And Lo! It came to be written, “Thou shalt protect and keep secure any and all employee, customer, client, or company data, and thou shalt not process, utilise, share, or dispose of the aforementioned data without the expressed permission of the data owner.”

Seems simple enough. It’s hardly rocket science is it? Rocket science, is rocket science. Data protection, is not rocket science.

Yet, the protection of data requires a whole raft of bills and legislation to enforce.

The concept of private information is not a new one. in 1890, Samuel D. Warren and Louis Brandeis’ article “The Right to Privacy.” touched upon such modern concerns as, the right to be left alone, breaches of confidence and trust, obnoxious opprobrium by a prurient and gossipy press, the protection of privacy of affairs in which the community has no legitimate concern, and the matter of consent.

These two Boston lawyers could not then have predicted the world as it is now, with its free flowing of information. Not just within the local community, but globally, information that might once have taken weeks, or even months to disseminate, is now at our fingertips in seconds. The concepts Warren and Brandeis opined upon, all those years ago, are even more relevant today.

Over the years, data protection built to a crescendo.

1948’s Universal Declaration of Human Rights, gave us the 12^th fundamental human right. The Right to Privacy.

In 1967 the United States passed their Freedom of Information Act, which gave the individual the right to know what their government was saying about them. Provided they filled in all the forms.

In 1980, with computers and networking becoming a growing method for the processing and sharing of data, the Organisation for Economic Co-operation and Development published recommended guidelines regarding “the protection of privacy and transborder flows of personal data.”

1984 bought the United Kingdom the Data Protection Act, along with the Information Commissioner’s Office, and the Access to Personal Files Act was passed in 1987.

The Data Protection Act 1998 bought us an additional level of convoluted, legislative loop-de-loops, and in 2000 the UK caught up with the US and passed their own FOIA. Way to go UK.

At some point, post 2000, somebody actually attempted to read the 1998 DPA, said “What the hell is this mess!”, and in 2018 the UK passed the EU’s General Data Protection Regulation into law as the Data Protection Act 2018.

Then, companies across the UK had to rapidly push out training in the six GDPR principles, although it was, at the time, still largely undecided as to what constituted a “Public Authority” (the schedules of the 1998 DPA presumably being no help in this matter). This resulted in a bit of mumbling, or the excision of the public authority concept entirely from training materials.

All of this has also has also brought us such exciting roles as, “Data Controller”, and “Data Champion”. Job titles that turn a dowdy, graceless, nobody into a beautiful, elegant, princess.

A lot of hoo-ha for something that boils down to “Don’t do anything without permission.” Unless it is in the public interest of course. Depending on your definition of public interest.

So, you might say, “But, you’re right. It’s not exactly a complicated issue, is it?”

Well, you’d be right to say that. But also, wrong. Here’s why.

A company is moving its head office. The old, gloomy, multi-building shambles is being vacated, and the whole kit and kaboodle is being transported, half a mile up the road, to a single, monolithic, slab of bricks with elevators, open plan offices, conference rooms, and a big, airy reception with floor to ceiling windows and automatic doors. Yum!

Some years previously, when the 1998 DPA was enacted, this company considered that the various satellite offices, scattered as they were “hither and thither”, were not the best places to store non-digital, hard-copy only, employee information.

It was therefore decided that, the filing cabinets containing this information would be transported to a central department for their protection. The safest place on Earth. The ultimate in departments. The only department that could possibly understand the concept of not doing anything stupid with employee personal information.

The department known as… HUMAN RESOURCES! Da-Dala-Daaa!

You can probably guess where this is going.

At some point during the company head-offices’ two-thousand, six-hundred-and-forty-foot trek to pastures new, filing cabinets containing the non-digital, hard-copy only, data of some eighty plus employees, disappeared into thin air.

The question is why?

Not how. How is pretty simple.

There was of course a waste disposal skip sat outside the old building. There to receive any unwanted, and no longer required items of antiquity. Based on the available evidence, we could come to the conclusion that, the personal information of an entire division, some of it dating back forty years or more, ended up as trash.

What this constitutes is the unlawful destruction of employee information that the employee would reasonably expect to have access to.

Was it an act of malice? The division had diminished over the years, left to wither and die. Perhaps it had been decided that these records were no longer required as the division was about to be canned or sold off. Still not a good idea to dump any records though. Had there been a transfer of undertakings, any new employer might have a use for such things as qualification and contract records. Who can say?

It might even be entirely possible that someone in the HR department had personal beef against elements in the division and decided to exercise their power.

Or, maybe it was nothing more than an act of incompetence. Perhaps the cognitive acuity of whoever was in charge of file management, was largely devoted to keeping their knuckles up off the ground. As they eyeballed these strange pieces of paper and card, with names they don’t recognise and information they don’t understand, they said “Duurr. Wot dis?” and the same little voice in their head that tells them that crayons taste good, told them that these files belonged in the bin.

Perhaps these superannuated file cabinets, with their 1970’s aesthetic, just didn’t fit in with the company’s bright, shiny, new base of operations and it’s thoroughly modern look.

Either way it doesn’t really matter. It’s very hard to tell malice and incompetence apart, because the end result is invariably the same. So, by all means, pick which option you find the most appealing. It amounts to the same thing.

After this incident, a mystery someone leaves under something of a cloud. Their name never to be uttered again.

Now the company has a further problem. How to recover this lost information without anyone, especially the Information Commissioner’s Office, catching on.

Hoo-boy! That’s a poser.