I’m sure most people, like me, are fed up with hearing about the new data protection law which has come into force, the General Data Protection Regulation (GDPR). We’ve all received plenty of messages via email, company advertisements on LinkedIn and warnings on the radio; it’s a difficult subject to avoid. It’s not all doom and gloom though: one benefit of all these messages is that we should all be more aware of how important it is to handle data properly and of what causes a data breach.
Are you fully aware of what counts as a data breach? Did you know that a simple message to a close work colleague could result in a breach, regardless of the reasonable thinking behind it? It’s a tricky area of law, particularly when existing relationships need to be questioned.
In this blog, I walk through a case involving a school and an out of school club to show just how easily a data breach can occur.
How can a simple message turn into a data breach?
Recently I was contacted for advice on a case by a school which leases its facilities during the school holiday periods to an external company, which runs an out of school club. The company also chooses to employ staff from the school it hires the facilities from. This is not an uncommon arrangement in schools. As a result, a close relationship has grown between the company and the school through the use of shared resources.
The school had a member of staff off sick with stress before the holiday period; however, this employee was also due to work for the club. The school was aware of this, spoke to the employee and suggested that they should not work due to their ill health. The employee asked the school not to take the opportunity away from them. The school intended to inform the club about the employee’s ill health, as they did not feel the employee should be working for the club when they had been off sick from school, but they called me before doing so.
It would appear reasonable for the school to expect the employee not to work during the holiday period, as they had been too ill to attend their usual work at the school. However, if the school had informed the club of the employee’s ill health, that would have been a personal data breach: an unauthorised disclosure of health data, which the GDPR treats as special category data and which attracts stricter protection than ordinary personal data.
The reason for this is that the club and the school are not the same organisation; they are separate data controllers, and the school has no lawful basis to pass its employees’ health information to another controller simply because the two work closely together. The employee had not given the school permission to share their medical data with the club and had in fact expressed that they did not want the opportunity to work taken away. If this message had been sent, the school would have been required to report the breach to the Information Commissioner’s Office (ICO), since disclosing health data to a third party is likely to pose a risk to the individual, and that report must be made without undue delay and, where feasible, within 72 hours of the school becoming aware of it.
Additionally, if they had provided this detail to the club, they could also have faced claims from the employee: constructive dismissal for a breach of trust and confidence in the mishandling of their personal data, and potentially disability discrimination.
How can schools deal with HR issues without causing a data breach?
In order to deal with this, the school could have asked the employee, once they returned from the summer break, whether they had worked during the holiday period. If the employee had been working, the school could then have sought medical evidence to establish whether it was reasonable for this member of staff to work for one employer whilst being too unwell to work for another. Dependent on the medical evidence, the school could then have considered further action, potentially of a disciplinary nature, especially if this employee failed to return to work after the holiday period. The key point is that the school deals with its own employee directly, using information it is entitled to hold, rather than passing that information to a separate organisation.
This case illustrates just how important it is for an employer to consider how they share data: an honest but simple mistake, which could easily have been made here, could have had much wider financial and PR consequences.