GDPR issue?

Do we need to report to ICO?


Payroll summaries sent to employer went to the wrong client with similar name.
Whilst all the payslips are password protected, these weren't.
Systems will be updated but do we need to make a report? The only personal data (in terms of identifying the individual) is the name on these reports.

Replies (9)


By Tim Vane
07th May 2019 18:40

Report to your DPO. He or she will need to decide on whether to report it to the ICO.

Thanks (0)
Replying to Tim Vane:
By the_drookit_dug
07th May 2019 20:48

Unless they have more than 250 employees, they're unlikely to have a DPO.

Thanks (1)
Replying to the_drookit_dug:
By Tim Vane
08th May 2019 15:36

Quote:

Unless they have more than 250 employees, they're unlikely to have a DPO.

Yes but they posted anonymously so how can we know?

Thanks (1)
By the_drookit_dug
07th May 2019 20:52

From the limited info you've provided, it sounds like it may be a reportable breach.

A breach is reportable if it presents a 'risk to the rights and freedoms' of the data subjects. I'd say disclosing salary info qualifies as such.

How many individuals received the info, and what did they do with it?

Thanks (0)
By John Hextall
09th May 2019 11:20

Oops. If it has individual names on, then it is personal data. If it has gone to the wrong person, then it is a breach. Can you get it back? Has anyone seen it who should not have?
Can you let the affected individuals know within 48 hours of the breach? Have you done something so that it does not happen again? If you do not have a DPO, you may need to talk to the ICO...

Thanks (0)
By kjay
09th May 2019 12:04

They may be more interested in how you are sending the salary data. If you are sending salary information via open email with no encryption, or through a system like docSAFE, then there could be security issues?

If you know the person the data was sent to and can retrieve it, or it was encrypted, or the personal data was very limited then the following may help you decide if you need to report it to the ICO.
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-t...

"When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it."

If you are still unsure, as suggested by other contributors, speak to your DPO if you have one or ICO for advice and definitely document what you have done.

Hope this helps

Thanks (1)
By coops456
09th May 2019 13:20

Would your answers differ if the error had been made by post rather than email?

A couple of years ago, we received a notice of coding from HMRC for a client - but in the same envelope was another notice that was meant for an entirely different employer who was not our client.

If the same thing happened today, would that be a GDPR breach?

Thanks (1)
Replying to coops456:
By kjay
10th May 2019 22:49

Hi, I am not a GDPR expert and would advise, if in doubt, contacting the ICO. However, I would consider post alongside email. In your example, it is one person's data, not stolen but sent in error, to you, who was not expecting or trying to obtain the information. If this happened again you could send the notification back to HMRC, let them investigate and note your actions?

Thanks

Thanks (0)
By EnglishRose
10th May 2019 11:24

As someone else said, it must be reported if it poses a risk to people's rights and freedoms.
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/09/...

Recital 75 of GDPR says:

"The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects."

Thanks (0)