Read the March 2022 dilemma
This Grey Matter, published in the March 2022 edition of The Review magazine, presents a remote working environment in which Rob learns that information he received might not be recordable and auditable as per the regulatory standards. He has raised the issue with his manager and is told not to worry, so what should he do now?
Suggested solutions and results are as follows:
- Agree with his manager. The data transfer over WhatsApp took place over a month ago. There is nothing more that can be done right now. (1%)
- For his own peace of mind, Rob should ask Kiran if she deleted the document on her WhatsApp to ensure there will be no further data issues. (4%)
- Rob should speak to the data protection officer casually without giving any specific details, as he does not want to be seen to be contradicting his manager. (20%)
- Rob should report his manager to the data protection officer, as he knows something does not feel right and his manager’s inaction is incorrect. (75%)
Responses received: 367
The CISI verdict
Globalisation and technology have allowed organisations to be internationally based with colleagues and clients from across the world. But it also increases the opportunity for data exploitation.
Rob was sent information from his client abroad on his business phone via WhatsApp, but subsequently realises that something may have gone wrong.
Rob has raised a concern with his colleague and is advised to ‘speak up’ to his manager. Rob’s manager, however, tries to ensure that the issue isn’t reported any further.
Asking Kiran if she deleted the document on her WhatsApp (option 2) doesn’t transparently deal with the issue at hand. It may help confirm whether the document is still on the app, but doesn’t identify if the data was intercepted at any point. Speaking with the data protection officer casually (option 3) may help to keep everyone anonymous, but it doesn’t provide the data protection officer with the full picture.
Our recommended solution is option 3. Rob should feel that something is not right. By speaking with the data protection officer, he will be better guided on the next steps.
Should you wish to suggest a dilemma or topic to be featured in a future Grey Matter, please email ethics@cisi.org.
Selection of comments received from members
- Rob has tried to do the best thing for his client but has inadvertently broken the rules so needs to report the breach. However, it sounds as though his manager has little intention of following the rules and breaches them regularly, so reporting them is the only option.
- I would be inclined to have a chat with the DPO regarding the use of WhatsApp before escalating the situation.
- When talking to the data protection officer he should tell him what happened with Kiran and what his response was – that he spoke to his manager and what he said. He should seek guidance on what to do next, e.g. ask Kiran if he has deleted the correspondence on WhatsApp.
- The document was posted by the client, which Rob had no control over. This will hopefully resolve the most important action of making sure the risk from the breach is resolved or minimised. However, Rob should also speak to his DPO for guidance on how to deal with this problem in the future.
- Such an act may lead to breach of data protection norms and needs to be reported to the concerned officer for prudent and apt course of action
- It does not seem necessary that he reports ‘him’. But he does have a responsibility to report the situation to the data protection officer. Understandable that he feels that he is doing the best for the client, but was there no handover or forwarding adviser to pass the information to?
- Start with option 2. See what the response is and consider further action from there, which may include contacting the DPO.
- The right thing to do in such circumstances is to discuss the situation with the DPO in advance for instruction and guidance.
- If in doubt Rob should report it to the relevant data protection manager.
- Rob should not just restrict this to reporting his line manager to the DPO. He needs to be open and transparent with the DPO and seek guidance on what to do next.
- Having had the casual conversation, if he is proved correct he can always escalate the problem by mentioning that he thinks other employees might be doing similar things, which would invoke a team wide action from the DPO without necessarily destroying his relationship with the manager.
- Rob should speak to his data protection officer to both report the potential breach so it can be recorded and so that he can receive formal advice on any further action he should take. For example, speaking to Kiran to make certain she deleted the document. This would not however be a 'casual' approach, not does it need to contradict his manager; it is simply the proper approach. Rob should not be concerned as in the specific time-constrained circumstances, he did act with due care and diligence on behalf of his client and ensured the document was quickly brought into the more formal, recorded channels.
- The phrase "let's keep it between us" is a huge red flag that a manager knows something untoward is going on.
- The fact the manager has admitted he gets “stuff like that sent to him all the time” is a damning admission. Not much choice other than to go direct to the data protection officer for advice.
- Rob's gut feeling tells him it's wrong. It's best to get it out in the open now as the consequences will be much worse if the regulator were to discover it in the future.
- Rob should be honest and upfront about what has happened, but there are also underlying issues with business continuity and his ability to work remotely. These should also be flagged and addressed to prevent workarounds outside of any company or regulatory policies and avoid any associated risks with using such workarounds.
- Rob should report both his own receipt of the documents by WhatsApp and his manager's response, and in addition advise Kiran that this has been done and why.
- At this stage I wouldn't necessary 'report' the manager. But I would most definitely speak to the DP officer to clarify what should have happened and if a breach occurred. Then follow up action can be agreed.
- As long as it was his business phone and not his personal phone.
- Rob should also advise the data protection officer of the situation and delete the relevant document from his own WhatsApp as well as ensuring that Kiran has done the same.
- Check what the process should be in case a similar situation arises in the future.
This verdict is published in the September 2022 edition of The Review.
Should you wish to suggest a dilemma or topic to be featured in a future Grey Matter, please contact us at ethics@cisi.org