Case Studies Disclosure / Unauthorised Disclosure
Unauthorised disclosure in a workplace setting
The complainant alleged that insecure processing by his former employer had made his personal data accessible to unauthorised persons, including former colleagues and external third parties.
The complainant was in legal dispute with the company arising from his dismissal. In connection with that dispute, the company had prepared documents including an internal investigation report and a legal submission to the Workplace Relations Commission (WRC). While the WRC submission did not contain a great deal of the complainant’s personal data, the internal investigation report did.
Approximately one month before the complainant first contacted the DPC, the company had notified the DPC of a data breach. The notification stated that the WRC submission had been inadvertently stored in a folder accessible by all employees, rather than in one that was accessible only by authorised HR staff. The error was noticed and corrected two days later, and the company notified the DPC shortly thereafter. The company’s systems did not record whether, when or by whom the WRC submission might have been accessed, or whether it had been copied or printed.
In the complaint, the complainant alleged that the breach affected not just the WRC submission but also the internal investigation report, and that these had been accessible from all parts of the company’s intranet, including on a device that could be used by both employees and visitors to the company’s premises. The complainant submitted statements from former colleagues who described having access to documents relating to “the internal investigation.” The company denied that the internal investigation report had ever been accessible by unauthorised persons.
It also maintained that, while the WRC submission had been inappropriately available for a short time on the company’s intranet, it was not on a part of it accessible to non-employees.
The DPC addressed two main issues: what had been the content and extent of the breach, and whether the company’s security measures had met the standard required by applicable data protection legislation.
The complainant’s former colleagues had said that documents concerning “the internal investigation” had been accessible by them. However, these statements had not described in any detail the nature or contents of the documents, did not say when or by whom they had been seen, and did not say that the documents were accessible by non-employees. Against that, the company had consistently maintained that the WRC submission, but not the internal investigation report, had been inappropriately accessible to employees for a number of days. Significantly, the company had notified the DPC of that approximately one month before the complainant had first lodged his complaint. The DPC took the view that there was insufficient evidence to support the claim that the internal investigation report had been disclosed, or that the complainant’s personal data had been accessible by non-employees as well as unauthorised employees.
Concerning the company’s security measures, the DPC noted that the applicable standard had to reflect and mitigate the harm that could be caused by relevant risks including, as in this case, disclosure to unauthorised persons. The company was clearly aware of the risk of disclosure, as it had arranged for confidential documents to be stored in a way that gave access only to authorised HR staff.
However, the company had failed to properly anticipate and mitigate the risk of human error in storing such documents, as had happened to the WRC submission. The DPC also reminded the company of the need to ensure that relevant personnel are aware of the need to handle personal data in accordance with applicable security measures, and to respond to breaches accordingly. This case illustrates how data controllers must consider all risks that can arise when they process personal data, including the risk of human error. The measures that they adopt to address those risks must reflect not just the possible causes of loss or harm, but also the consequences of a breach, and the ways in which those consequences can be minimised or remedied.
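The two weaknesses the DPC identifies, a confidential document placed in a folder readable by all staff and systems that could not say whether anyone had opened it, can both be turned into routine checks. The following is an added example, not part of the DPC case study and not the company's own systems: it models a file share in memory with a simplified ACL (a set of principal names per file), recognises confidential documents by content hash so that a copy pasted into another folder is still caught, and shows what an access log lets a controller answer about an exposure window. All paths, principal names, dates and document contents are constructed assumptions.

```python
"""Added illustration: detect confidential documents that have landed in
over-exposed locations on a file share, and reconstruct who touched them
during an exposure window. In-memory model only; a real deployment would
read ACLs from the filesystem or directory service and hash real files."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class StoredFile:
    """One file on the share plus the principals able to read it.
    The ACL model (a flat set of principal names) is a simplification."""
    path: str
    content: bytes
    readers: frozenset[str]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_register(docs):
    """Map content hash -> (label, permitted readers) for documents that
    have been classified as confidential."""
    return {sha256(content): (label, frozenset(allowed))
            for label, content, allowed in docs}


def find_overexposed(share, register):
    """Return (path, label, excess_principals) for every copy of a registered
    confidential document whose readers exceed the permitted set."""
    findings = []
    for f in share:
        entry = register.get(sha256(f.content))
        if entry is None:
            continue  # not a classified document, nothing to check
        label, allowed = entry
        excess = f.readers - allowed
        if excess:
            findings.append((f.path, label, sorted(excess)))
    return findings


def accesses_in_window(log, path, start, end):
    """Return (iso_timestamp, principal, action) for events on `path` between
    start and end, ordered by time. Without such a log a controller cannot
    say who, if anyone, read, copied or printed an exposed document."""
    hits = [(ts.isoformat(timespec="minutes"), who, action)
            for ts, who, p, action in log
            if p == path and start <= ts <= end]
    return sorted(hits)


# --- constructed sample data (not taken from the case) ---
WRC_DOC = b"WRC submission: constructed placeholder content"
REPORT_DOC = b"Internal investigation report: constructed placeholder content"
NEWSLETTER = b"Staff newsletter: constructed placeholder content"

REGISTER = build_register([
    ("WRC submission", WRC_DOC, {"HR-Staff"}),
    ("Internal investigation report", REPORT_DOC, {"HR-Staff"}),
])

SHARE = [
    StoredFile("HR/Confidential/wrc_submission.docx", WRC_DOC, frozenset({"HR-Staff"})),
    StoredFile("HR/Confidential/investigation_report.docx", REPORT_DOC, frozenset({"HR-Staff"})),
    # The misplaced copy: identical content, but in the all-staff folder.
    StoredFile("Shared/All-Staff/wrc_submission.docx", WRC_DOC, frozenset({"All-Employees"})),
    StoredFile("Shared/All-Staff/newsletter.pdf", NEWSLETTER, frozenset({"All-Employees"})),
]

# Constructed exposure window and access events (hypothetical principals).
EXPOSED_AT = datetime(2024, 1, 10, 9, 0)
CORRECTED_AT = datetime(2024, 1, 12, 9, 0)
ACCESS_LOG = [
    (datetime(2024, 1, 9, 8, 0), "hr.admin", "HR/Confidential/wrc_submission.docx", "read"),
    (datetime(2024, 1, 11, 14, 30), "j.bloggs", "Shared/All-Staff/wrc_submission.docx", "read"),
    (datetime(2024, 1, 11, 15, 5), "j.bloggs", "Shared/All-Staff/wrc_submission.docx", "print"),
    (datetime(2024, 1, 11, 16, 0), "a.nother", "Shared/All-Staff/newsletter.pdf", "read"),
]

if __name__ == "__main__":
    for path, label, excess in find_overexposed(SHARE, REGISTER):
        print(f"OVER-EXPOSED: {label} at {path}, readable by {excess}")
    for hit in accesses_in_window(ACCESS_LOG, "Shared/All-Staff/wrc_submission.docx",
                                  EXPOSED_AT, CORRECTED_AT):
        print("access during exposure window:", hit)
```

Run on the constructed data, the placement check reports only the copy of the WRC submission in the all-staff folder, and the log query shows that one principal read and printed it during the two-day window while the investigation report saw no access at all. Matching by content hash rather than file name is what makes the first check robust to the human error in the case: the document is recognised wherever it is saved. Scheduling the check to run daily would have shortened the exposure, and keeping the access log is what allows the breach notification to state extent rather than uncertainty.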