Outcomes - Selected Case Summaries


Error in HR system causes breach at PoCS

Informal Resolution | 04 August 2022

An error in a workflow process for a specific employee report within PoCS’s newly deployed Human Resource Management System (HRMS) provided managers with unauthorized access to the personal data of employees who did not report to them. In response to the breach, PoCS cancelled all open workflows for this report and conducted an investigation into the full scope of the breach. It was discovered that 11 reports were impacted by the error, of which only two involved extensive personal data.

PoCS asserted that the risk posed by a second group of reports was minimal and that the breach was unlikely to cause harm, in part because the accidental disclosure was made to government managers who are expected to maintain a duty of confidentiality. We agreed, and the second group was not formally notified.

We concluded that PoCS took appropriate action in response to the breach, including reconfiguring the faulty workflow process using a unique identifier and ensuring that the correct reporting manager receives it. The two data subjects with an increased risk of harm due to the breach were notified in accordance with the DPA. We had no further concerns and the case was closed.