Hi Lawrence - looking at your de-convoluted scenario - "I remember the old contact list and post it on Facebook. Is this a breach? or unauthorised disclosure per s.55? Or both or neither?"
I'd have to say yes.
Posting only the intranet link to Facebook would probably be okay, because only people authorised to gain access to the individual contact details would be able to use it.
Posting the list to Facebook though has effectively released it into the wild: yes, it might be on a Facebook group page (it might even be a closed group), but it's also completely out of the control of the Data Controller now - anyone with access to the group could have copied it and may yet further disseminate it at any time.
The ICO takes a pretty consistent view that junior staff can expect to be better shielded from identification than senior colleagues, so I'd have to lean towards the scenario falling foul of processing conditions, a Section 55 matter (reckless disclosure) and possibly a Sched 7 problem.
Regards,
Owen
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^