Whilst I agree that the haughty approach by HQRAFAC is not appropriate, I suspect that there is a huge worry about not too much, with associated unnecessary lower garment twisting!
As a UK registered organisation, as far as I’m aware, we’re answerable to the UK Information Commissioner’s Office (ICO). Even if issues materialise, it won’t necessarily be the end of the world. In 2017 the ICO processed 17,300 complaints and issued only 16 fines. That won’t change under GDPR as the Commissioner herself explains here.
The “definition” of personal data seems to get distorted too; ICO outline it here (use the Questions 1 - 8 to see what might, or might not, fit). Very generally, processed or collected / filing system data is what will always count.
We shall see I suppose.
They don’t need bank details as they can send us cheques, which as I understand is how money used to get paid.
They can send stuff out by post, which would mean that things would have to be planned properly and we get decent lead times for activities. Email would work better if we could scan and email things, rather than print the things they send or put on sharepoint, sign and stick in an envelope.
No, they could implement a clearly ridiculous system instead - but it does rather depend on how you define “need”. I think that pretty much everyone else on the planet agrees that they need your bank details in order to pay you.
I mean I’d say that my car “needs” petrol. I could of course push it, or have it pulled by a horse, or re-fit it with a steam engine, but these would be quite silly.
I’ve been contacted by 3 companies whose email newsletter I am on today already - seems the 1st May is the date to start for some companies to get in line!
Bringing this up to try and think of a better place. When on the staff page on SMS, when you click your name (or another) on the list, it takes you to the home page with the profile pic. It has 2 x sensitive data items on here; even if you are looking for qualifications, for example if you are updating one, you would see their nationality and religion. The amount of data on the holding home page is quite worrying too, as it also has full address and personal contact information and DoB, which is too much information if you are trying to meet the Data Protection principle of “used for specified, explicit purposes”.
I physically can’t get around seeing that without closing my eyes. The audit is there to show who has been on what etc, but if you are going on to qualifications you will have been on the home page. When you click into the person, the tabs should be there to blank out this data with the protection of auditing. People forget religious beliefs are as much a protective characteristic as information about health under the Data Protection Act. Who can this be raised with?
To get to that page and see such information you need to 1) Be a member of our organization. 2) Need to have completed protecting information course/BPSS/DBS. 3) Have logged into SMS using your account. 4) Have had permissions allocated to you by your OC to view such information.
The fact you can see this data is because many steps have been taken to protect it, that you have direct permission to ‘bypass’. This isn’t really a data protection issue as such. It’s not information that can be seen by everyone. Only by those who meet all the criteria above. If you don’t have the right permissions, you can’t see anything! This is what the view staff tab looks like for me on units, as I have no allocated permissions to view staff profiles, as I have no need to:
I can of course see my own details, and the details of cadets as needed.
There is an argument we could be more granular with the permissions. But I don’t think it’s needed. Maybe your OC is just giving out the permissions a bit haphazardly?
Also, if you want to take it up the chain, the term you want to use is ‘special category personal data’. Protective Characteristics is an Equality Act thing, and they don’t quite line up with UK GDPR.
If the OC feels it is suitable for their staff to see other people’s profiles then permission is granted. To my knowledge there are no guidelines on what this should look like, eg only uniformed staff, only officers, only those who take command of events.
It is up to the OC to decide. I have full access and can’t say I have abused it. I have used it to call a member of the staff team in the past before the creation of the WhatsApp group, and used an address on SMS to drop something off at a staff member’s house.
I am of the mindset that I have nothing to hide, and those who know me IRL can do a bit of googling and likely find an email address, phone number and home address without much effort (the first two being on RBL event posters as a “contact”).
That said, I can understand why some might be less open to the idea of everyone knowing “everything”. As @JoeBloggs indicates, these people have jumped through various hoops and are trusted with cadet details, so it isn’t unreasonable to have CFAV details either.
GDPR is summarised by three points:
1 - the data held must have a justified reason. Holding contact details for CFAVs is justified.
2 - the data must be held “securely” ie behind lock and key or passwords (which BADER does for us)
3 - can only be used for the reason it was shared with an organisation for. (in our case 99% to be able to contact a CFAV).
There is an argument that religion is an odd category to record on SMS. I cannot think of an occasion when I have needed to look it up on someone’s profile, and I suspect it is of more use for HQAC stats collection on the “diversity” of the CFAV population than in any other format.
I’m not a member of the organisation anymore but I can still log in to systems and access sensitive data about CFAV and cadets on my last unit before resigning several months ago.
And one I’ve raised with Region and the Commandant. As I say, I wouldn’t access the data, but if it’s an institutional problem then other people with more nefarious aims could well be accessing things after leaving