The DPC received a complaint against an employer, a manufacturing company, asserting that their private information including attendances with the company doctor, details of a personal injury claim being pursued against the company and details of a disciplinary procedure taken against the complainant had been placed on the company’s shared ‘C-Drive’, available to be viewed by anyone within the company, and that a copy of the data on a CD-ROM was also left on the complainant’s desk.

It became apparent during the examination of the complaint that a number of workplace computers had been used to access the data on the shared drive, which the company stated was downloaded, copied or sent to an external email address. The organisation advised that it had carried out an investigation of the incident resulting in two employees, identified as having a significant role in the incident, having their employment terminated and that An Garda Síochána had been notified about the incident. The company notified the DPC of the breach incident outlining that certain data was accessed and viewed by at least two of its employees.

It was stated that the data was being transferred internally from its Human Resources (HR) department to its Legal department due to the imminent departure of one of its HR employees. During the transfer a large volume of electronic files relating to legal cases involving a large number of individuals had the potential to be accessed and viewed by employees who would not ordinarily have access to these.

The implementation of measures to protect and secure personal data are foundational principles of data protection law particularly in terms of ensuring there is no unauthorised access to or destruction of personal data.

With regard to this specific complaint, the DPC observed firstly that the information in respect of the complainant which was disclosed as part of the data breach included very sensitive information, and which constituted “special category data”, in circumstances where special category data includes information about “data concerning health or data concerning a natural person’s sex life”.

The information (examples of which were provided to this office) included details of attendances with the company doctor which revealed very personal and sensitive information about the complainant’s physical health, mental health and their personal circumstances. It was noted that this information was being maintained by the company in the context of legal proceedings/ claims being taken by the individual. Given the nature of the information, there was a particularly strong onus on the company to ensure that only those who needed access to such information were granted and so could access and process same.

The issue regarding this complaint was the placing of files to include the complainant’s personal information on a shared drive accessible to all employees. The DPC considered that due regard was not given to the sensitivity of the information contained in the files and the risks entailed with making them available to any employee of the company, even if this was only for a very short period of time. It would seem that the decision to transfer the files to the shared drive was taken for pragmatic reasons, i.e. the company confirmed it was executed in this manner as the files were too large to be sent by email.

However, this did not justify the placing of the files somewhere where any employee of the company would be able to access them, particularly given the risk of harm to the data subject if colleagues of theirs were able to find out very personal and sensitive information which the complainant may, quite legitimately, not have expected or wanted other employees to know, save to the extent that it was strictly necessary for limited employees to know in relation to legal proceedings/claims between the data subject and their employer. Moreover, there were a number of alternative options in transferring the files to the Legal department, which would not have presented the same risk to the security of the personal data, including placing the files on a folder, whether on the shared drive or otherwise, where access was restricted to limited individuals. That such alternative options might have been more time-consuming or difficult to implement were no justification for the placing of the files on the shared drive with unrestricted access to other employees.

The fallout of the failure to protect personal data in this case was considerable giving rise to legal proceedings against the company by the affected individual, the loss of two long-term employees who were dismissed not to mention the impact on the individual whose data was disclosed.