Data Protection Act breach.
05-09-2009, 22:10
|
#1
|
|
Gone
Join Date: Jun 2003
Age: 31
Posts: 14,760
|
Data Protection Act breach.
I applied for a job for a governmental organisation and got shortlisted. When HR sent out the interview e-mail, the HR person put all e-mails in the "to:" field meaning that all were visible to each other. I wasn't best pleased as unlike everyone else (who had hotmail and gmail accounts) I had a proper domain e-mail which was hosted on a site with my CV on it. This meant that now every shortlisted applicant had access to my CV. I had to remove the site meaning job advertisers who I had directed to the site wouldn't now be able to see my CV.
I was going to wait until after they had chosen their candidate and if I wasn't, then reporting them to the ICO.
However, I have been e-mailed by another candidate asking me what questions were asked and how to prepare! I was amazed. I was just going to save it for the ICO but my partner said it was unprofessional and should contact HR and report the person. I was reluctant as this could mark me out as a "grass" to the boss which could prejudice my application as much as help it.
However, it gets more intriguing. The person's e-mail address didn't conclusively match one on the original e-mail (although he could easily use another) but he seemed to know exactly when my interview was (interviews were spread over 2 days, and weren't allocated until after the initial e-mail). I was allocated on the earlier date and the candidate e-mailed me between the two interview dates. It could have been a guess but I'm wondering if he had inside knowledge. It could also explain why he wasn't on the initial e-mail as maybe only external candidates were.
So, what should I do?
1. Complain to the head of HR?
2. Complain to the boss advertising the job?
3. Forget the job and complain to the ICO?
Also, if I do complain to HR/the boss, should I do it before or after I hear back from the job? I should hear back on Wednesday and I'm not expecting to get it.
MTIA.
|
|
|
05-09-2009, 22:23
|
#2
|
|
Cable Forum Team
Join Date: Mar 2004
Age: 25
Posts: 16,853
|
Re: Data Protection Act breach.
Odd. One thing to consider is that although it seems there has been a further breach than the one you mentioned it's not clear what happened. If this person who e-mailed you knew exactly when your interview was then obviously there was somebody on the inside who leaked it, but then how did they not also have access to the questions?
Did he know exactly when or just the day? Did you twitter anything after the interview, he could have done a google search on you and found out that way.
I would complain to the head of HR if you get the job and the head of HR and the ICO if you don't. Wait until you get it because you probably don't want to cause friction at your new workplace. (Depends how strongly you feel about the breach though)
|
|
|
05-09-2009, 22:32
|
#3
|
|
cf.mega poster
Join Date: Jun 2006
Location: Liverpool
Age: 34
Services: Sky+, Sky Broadband and Talk
Posts: 3,819
|
Re: Data Protection Act breach.
I'd be inclined to go straight to the top, this is a horrendous breach of confidentiality. Someone should be sacked for it IMO
I'm not sure how much you want this job Punky, but if I was in your position I think I'd have to do the right thing and not let this lie. If your future management are decent people, they will deal with the person who cocked up and you professionally.
__________________
Life is a waste of time, time is a waste of life so spend your time getting wasted and you'll have the time of your life 
|
|
|
05-09-2009, 22:51
|
#4
|
|
Gone
Join Date: Jun 2003
Age: 31
Posts: 14,760
|
Re: Data Protection Act breach.
Quote:
Originally Posted by Damien
Odd. One thing to consider is that although it seems there has been a further breach than the one you mentioned it's not clear what happened. If this person who e-mailed you knew exactly when your interview was then obviously there was somebody on the inside who leaked it, but then how did they not also have access to the questions?
Did he know exactly when or just the day? Did you twitter anything after the interview, he could have done a google search on you and found out that way.
|
The interview dates were separated by 4 days, and I was e-mailed the day after the first interview date. He knew I had been interviewed by his wording. It could be a guess though - he could have e-mailed everyone and 50% of the time he'd be right. On the other hand it may not.
I did twitter initially that I was shortlisted for the job, but not the date that it was being held. Also there's no actual ties between my twitter and my identity/e-mail.
Quote:
|
I would complain to the head of HR if you get the job and the head of HR and the ICO if you don't. Wait until you get it because you probably don't want to cause friction at your new workplace. (Depends how strongly you feel about the breach though)
|
Cheers mate 
---------- Post added at 22:51 ---------- Previous post was at 22:40 ----------
Quote:
Originally Posted by superbiatch
I'd be inclined to go straight to the top, this is a horrendous breach of confidentiality. Someone should be sacked for it IMO
I'm not sure how much you want this job Punky, but if I was in your position I think I'd have to do the right thing and not let this lie. If your future management are decent people, they will deal with the person who cocked up and you professionally.
|
Cheers SB
This is a major governmental organisation (i.e. not a 2 man band limited company) so I'm guessing there's a rigid structure for dealing with DPA complaints. It shouldn't jeopardise my job application but I can't help but wonder.
I should imagine at some point some of the other original applicants may complain too if he contacts them.
|
|
|
05-09-2009, 22:53
|
#5
|
|
Cable Forum Team
Join Date: Jun 2006
Services: Triple XL (BB 30Mb), TiVo, V+
Posts: 22,898
|
Re: Data Protection Act breach.
Rather than complain, may I suggest it might be best to point out there appears to be an issue in their process, explaining what has happened.
That way it is a positive thing, rather than a negative thing, and you will be seen in a positive light. Then, if you get the job, you can try to fix the problem - if you don't get the job, you can highlight this in other ways.
Better inside the tent urinating out, than outside the tent urinating in.
__________________
Just to make it clear if a post is bold and is from a team member, it's a moderating decision. If it's not bold or not from a team member, it's not.
|
|
|
05-09-2009, 23:08
|
#6
|
|
Gone
Join Date: Jun 2003
Age: 31
Posts: 14,760
|
Re: Data Protection Act breach.
Quote:
Originally Posted by foreverwar
Rather than complain, may I suggest it might be best to point out there appears to be an issue in their process, explaining what has happened.
That way it is a positive thing, rather than a negative thing, and you will be seen in a positive light. Then, if you get the job, you can try to fix the problem - if you don't get the job, you can highlight this in other ways.
Better inside the tent urinating out, than outside the tent urinating in. 
|
Cheers for that. I was trying to give them as much leniency as possible - rather than going too much than running straight to the ICO and demanding compo. I haven't really thought about how to breach it with HR/whoever. I had a hard enough job trying to get hold of HR in the first place. The initial e-mail and the main switchboard kept sending me to an unmanned voicemail. I eventually had to go to the department head just to get my interview confirmed.
|
|
|
06-09-2009, 06:32
|
#7
|
|
cf.mega poster
Join Date: Jan 2006
Posts: 9,640
|
Re: Data Protection Act breach.
Quote:
Originally Posted by foreverwar
Rather than complain, may I suggest it might be best to point out there appears to be an issue in their process, explaining what has happened.
That way it is a positive thing, rather than a negative thing, and you will be seen in a positive light. Then, if you get the job, you can try to fix the problem - if you don't get the job, you can highlight this in other ways.
Better inside the tent urinating out, than outside the tent urinating in. 
|
Sound advice, especially if the person who sent the email is testing Gavin in some way, besides if you don't get the job after that you can always grass them up then
|
|
|
06-09-2009, 08:03
|
#8
|
|
Nearly Normal..
Join Date: Nov 2008
Services: Virgin tinterweb and speaky thing, Sky +HD box..
Posts: 904
|
Re: Data Protection Act breach.
I am with foreverwar on this one, this is not something that can be allowed to happen but jumping in pointing fingers and expecting people to be sacked is a tad harsh, slowly slowly catchy monkey..
Unless you don't get the job and then, give um it large..
|
|
|
06-09-2009, 08:57
|
#9
|
|
Been around a while ...
Join Date: Feb 2004
Location: There's no place like 127.0.0.1
Services: Depends on the person and the price they're offering
Posts: 12,365
|
Re: Data Protection Act breach.
Having been in a similar position, but from the 'other side of the fence', I'd be tempted to ride this one out and see what comes of the interviews etc. As has been said, better to be raising 'legitimate concerns' from the inside, than stirring the pot from the inside. Pointing out flaws in processes (particularly when people's data may be put at risk by them) is a good thing when you're in a Government department - it makes you look like you care.....
|
|
|
06-09-2009, 11:57
|
#10
|
|
Gone
Join Date: Jun 2003
Age: 31
Posts: 14,760
|
Re: Data Protection Act breach.
Thanks for the advice guys.
If I do mention it, very politely to either the head of HR or the departmental head, would it then prejudice the case if I do decide to go to the ICO? I'm not the vengeful type and not demanding heads must roll. I know it was a simple mistake by a computer illiterate HR member but TBH I was a bit annoyed I had to take my CV offline compromising other job applications.
|
|
|
06-09-2009, 12:43
|
#11
|
|
Been around a while ...
Join Date: Feb 2004
Location: There's no place like 127.0.0.1
Services: Depends on the person and the price they're offering
Posts: 12,365
|
Re: Data Protection Act breach.
All the ICO is likely to do is review what happened within the framework of that department's internal governance structure, and then require of them that they show that they've put in place measures to stop it happening again.
To be honest you're likely to achieve the same, but without the hassle and upheaval of involving the ICO, by talking directly to those concerned.
|
|
|
06-09-2009, 13:01
|
#12
|
|
Gone
Join Date: Jun 2003
Age: 31
Posts: 14,760
|
Re: Data Protection Act breach.
Bit disappointed by that. I thought their remit would be quite stronger.
I might as well go straight to the head of HR if I can get hold of him/her.
|
|
|
06-09-2009, 14:19
|
#13
|
|
Been around a while ...
Join Date: Feb 2004
Location: There's no place like 127.0.0.1
Services: Depends on the person and the price they're offering
Posts: 12,365
|
Re: Data Protection Act breach.
I could be wrong about the ICO, but I seem to recall that the publicised sanctions that they levied against MOD after their data losses weren't all that massive.
To be honest I guess it depends on what you're hoping to achieve.
If you're hoping to force them to tighten up their standards so it doesn't happen again then (provided the ICO considers it's a serious enough breach) you'll probably achieve that.
If you're after an apology, and for lessons to be learned by those concerned, then approaching someone internal to that department might be the way forward.
What you should probably watch though is the fact that, whilst compromising, an email address on its own isn't necessarily 'Personal' data. The fact that it allowed people to then extrapolate a URL that led them to your CV (which was posted on the Internet, albeit at a domain that you don't personally publicise) might be seen as unfortunate, but not necessarily a 'breach'.
I would be tempted to move away from that as a hook, and play the 'confidentiality of applicants' game - in other words, the fact that people other than you and the organisation now know that you've applied and that this could compromise your application or your current employment.
Like I said before though, I'd be tempted to raise it once you get the job. Or, if you don't fancy waiting that long, perhaps ask during the interview if it's common practice to do things that way. Just be careful you don't ruin your chances completely though.
Finally, one last point (promise) - ask yourself if you will be comfortable working for them after this incident.
|
|
|
06-09-2009, 14:48
|
#14
|
|
"Why I oughta..."
Join Date: Jun 2006
Location: Cambridge
Services: Sky TV, VM TV, 20meg bb, tel, and a lobster (but the lobster died).
Posts: 4,296
|
Re: Data Protection Act breach.
Quote:
Originally Posted by punky
...So, what should I do?...
|
Personally, I would have brought this up at the end of the interview in a polite, professional manner. And would have added that this is something I have experience with, and have a few ideas to stop it happening again.
|
|
|
06-09-2009, 17:05
|
#15
|
|
Gone
Join Date: Jun 2003
Age: 31
Posts: 14,760
|
Re: Data Protection Act breach.
Quote:
Originally Posted by Rob M
I could be wrong about the ICO, but I seem to recall that the publicised sanctions that they levied against MOD after their data losses weren't all that massive.
To be honest I guess it depends on what you're hoping to achieve.
If you're hoping to force them to tighten up their standards so it doesn't happen again then (provided the ICO considers it's a serious enough breach) you'll probably achieve that.
If you're after an apology, and for lessons to be learned by those concerned, then approaching someone internal to that department might be the way forward.
What you should probably watch though is the fact that, whilst compromising, an email address on its own isn't necessarily 'Personal' data. The fact that it allowed people to then extrapolate a URL that led them to your CV (which was posted on the Internet, albeit at a domain that you don't personally publicise) might be seen as unfortunate, but not necessarily a 'breach'.
I would be tempted to move away from that as a hook, and play the 'confidentiality of applicants' game - in other words, the fact that people other than you and the organisation now know that you've applied and that this could compromise your application or your current employment.
Like I said before though, I'd be tempted to raise it once you get the job. Or, if you don't fancy waiting that long, perhaps ask during the interview if it's common practice to do things that way. Just be careful you don't ruin your chances completely though.
Finally, one last point (promise) - ask yourself if you will be comfortable working for them after this incident.
|
I don't know what I want to achieve really. I'm not vengeful and I'm not seeking that the HR woman responsible is fired, or cause trouble but I thought that is a breach and that the ICO should know and it's up to them to decide what to do. If you think it's easier to go through their department, then so be it.
---------- Post added at 17:05 ---------- Previous post was at 17:03 ----------
Quote:
Originally Posted by TheNorm
Personally, I would have brought this up at the end of the interview in a polite, professional manner. And would have added that this is something I have experience with, and have a few ideas to stop it happening again.
|
I did consider that, but I thought it might be irrelevant as it's a completely different department to HR where the breach occurred.