
GDPR and PPS

  • 29-05-2021 9:23pm
    #1
    Registered Users, Registered Users 2 Posts: 8


    My employer sent my PPS number to the parent company in the US. I don’t mind that; I guess that’s normal enough. But the US company sent it to another company in South East Asia by mistake along with my address. I guess they thought it was a zip code. The Asian company posted me something in March with the PPS number written on the outside envelope like a zip code.

    Is this a serious data breach? Or only if my PPS gets used? Maybe postal workers are covered by confidentiality agreements so risk is low? I’m worried since I can’t change my PPS number... any advice?


Comments

  • Registered Users, Registered Users 2 Posts: 724 ✭✭✭athlone573


    My employer sent my PPS number to the parent company in the US. I don’t mind that; I guess that’s normal enough. But the US company sent it to another company in South East Asia by mistake along with my address. I guess they thought it was a zip code. The Asian company posted me something in March with the PPS number written on the outside envelope like a zip code.

    Is this a serious data breach? Or only if my PPS gets used? Maybe postal workers are covered by confidentiality agreements so risk is low? I’m worried since I can’t change my PPS number... any advice?

    What do you think a Chinese postman is going to do with your PPS number?

    You could log a complaint with the GDPR person (your employer's to start with) but I think the most you'll get is an apology. No harm logging it though so they can improve their processes.


  • Registered Users, Registered Users 2 Posts: 8 laurajaney83


    athlone573 wrote: »
    What do you think a Chinese postman is going to do with your PPS number?

    You could log a complaint with the GDPR person (your employer's to start with) but I think the most you'll get is an apology. No harm logging it though so they can improve their processes.


    The first line made me LOL. I should have mentioned that I never received the letter; it is stuck in limbo. But I would imagine it is somewhere in the postal system. Still, accountability sucks for stuff like this. I’m more annoyed with the US company for not being more careful with my PPSN.


  • Registered Users, Registered Users 2 Posts: 11,266 ✭✭✭✭martingriff


    My employer sent my PPS number to the parent company in the US. I don’t mind that; I guess that’s normal enough. But the US company sent it to another company in South East Asia by mistake along with my address. I guess they thought it was a zip code. The Asian company posted me something in March with the PPS number written on the outside envelope like a zip code.

    Is this a serious data breach? Or only if my PPS gets used? Maybe postal workers are covered by confidentiality agreements so risk is low? I’m worried since I can’t change my PPS number... any advice?

    I would contact your work in relation to it. Get them to find out what happened. What is data protection in the USA?


  • Registered Users, Registered Users 2 Posts: 78,647 ✭✭✭✭Victor


    athlone573 wrote: »
    What do you think a Chinese postman is going to do with your PPS number?
    It's not "is going to do", it's more what someone could do with name, address, employer and PPSN. Not that automated mail sorting systems scan and retain the full address.
    What is data protection in the USA?
    To a certain degree it doesn't exist.


  • Registered Users, Registered Users 2 Posts: 14,599 ✭✭✭✭CIARAN_BOYLE


    If your US parent company sent your PPS number to South East Asia, that's not a GDPR breach as it's fully outside the EU.

    If your own company sent your PPS number to the American parent, that may or may not be a data breach depending on if there's a legitimate business reason to supply your PPS number to the US parent. I suspect that there would not be.


  • Registered Users, Registered Users 2 Posts: 724 ✭✭✭athlone573


    On the face of it, it is a GDPR breach, by my interpretation, although I would consider the risk of harm to be relatively minor (as alluded to earlier) the OP may legitimately be concerned.

    I would suggest writing to your company's "Data Controller" stating your concerns and see how they respond.

    Realistically I don't see a case for significant compensation and it may be unwise to rock the boat too much with your employer.


  • Registered Users, Registered Users 2 Posts: 910 ✭✭✭doc22


    If your US parent company sent your PPS number to South East Asia, that's not a GDPR breach as it's fully outside the EU.

    If your own company sent your PPS number to the American parent, that may or may not be a data breach depending on if there's a legitimate business reason to supply your PPS number to the US parent. I suspect that there would not be.

    Could you explain how it isn't a breach, as GDPR covers EU persons' data across the world?


  • Registered Users, Registered Users 2 Posts: 14,599 ✭✭✭✭CIARAN_BOYLE


    doc22 wrote: »
    Could you explain how it isn't a breach, as GDPR covers EU persons' data across the world?

    Perhaps you would like to establish your point further.

    By my reading of the provisions the articles that deal with territoriality are 3.1, 3.2 and 3.3.

    Article 3.1: GDPR applies to EU-based organisations even if handling data outside the EU. The parent is not an EU-based entity.
    Article 3.2: Applies GDPR to non-EU-based organisations regarding the monitoring of online information or regarding the sale of goods or services to citizens within the EU. This breach would appear to be neither.
    Article 3.3: Relates to EU embassies and similar odd exceptions.

    So from my understanding the data breach would be sending the PPS number to the US parent. If the US parent did something with the data it wouldn't be covered, and they shouldn't have had the data in the first place.


  • Registered Users, Registered Users 2 Posts: 724 ✭✭✭athlone573


    There are extraterritorial arrangements whereby data processors in certain third countries are allowed, provided their data privacy safeguards are deemed equivalent by the EU. This list of countries would include major developed economies.

    It may be that a breach of regulations occurred when the data left the US (as well as the data breach that occurred when the data was exposed via the postal service).

