Use of Personal Email in Work
An organisation in the voluntary sector became aware, during an internal audit review, that an ex-employee had, during their employment, forwarded emails and attachments from their work account to their private email account. The emails contained personal data, including special category health data under Article 9 of the GDPR, relating to a number of vulnerable individuals.
The DPC engaged with the organisation to establish the root cause of this breach and to ascertain what measures the organisation had in place in order to protect the rights and freedoms of the affected data subjects. The organisation carried out an investigation and received assurances from the ex-employee that the personal data had been deleted and was never shared with any third parties, and that they had used their personal email address for convenience in certain circumstances.
The organisation’s Data Protection Officer (DPO) also engaged with the organisation’s Head of IT to examine if technical measures could be implemented to reduce the risk of this issue reoccurring. All affected data subjects were notified and were advised that the DPO was available to assist them should they have any queries.
Following engagement with the DPC, the organisation implemented a number of solutions, both technical and organisational, to prevent this issue from occurring again. The organisation also launched an awareness campaign to remind all staff, volunteers and the Board of Directors of their responsibilities to keep personal data safe and private, and to ensure compliance with the organisation’s Data Protection Policy.