Breach of GDPR - Panicking!

22 replies

fuckeduphelp · 23/08/2022 14:56

When I was a nursing student, I accidentally sent a patient report to my university email. This week I’ve started my first qualified role and I’ve received training on data protection and GDPR. The trainer has said that people have been fined and criminally prosecuted for doing pretty much what I did, and now I’m panicking that I’m going to have a criminal record. Can anyone here with experience or knowledge of the ICO know whether I’m at risk? I know I’ve been ridiculously negligent 😩

rose69 · 23/08/2022 14:59

I'm not an expert but I think it's usually big companies who are careless with data that get fined etc. Are you going to report it to your workplace?

cavebaby · 23/08/2022 15:01

Was it a patient record you were supposed to be looking at? How did you accidentally email it to yourself? What did you do when you realised your error?

Augend23 · 23/08/2022 15:02

I tend to think it's whoever didn't provide you with any GDPR training before you first got access to patient data who was negligent. Can you suggest to the university that they add it into the course?

I would say it's very unlikely you would be personally fined. Probably tells the hospitals they need to review their induction procedures for student nurses though.

Are you at the same organisation as where you sent the patient information from?

1Wanda1 · 23/08/2022 15:04

I am a solicitor and not so long ago advised an NHS Trust on its liability following a similar incident (secretary had emailed to her private account the medical records of patients - as she also worked as secretary for the consultants' private practice work).

The outcome was a report to the ICO (which had to be made by the Trust) and various actions relating to the individuals affected. They didn't do anything to the employee, other than a rap on the knuckles.

FallOutPloy · 23/08/2022 15:05

In general, I would say you absolutely have to fess up straight away and alert whoever your GDPR lead is. What's the paper trail here? As in, if someone accessed that report in the future, would it be clear to see that it had been sent to a private email address?

If you hadn't had any GDPR training at that point, then really the responsibility would fall on your supervisor. You shouldn't be given access to confidential information without the appropriate training (and this is exactly why!)

Sarahcoggles · 23/08/2022 15:06

I'm confused.
You sent a patient's record to your own email address?
If so, just delete it and forget about it.

Georgeskitchen · 23/08/2022 15:43

Sarahcoggles · 23/08/2022 15:06

I'm confused.
You sent a patient's record to your own email address?
If so, just delete it and forget about it.

My thoughts too!!

ichifanny · 23/08/2022 15:43

If it wasn’t recently then it will be fine, people telling you to hand yourself in are being ridiculous.

Allthegoodnamesaregoneffs · 23/08/2022 16:07

ichifanny · 23/08/2022 15:43

If it wasn’t recently then it will be fine, people telling you to hand yourself in are being ridiculous.

And if the outgoing emails are checked server side? It would flag then and OP could potentially be in more trouble as she tried to hide it.

Op, where were you meant to be emailing it and how did you get your own address in there by mistake? Have you emailed yourself from work computer before and your address is stored in there?

quietnightmare · 23/08/2022 16:19

Sarahcoggles · 23/08/2022 15:06

I'm confused.
You sent a patient's record to your own email address?
If so, just delete it and forget about it.

Yeah, this. Don't worry, assuming you were supposed to be looking at said patient's record then don't worry. IF, and it's a big IF, anything ever comes of it and you are asked, you can easily explain. Surely there's a timeline, I think something like 60 days to investigate if it affects less than 500 people.

violetcuriosity · 23/08/2022 16:20

GDPR lead here, also the person who has made the most GDPR mistakes ever 😂. I'd just delete it and let them know that during the training you realised you'd accidentally done that during your training but deleted it and know not to do it again. They'll log it and maybe report it higher but it's a mistake, these things happen.

I once had student details, names, addresses, DOBs in my work bag in the boot of my car, went into the corner shop for some milk (gone max 5 mins) and came back to my car broken into and my work bag gone. I had to call 999 and let my boss know, I learnt a lesson that day!

fuckeduphelp · 23/08/2022 16:22

I’d previously sent university stuff to my uni email address which is how my email popped up as well as the person I actually meant to send it to. I deleted the email immediately from both sent items and my university inbox.

This happened in January.

ReluctantCourier · 23/08/2022 16:35

Don’t worry! I also work with personal data and mistakes can obviously happen. The onus is generally on the organisation to make it very difficult for mistakes to be made, not on junior individuals to be experts. This doesn’t sound hideously reckless or negligent. As others suggested you might feel more at ease if you inform someone but I don’t think it’s that urgent- mentioning it during training seemed a nice option.

Allthegoodnamesaregoneffs · 23/08/2022 16:36

If it happened in Jan I really think you would be OK now, just make sure it doesn't happen again.

Claricethecat45 · 23/08/2022 16:38

In my previous role I used to have to investigate Breaches by Datix....the process was quite lengthy and always escalated to more senior people. In my experience, the majority were considered 'near misses', and only one or two - max - reached a more advanced stage and at no time did an individual take the rap. Please do NOT worry....and if it is historical I'd say forget it but learn from the refresher training you have had. One small measure I would suggest is to install an 'email delay' function...so when a busy day strikes and pressure mounts, you do then have a bit of grace time to cancel the email or if the worst happens, recall it and report the potential breach immediately and transparently. Hopefully not a situation you will meet.....but these breaches DO happen and this is why there is at least now a process to mitigate the severity and impact. You will absolutely NOT have a criminal record....do join a professional Union though....we are all still human....it happens

fuckeduphelp · 23/08/2022 19:24

Thanks so much for the reassurance. I saw my career flash before my eyes and I’ve only just started 😅

LaFemmeNicola · 23/08/2022 19:27

fuckeduphelp · 23/08/2022 14:56

When I was a nursing student, I accidentally sent a patient report to my university email. This week I’ve started my first qualified role and I’ve received training on data protection and GDPR. The trainer has said that people have been fined and criminally prosecuted for doing pretty much what I did, and now I’m panicking that I’m going to have a criminal record. Can anyone here with experience or knowledge of the ICO know whether I’m at risk? I know I’ve been ridiculously negligent 😩

More context needed. Presumably you should not have been emailing it anywhere, so what happened?

Entwifery · 23/08/2022 19:33

I wouldn't worry about it or say anything at this point. It was a while ago and not at your current workplace, correct?

SunshineClouds1 · 23/08/2022 19:36

I would say delete and forget too.
It's not like you sent it to your uni lecturer who I'm guessing would indeed take it further.

nellytheelephant1980 · 23/08/2022 22:50

Seriously, forget about it.
Well done on qualifying! Congratulations

Prometheus · 23/08/2022 22:54

Someone has to find out about it and complain for it to even be investigated as an issue. Delete the email. Don’t tell anyone. You’ll be fine.

ClaireEclair · 26/03/2023 18:52

We’ve had worse data breaches at my office and nothing bad has ever happened to the person. No one has ever been sacked. If this happened months ago I don’t think I would even mention it. You didn’t know at the time but now you do and will probably never do it again. Don’t worry about it.
