By Steven Orpwood, Data Protection Expert

April 2023

 

Five years ago, in the early days of the GDPR, I wrote a blog about the danger of accessing personal data when there is no requirement to do so. The point being that it’s illegal and can lead to sanctions in the workplace and in the courts. Since then, this particular issue has been in the news time and again, and people are more aware than ever before about the need to keep their personal data safe. 

 

So, we might ask ourselves, how it is possible there are still stories about inappropriate access to personal data and the consequences to the perpetrators.

 

In this article, I am not focusing on the potential damage to a data subject resulting from inappropriate access, rather, that the activity continues. Just recently, a police sergeant in Manchester was dismissed from the Force for making checks on people he knew for no policing purpose, and sharing some very sensitive data he gathered with a third-party. In fact, most cases relate to someone looking at details of friends and family, and passing them on. Perhaps this is unsurprising, since it’s those closest to us who hold the greatest interest, but this does seem to be an ‘unfriendly’ act against people we know and love.

 

The Data Protection Act defines ‘processing’ as taking action with someone’s personal data, and a ‘data breach’ as the loss, destruction, alteration, damage or disclosure of personal data. It’s noticeable in both cases that there is an action performed on personal data and that the action can be undertaken by a person. But look at the text more closely and the ‘person’ that’s barely described is the data protection equivalent of homo economicus, a human who is consistently rational, and who pursues their ends optimally – that is, someone who does what’s required of them, as prescribed by process, and does not vary from this path. Back in reality we are then amazed that someone might be so foolish as to complete an action that will undoubtedly get them into trouble. The problem is that most people are not rational 100% of the time, or always process orientated, and as a result some will be tempted to look at things they shouldn’t.

 

But here we have the issue. We know we are expected to be and do one thing, but occasionally we will let self-interest or even just plain nosiness get the better of us, and we will do things we shouldn’t. The sergeant in question apologised and admitted he had "made a mistake", so it’s not that he was unaware of the fact he shouldn’t have been doing it. 

 

So in conclusion this is an ongoing problem for organisations, and needs to be dealt with. First and foremost, organisations should not assume it won’t happen, and if it does, that it’s not their problem. Secondly, they should ensure their workers are informed and aware of the consequences through thorough and repeated training. Thirdly, they should ensure they retain only the data required to perform necessary tasks, put measures in place to restrict access to data, log when that data is accessed, and be proactive about monitoring access. These steps will not completely stop the problem, but they will prevent most people from ‘indulging’ themselves with a little look at the neighbours’ lives, however tempting it might be.

 

At Aim, we provide regular training for our employees for both the Data Protection Act and data breach management; both training videos are available from our website at no cost. In addition, we use our own data governance software, dataBelt®, to index and categorise our data so we know what we have, how it relates to the purpose for which it was collected, and where it’s stored, ensuring that sensitive data is not shared unnecessarily. Organisational oversight of data, and employee awareness of their data responsibilities are key to maintaining internal, and customer, confidence. Please get in touch if you would like to know more about managing your data.