Dear All,

I do not think we have enough information to know what is happening.



Consider the following scenario. Someone reads the Telegraph article and initiates a Facebook friend request with the obvious message of "You are a stunning".  Are they a stalker? Have they committed a data breach?  Perhaps a movie studio executive contacts her about a film based on the incident?



The employee may have only known the person's name. That is all that is needed to find someone on Facebook especially as the name is not that common.

Let's say the employee was smitten or infatuated, he spends his evenings scanning  Facebook looking for her through that name and or combinations. Alternatively, he might have written a computer code to search various systems to find her.



So, let's consider how he might know her name. She says that she never told him her name. Do we know this for certain? Could he have overheard it outside the workplace? Could he have asked someone else at work her name? However, here is the issue. What happens outside of the workplace?  If he saw her on the street, and said hello "Debbie", would that be a data breach?



Strictly speaking he would be breaching the Act. He would only know her name from work place where she had authorised his use of it assuming he only knew her name from the bank and nowhere else.



Is this what we are saying should happen each time someone tells us their name in the course of our work or we find it through our work? Is the breach itself what is important or how someone reacted to it? Does this warrant an ICO investigation? Note, she did not approach the police (as far as we know). She went to the press.



Further we have to consider, is she doing a private activity or is she engaging in a public activity i.e. transacting business with a company? It is not a public activity in the sense of a public authority, but is it a private activity in the way of visiting a physician or going to confession?



If the employee had been at McDonalds? Or the local gym, would that be different?



All of the above is creepy and inappropriate. However, is it a security breach that would require the ICO to become involved? We do not have enough information to know whether it fits that criteria?



To be sure, he has potential access to her information. Did he access it? We do not know. The organisation said they investigated. If they had a serious audit system, as most banks do, they are going to be able to review when he accessed her information, if did access it. If he did access, and he cannot provide an authorisation for it, then he is going to have a problem, but how much of a problem?



If Debbie had said yes to his message, would there still be a data breach? If so, how should it be punished?



My prediction: the employee will be outed relatively quickly.** He will lose his job as the company cuts its reputational losses.



Best way forward? Return to the old way of courting potential paramours. If they live at home make a formal declaration through their father.  http://www.wikihow.com/Ask-Permission-from-a-Girl's-Father-to-Date-Her



Best



Lawrence



**A quick google searched showed this hit a number of major websites. It is the type of human interest story that gains traction. He made a mistake and he is going to reap the consequences.







-----Original Message-----

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of [log in to unmask]

Sent: 22 January 2016 13:06

To: [log in to unmask]

Subject: Re: Bank Clerk Sends Flirty Messages



I think you're absolutely right. Obviously we don't know what the bank's investigation found and, particularly if they found themselves doubting some part of the woman's story, they are probably wise to take a reputational hit rather than get into a slanging match. But on the face of it, yes he was misusing personal information (her identity) for which the bank was data controller, and yes I would agree with the description of it as "intrusive stalking".



I do worry slightly that she, through this story, has now published her name, age, location, and a photograph to boot - and may be getting more "flirty messages" than she bargained for.  Or perhaps Telegraph readers don't use Facebook for that sort of thing?







-----------------------------------------------------------------

Ben Plouviez

Head of Information Governance - Agriculture, Food & Rural Communities Directorate The Scottish Government Saughton House | Broomhouse Drive | Edinburgh EH11 3XD

T: 0131 244 6671

www.gov.scot

-----------------------------------------------------------------





-----Original Message-----

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Blyth, Victoria

Sent: 22 January 2016 12:20

To: [log in to unmask]

Subject: Re: [data-protection] Bank Clerk Sends Flirty Messages



The story implies that he only knew her name because he had served her at the bank. Which to my mind is using information he obtained in the course of his employment to harass a member of the public. It doesn't say whether he accessed bank records further to identify her in order to search on Facebook, but I'm not seeing it as that much different to bank clerk accesses details from boyfriend's soon to be ex-wife's bank account in order to help him with his divorce, which is one the ICO has been involved with.



And even if all he did was get her full name through his employment, and the rest was Facebook/social media searching, the woman has a level of distress that not only is she being approached in an unwanted manner, but she knows that this person has access to a large amount of personal data about her and he's already shown himself to be untrustworthy with that access. Her spend patterns, loan applications, mortgage details (so address)...



I'm also looking a little askance at the headline! For "flirty messages" read "intrusive stalking"?



Victoria Blyth

Information Strategy Manager

Information Management Team

London Borough of Barnet, North London Business Park, Oakleigh Road South, London N11 1NP

Tel: 020 8359 2015

please consider the environment - do you really need to print this email?

Barnet’s Information Management Policies are available on the intranet here





-----Original Message-----

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Donald Henderson - CHX

Sent: 22 January 2016 11:33

To: [log in to unmask]

Subject: Re: [data-protection] Bank Clerk Sends Flirty Messages



Why would the ICO even be interested? Presumably the bank clerk was doing it as a private individual rather than as an employee of the bank...



Donald Henderson

Information Compliance Manager

Perth & Kinross Council



-----Original Message-----

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Kevin Broadfoot

Sent: 22 January 2016 10:55

To: [log in to unmask]

Subject: [data-protection] Bank Clerk Sends Flirty Messages



Interesting story in the Telegraph: apparently a bank clerk uses Facebook to track down a married customer and send her unwanted messages; she complains and the bank offers compensation but clerk keeps his job.  She refers the matter to the Financial Services Ombudsman who thinks they can't do anything about it: quote "We can't make them apologise and we don't have the power to tell a firm what to do about disciplinary issues."



What was preventing them referring the complainant to the ICO?



see: www.telegraph.co.uk/news/newstopics/howaboutthat/12114279/HSBC-clerk-sends-flirty-messages-to-married-customer-after-tracking-her-down-on-Facebook.html



Kevin



^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

     All archives of messages are stored permanently and are

      available to the world wide web community at large at

      http://www.jiscmail.ac.uk/lists/data-protection.html

     If you wish to leave this list please send the command

       leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm

 Any queries about sending or receiving messages please send to the list owner

              [log in to unmask]

  Full help Desk - please email [log in to unmask] describing your needs

        To receive these emails in HTML format send the command:

         SET data-protection HTML to [log in to unmask]

   (all commands go to [log in to unmask] not the list please)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Securing the future... - Improving services - Enhancing quality of life - Making best use of public resources.



The information in this email is solely for the intended recipients.



If you are not an intended recipient, you must not disclose, copy, or distribute its contents or use them in any way: please advise the sender immediately and delete this email.



Perth & Kinross Council, Live Active Leisure Limited and TACTRAN do not warrant that this email or any attachments are virus-free and does not accept any liability for any loss or damage resulting from any virus infection. Perth & Kinross Council may monitor or examine any emails received by its email system.



The information contained in this email may not be the views of Perth & Kinross Council, Live Active Leisure Limited or TACTRAN.

It is possible for email to be falsified and the sender cannot be held responsible for the integrity of the information contained in it.



Requests to Perth & Kinross Council under the Freedom of Information (Scotland) Act should be directed to the Freedom of Information Team - email: [log in to unmask]



General enquiries to Perth & Kinross Council should be made to [log in to unmask] or 01738 475000.



General enquiries to Live Active Leisure Limited should be made to [log in to unmask] or 01738 454600.



General enquiries to TACTRAN should be made to [log in to unmask] or 01738 475775.



Securing the future... - Improving services - Enhancing quality of life - Making best use of public resources.







^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

     All archives of messages are stored permanently and are

      available to the world wide web community at large at

      http://www.jiscmail.ac.uk/lists/data-protection.html

     If you wish to leave this list please send the command

       leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm

 Any queries about sending or receiving messages please send to the list owner

              [log in to unmask]

  Full help Desk - please email [log in to unmask] describing your needs

        To receive these emails in HTML format send the command:

         SET data-protection HTML to [log in to unmask]

   (all commands go to [log in to unmask] not the list please)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^







This email and any attachments to it are intended solely for the individual to whom it is addressed. It may contain sensitive or confidential material and should be handled accordingly. However, it is recognised that, as an intended recipient of this email, you may wish to share it with those who have a legitimate interest in the contents.



If you have received this email in error and you are not the intended recipient you must not disclose, distribute, copy or print any of the information contained or attached within it, all copies must be deleted from your system.  Please notify the sender immediately.



Whilst we take reasonable steps to identify software viruses, any attachments to this email may contain viruses which our anti-virus software has failed to identify. No liability can be accepted, and you should therefore carry out your own anti-virus checks before opening any documents.



Please note: Information contained in this e-mail may be subject to public disclosure under the Freedom of Information Act 2000 or the Environmental Information Regulations 2004.





^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

     All archives of messages are stored permanently and are

      available to the world wide web community at large at

      http://www.jiscmail.ac.uk/lists/data-protection.html

     If you wish to leave this list please send the command

       leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm

 Any queries about sending or receiving messages please send to the list owner

              [log in to unmask]

  Full help Desk - please email [log in to unmask] describing your needs

        To receive these emails in HTML format send the command:

         SET data-protection HTML to [log in to unmask]

   (all commands go to [log in to unmask] not the list please)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^







This email was scanned by the Government Secure Intranet anti-virus service supplied by Vodafone in partnership with Symantec.  (CCTM Certificate Number 2009/09/0052.)  In case of problems, please call your organisations IT Helpdesk.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.



*********************************** ******************************** This email has been received from an external party and has been swept for the presence of computer viruses.

********************************************************************



**********************************************************************

This e-mail (and any files or other attachments transmitted with it) is intended solely for the attention of the addressee(s). Unauthorised use, disclosure, storage, copying or distribution of any part of this e-mail is not permitted. If you are not the intended recipient please destroy the email, remove any copies from your system and inform the sender immediately by return.



Communications with the Scottish Government may be monitored or recorded in order to secure the effective operation of the system and for other lawful purposes. The views or opinions contained within this e-mail may not necessarily reflect those of the Scottish Government.





Tha am post-d seo (agus faidhle neo ceanglan  còmhla ris) dhan neach neo luchd-ainmichte a-mhàin. Chan eil e ceadaichte a chleachdadh ann an dòigh sam bith, a’ toirt a-steach còraichean, foillseachadh neo sgaoileadh,  gun chead. Ma ’s e is gun d’fhuair sibh seo le gun fhiosd’, bu choir cur às dhan phost-d agus lethbhreac sam bith air an t-siostam agaibh, leig fios chun  neach a sgaoil am post-d  gun dàil.



Dh’fhaodadh gum bi teachdaireachd sam bith bho Riaghaltas na h-Alba air a chlàradh neo air a sgrùdadh airson dearbhadh gu bheil an siostam ag obair gu h-èifeachdach neo airson adhbhar laghail eile. Dh’fhaodadh nach  eil beachdan anns a’ phost-d seo co-ionann ri beachdan Riaghaltas na h-Alba.

**********************************************************************







The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) This email has been certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.







^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

     All archives of messages are stored permanently and are

      available to the world wide web community at large at

      http://www.jiscmail.ac.uk/lists/data-protection.html

     If you wish to leave this list please send the command

       leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm

 Any queries about sending or receiving messages please send to the list owner

              [log in to unmask]

  Full help Desk - please email [log in to unmask] describing your needs

        To receive these emails in HTML format send the command:

         SET data-protection HTML to [log in to unmask]

   (all commands go to [log in to unmask] not the list please)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^







________________________________





Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.



^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

     All archives of messages are stored permanently and are

      available to the world wide web community at large at

      http://www.jiscmail.ac.uk/lists/data-protection.html

     If you wish to leave this list please send the command

       leave data-protection to [log in to unmask]

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm

 Any queries about sending or receiving messages please send to the list owner

              [log in to unmask]

  Full help Desk - please email [log in to unmask] describing your needs

        To receive these emails in HTML format send the command:

         SET data-protection HTML to [log in to unmask]

   (all commands go to [log in to unmask] not the list please)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^