We were recently asked a question by an HR business with whom we are working:
"One of our client's employees has suggested that, because they gave his phone number to a customer, this breach [of the GDPR] should be reported to the ICO - surely this is not bad enough for that?"
For the purposes of this answer, we assumed the phone number given out was a personal one and not a work number, so the answer to this question was two-fold:
Firstly, was this a data breach at all?
We consider that it was indeed a data breach. The information had been shared for a purpose other than the one for which it was provided when the employee gave it. An employer may gather personal information such as a phone number in order to contact the employee should the need arise, but has no automatic right to share that information with any other party without the employee's permission. The only exceptions would be where the employer is asked to share it with law enforcement or the courts (complying with a lawful request under the Data Protection Act 2018), or perhaps where another party is acting on behalf of the company in an official capacity (such as outsourced HR and/or payroll).
If an employer needs to give a mobile number to customers, they should supply that employee with a company phone, or obtain written consent for the individual to use their personal mobile to receive work calls.
Secondly, was it a reportable breach?
We don't believe so. In order for a breach to be reportable, it must be likely to result in a risk to the individual concerned.
The GDPR does not set out a definition of a reportable breach; however, the UK's Information Commissioner's Office (ICO) has issued guidance on its website, along with a useful tool for assessing whether a breach is reportable. In essence, the rule of thumb is that if a breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform those concerned directly and without undue delay.
A 'high risk' generally means that there is a high likelihood of consequences for the individual as a result of the breach; where that is the case, the breach will be reportable. Such consequences do not have to be physical or financial; it may simply be that others knowing the information is distressing (as in the Government's breach involving the New Year Honours List).
What was our advice?
This was most definitely a breach of the confidentiality of personal data, so we advised the HR business to advise its client to record the incident in the organisation's Data Breach Register and/or Information Security Incident Log.
Further, we advised that the organisation reach out to the party with whom the information was shared and ask for it to be erased, requesting confirmation by return that this has been done.
We advised that the organisation explain to the individual, in simple terms, that the incident has been recorded, that deletion of the shared information has been requested (and confirmed as having been carried out), and that suitable training will be given to all staff to ensure similar incidents do not occur in future.
Finally, as alluded to above, we advised that the organisation undertake staff training and ensure it places emphasis on the lawfulness of sharing personal information.