GDPR question

legobrick

Old-Salt
Evening all, hoping someone on here is a bit more clued up on this than me.

I just arrived at work and have found that someone in the office has decided to create a contact list with all our personal numbers on it. Makes sense to have for DR purposes, but they have put up about ten copies all around the place including the public/uncontrolled access areas.

Would this be classed as a breach of the GDPR regs?

Thanks
 

OneTenner

LE
Book Reviewer
Are these 'personal' numbers company owned numbers or truly personal? If the latter, it's clearly a breach of the Data Protection Act 2018 (as amended) or GDPR if you prefer.
The first thing I'd be asking is where the numbers were obtained from, even work numbers can be restricted from 'public' viewing - and then who authorised the contact list to be drawn up, so you can have a chat with them and your company DPO.....
 

legobrick

Old-Salt
They are indeed all personal numbers, I would assume they came from HR records.
It doesn't bother me that colleagues have my number, more the fact of leaving them on view for every man and his dog in a public building to see.

I will have a quiet word tomorrow with the office bod responsible.

Thanks for the reply
 

OneTenner

LE
Book Reviewer
If the numbers are all 'shared' between colleagues, it's possible someone just harvested them from their phone contacts without any oversight - doesn't make it acceptable but it does highlight lack of understanding of the legislation, expect some GDPR compliance training in the weeks and months ahead! ;)
 

Chinggis

War Hero
The GDPR is European Union law that was incorporated into UK law by the Data Protection Act 2018. That might sound like I'm being pedantic, but if you're going to cite the law at whoever is responsible it's important to cite the right one.

Section 40 of the Act says:
The sixth data protection principle is that personal data processed for any of the law enforcement purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).

Putting a list of staff's personal phone numbers in a public area is a breach of section 40 because whoever put the list up didn't use appropriate organisational measures to protect your data against unlawful processing or accidental loss. If you don't know who did it, inform your manager and remind them that as the company is the Data Controller for your personal data it is vicariously liable for any breach of DPA 2018 by any of its employees.
 
Who gives their company their actual personal mob? Just invent one, like your religion, ethnicity and sexual orientation.

Who's going to risk sacking a bisexual, Hindu Irish Traveller? Especially when they can't even ring them...
 
