I have done something really bad at work. Meeting tomorrow to discuss it. So so ashamed and worried.

[daytimemom]

I am so ashamed. I have done something unforgivable at work. My stomach is churning. Just checked my work emails from home and saw one from my manager saying under no circumstances must I access a work database (will call it RED) and we will be having a meeting about it tomorrow.

RED is a new database I have just been given access to. It is an appointment booking database for work colleagues. Last week I was playing around on RED trying to work out how to use it as I needed to make an appointment for a colleague. I noticed I was down as a manager for a couple of colleagues on RED (I don’t manage anyone) so clicked on these colleagues names to see who they were. It brought up confidential info on them like address and date of birth. Accessing these colleagues details was my first mistake.

My second was clicking on my own name, I wanted to see what it said ie why I was down as a manager & in all honesty I was curious.

So by accessing my own record I have breached all our organisations information governance policies. I know it was wrong and I don’t know why I didn’t think about this at the time. So so stupid.

I now feel sick to my stomach. I am on probation so they could just sack me. How will I get another job with this on my record I know I have done something unforgivable but I don’t know how I will be able to cope with this

Its not unforgivable, and it wasn't really your mistake.

In the meeting, explain what you explained here. If they seem to be blaming you, point out how surprised you were that the database allowed you to access records you shouldn't have been able to. Also point out that you had no previous training in the system and were in the process of familiarising yourself with it when you clicked on those records.

Consider sending an email now (so its read tomorrow am at the latest) asking for clarification on whether or not the meeting with your manager is a disciplinary one. If it is, then take someone you trust into the meeting with you (you have the right to do this).
If it is a disciplinary meeting they should have made this clear already, however.

Stop blaming yourself! You are not at fault, they are. Your (perfectly understandable) actions have revealed a big hole in their security.

Stop apologising. You clicked on a name to see if you could book an appointment with that person to see how it worked. How would you know that personal information would pop up?

Ask them if this loophole has now been closed. That’s it.

I hope you’re over-thinking this. You had permission to use the data base to make appointments, but happened to notice you were down as a manager to two colleagues when you don’t manage anybody. It is unrealistic to expect that you wouldn’t look at that! It sounds to me as if you have uncovered a problem with the database; if anyone has messed up, it’s IT. I agree that they’ve asked you not to use the database again until they’ve fixed it.

I don't think you have anything to worry about. I work in data protection and if I were your manager my concern would be focused what IT issue allowed this to happen, who else might have unauthorised access and how can it be fixed asap. I would be following he data breach process but the focus would be on this and not what you as an individual did.

I would not go overboard on an apology from your side. I think what you should be doing is asking for clarification in how it can be fixed as you are keen to still be able to use the system so you can still perform that task at work etc.

Agree with everyone else. It's their fault. Them telling you not to access the database now is probably because they need to fix the permissions before you can use it again. They're going to meet with you to explain. That's my take on it.

What Squishy said, This: If they seem to be blaming you, point out how surprised you were that the database allowed you to access records you shouldn't have been able to. Also point out that you had no previous training in the system and were in the process of familiarising yourself with it when you clicked on those records.

I agree not to apologise excessively for this. I agree with others that this is not your mistake. The way you described here what you did is the way most people would act - you clicked on names without knowing what you would see. You should have had training / guidance in using the system and you should not have been given access to that data.

Did you tell someone at the first opportunity?

Unless this is NHS, you will be fine.

I can't see how you made a mistake?

You were following training.

You didn't recognise names so you clicked on them. You didn't know it would bring up personal info.

You clicked on your own name. You own personal info is your own so no foul there.

It sounds like the system does not have the correct access codes, which unless you set them (with full knowledge. etc.), is not your fault.

What I would do personally is email the manager back tonight and say something like this. I’d want to get ahead of the narrative here.

“Thanks [Susan], I wanted to speak to you about this actually and didn’t manage to grab you today so great we are having a meeting. I am concerned about the access privileges - today I went on the system to try and book an appointment for [Bob] and found it is showing several people reporting to me and when I clicked on one of their names it showed me their DOB and Home adddress. I was also concerned to see it showed me my info when I clicked on my name - not what I was expecting to happen.

Very happy to discuss further tomorrow and I have some ideas about how we can train the right people up. “

.

Did you sign a data processing agreement for your job? This bit of info is crucial!

They will have realised they made a mistake in allowing you access. They will be panicking as they shouldn’t have given you this access and they’re in the sh1t about data protection . They don’t want you to go on RED now they realise you can access data you shouldn’t and are worrying about it. It’s all their issue in allowing you access. I bet they’ll be in a fatal panic too about the breaches of data they have permitted to happen with the new data protection laws. It’s their fault op not yours.

FWIW I would have done exactly the same as you —but then I’m nosy— in looking at the data. I don’t think you sound unreasonable at all in what you did. I’d also feel embarrassed and nervous and anxious and convinced it was all my fault when reading the email from manager about it. I would cringe at what I did and wish I hadn’t looked.

From an outsider it’s easy for me to say this but I really think they will be more worried about covering themselves in their mistake than about your professionalism.

^emerald has brilliant advice there. I’d definitely do that.

I agree with Emerald. I’d want to say something tonight, mainly to put my mind at rest.

I agree this is their mistake I don't know why you're apologising.

You're trying to work out a system you've had no training on. You see some information wrt your managing a couple of colleagues that is incorrect. You click on their names to see who they are - and you're presented with confidential information you had no desire to access.

a) lack of training, and b) non-secure system.

It sounds like they don't know exactly how it works yet.

You can't be blamed for that, be absolutely clear.

I don't know why women in business always blame themselves. If you were a bloke you'd be blaming everyone else including your mum.

Does anyone else have to know?

Their breach, not yours. I am not fully up on these things but you probably should have recorded the breach but this would cause problems for your work. It sounds like your manager gave you their access. Massive data breach, don't let her make you a scape goat for her mistake and be prepared for standing up for yourself.

Don't go in all guns blazing, see what she says, apologise for clicking on things but just state what you said to us, but of it goes any further than stand your ground. You were given access to something you shouldn't, regardless of clicking on it, it's their mistake.

I would play dumb and say something like " oh silly me I don't know what I'm doing yet with this new system, Ive probably clicked on all the wrong things by accident hope I get properly trained soon"

Jeez op, their bad not yours. I wouldn’t go in with my arms up waving a white flag, in fact I’d turn it round onto then and ask wtf you are down as a manager to these strangers and wtf is this info accessible to those who can enter the database?

Totally agree with Emerald’s advice - get back on the front foot.

They’ve screwed up, they gave you the wrong permissions. It’s not your fault, so please don’t stress.
In my old job, I frequently got sent things not intended for me as my email address was close to a lady in HR (responsible for hiring, firing etc, our first name and surname,e initial were the same. I deleted them of course once I realised I wasn’t the intended recipient, but frankly it was not my fault they were sent to me!

Don't apologise, wait and see exactly what they say first!

I can't see how anyone can legally stop you accessing your own data. You accessed it because you were curious about an inaccuracy, and you accessed other people's data incidentally while trying to get the hang of the system. If they bollock you for either of those things, IMHO it's an unfair overreaction on their part. I don't think what you did was so terrible, and hopefully not a sacking offence. Hope it goes OK.