31 July 2024
Is Sending a Birthday Card a Breach of Data Protection Law? No, but mishandling people’s data is.
By Jess Pembroke, Head of Data Protection
Even the simplest gestures, like sending a birthday card, can raise questions about compliance with the General Data Protection Regulation (GDPR). While sending a birthday card itself is generally not a breach of data protection law, it is essential to consider the broader implications of privacy and dignity whenever using people’s personal data.
A recent case involving the Commissioners for His Majesty’s Revenue and Customs (HMRC) highlights the significance of handling people’s data, and their requests for access to it, correctly. In this case, Ms H Toure brought multiple claims against HMRC, including allegations of harassment, victimisation, and discrimination based on race, religion, belief, and disability. The case was heard over several days in March and April 2024; a number of the claims were upheld, while others were dismissed.
The case highlights the importance of adhering to data protection laws and ensuring fair treatment in the workplace. Some Data Protection issues within this case included:
1. Sending a birthday card
Sending a birthday card to an employee is not necessarily unlawful under data protection law; the tribunal noted that “[her manager] allegedly retrieved the Claimant’s date of birth from her HR profile and added it to a list without the Claimant’s consent” and “The practice of keeping a list of employees’ birthdays so that they can be marked is, in the experience of the Tribunal, not an unusual practice for managers to adopt.” However, “[Ms Toure] had asked to be removed from the birthday card list, as she felt it was inappropriate given her ongoing grievances and the way she was being treated”, and a different manager sent Ms Toure a birthday card at a later date because “[her previous manager] failed to pass on the message when the Claimant left his team”.
Organisations must ensure that they:
- Ask for consent to keep a list of birthdays and use people’s addresses to send birthday cards,
- Ensure that any objections to uses of personal data are recorded, and systems are in place to ensure these objections are passed on to relevant systems/departments.
2. Data Subject Access Requests
Individuals are entitled to make a request for their personal data. This is called a data subject access request. In this case, HMRC disclosed information to the claimant, in response to a data subject access request, that she had not previously been made aware of; however, “there were issues with the initial response to the Claimant’s Subject Access Request and she had to follow up in order to be sent documents that ought to have been captured in response to her initial request”.
The Tribunal also had to prompt HMRC to provide them with the documents and even then, the documents were provided in a redacted form because “[they] initially believed that the SAR team had not retained an unredacted copy of the documents gathered to send to the Claimant in response to her SAR. They had subsequently discovered that unredacted copies had, in fact, been retained” and the Tribunal said “as an explanation, we considered that to be far from adequate. It implied a troubling lack of rigour in the Respondent’s approach to disclosure.”
Organisations must ensure that they:
- Respond to data subject access requests promptly and fully, and within one calendar month.
- Keep a copy of both the original and redacted information.
- Coordinate with other departments when documents such as these are required for legal cases or hearings.
- Ensure staff handling responses to Data Subject Access requests are adequately trained, or
- Outsource data subject access requests to a qualified third party such as a retained Data Protection service
3. Adequate Systems and Processes
In relation to an earlier appeal hearing with HMRC, Ms Toure had asked for a solicitor to be present, which was refused. She also asked for an interpreter to be present, which was also refused, and then asked if the meeting could be recorded, which was agreed to. The Tribunal notes that: “only one part of the recording was available, as the other part could not be accessed for unspecified technical reasons” and “There was also a transcript of the second part of the appeal meeting. The recording of the other part had apparently been lost or could not be recovered. The transcript was an automatically generated one. It was not a particularly helpful document, as it did not say who was speaking at any point”.
This is an example of data not being collected and retained adequately. The third data protection principle states that personal data must be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed”. This principle aims to ensure that the necessary amount of data is collected and maintained, and organisations need to make sure that their systems and processes are fit for purpose.
4. Conclusion
While sending a birthday card is a kind gesture, it is crucial for organisations to handle personal data with care. Ensuring compliance with GDPR not only protects individuals’ privacy and dignity but also fosters trust and transparency. Organisations must remain vigilant in their data handling practices; by doing so, they can create a respectful and secure environment for their employees.
Whilst this case highlights other important matters such as discrimination and harassment, the recurring thread of poor data handling reflects an overall lack of good practice in this area. This serves as a reminder that robust data protection practices are essential not only for legal compliance but also for maintaining a respectful and dignified workplace.
At Naomi Korn Associates we can help with managing data protection risks. We offer a range of data protection services to help organisations with their responsibilities so that they are managed legally, safely, and strategically.
We also have a fantastic range of CPD UK accredited courses covering a wide variety of topics to help build in-house skills and knowledge. Eager to learn more about Data Protection? Naomi Korn Associates’ next Data Protection Essentials course is a fundamental two-part online workshop which provides a practical and hands-on approach to understanding data protection. Participants will gain the knowledge and skills needed to navigate data protection in real-world scenarios. Attendees will also gain an understanding of the UK’s key data protection legislation (the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018). (6 CPD Points, next 18 & 19 September, 9:30am-1pm).