Anonymous
Share this content
9

GDPR issue?

Do we need to report to ICO?

Didn't find your answer?

Search AccountingWEB

Payroll summaries sent to employer went to the wrong client with similar name.
Whilst all the payslips are password protected, these weren't. 
Systems will be updated but do we need to make a report?  The only personal data (in terms of identifying the individual) is the name on these reports.  

Replies (9)

Please login or register to join the discussion.

By Tim Vane
07th May 2019 18:40

Report to your DPO. He or she will need to decide on whether to report it ICO.

Thanks (0)
Replying to Tim Vane:
avatar
By the_drookit_dug
07th May 2019 20:48

Unless they have more than 250 employees, they're unlikely to have a DPO.

Thanks (1)
Replying to the_drookit_dug:
By Tim Vane
08th May 2019 15:36

Quote:

Unless they have more than 250 employees, they're unlikely to have a DPO.

Yes but they posted anonymously so how can we know?

Thanks (1)
avatar
By the_drookit_dug
07th May 2019 20:52

From the limited info you've provided, it sounds like it may be a reportable breach.

A breach is reportable if it presents a 'risk to the rights and freedoms' of the data subjects. I'd say disclosing salary info qualifies as such.

How many individuals received the info, and what did they do with it?

Thanks (0)
avatar
By john hextall
09th May 2019 11:20

Oops. If it has individual names on then it is personal data. If it has gone to the wrong person then it is a breach. Can you get it back? Has anyone seen it who should not have?
Can you let the affected individuals know within 48 hours of the breach? Have you done something so that it does not happen again? If you do not have a DPO, you may need to talk to the ICO...

Thanks (0)
avatar
By kjay
09th May 2019 12:04

They may be more interested in how you are sending the salary data. If you are sending salary information via open email with no encryption or through a system like docSAFE then there could be security issues?

If you know the person the data was sent to and can retrieve it, or it was encrypted, or the personal data was very limited then the following may help you decide if you need to report it to the ICO.
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-t...

"When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it."

If you are still unsure, as suggested by other contributors, speak to your DPO if you have one or ICO for advice and definitely document what you have done.

Hope this helps

Thanks (1)
By coops456
09th May 2019 13:20

Would your answers differ if the error had been made by post rather than email?

A couple of years ago, we received a notice of coding from HMRC for a client - but in the same envelope was another notice that was meant for an entirely different employer who was not our client.

If the same thing happened today, would that be a GDPR breach?

Thanks (1)
Replying to coops456:
avatar
By kjay
10th May 2019 22:49

Hi, I am not a GDPR expert and would advise if I doubt contact the ICO. However, I would consider post along side email. Your example, it is one persons data, not stolen but sent in error, to you who was not expecting or tying to obtain the information. If this happened again you could send the notification back to HMRC let them investigate and note your actions?

Thanks

Thanks (0)
avatar
By EnglishRose
10th May 2019 11:24

As someone else said it must be reported if it poses a risk to people's rights and freedoms.
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/09/...

Recital 75 of GDPR says

"The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects."

Thanks (0)
Share this content