
Can I lose my job for breaching data protection?

131 replies

fershuuu · 26/08/2024 16:28

So I work for a company and we provide online learning courses.
Thursday I emailed 300 previous clients asking if they want to take part in another course.
I cc'd them all in by mistake so they all can see each other's emails.
I've had a few emails back from them asking to speak with my manager as everyone can see everyone's email address and saying I've breached data protection.

Can I be sacked for this?

OP posts:
rainbowunicorn · 26/08/2024 18:20

HelenWheels · 26/08/2024 18:15

simply recall the email

It's still a breach of GDPR even if the email is recalled. Usually only unopened emails within the network can be recalled anyway.
I really don't think it's good advice to tell OP to just recall the email. There are certain regulations that she and her company have to follow in these circumstances.

InevitableNameChanger · 26/08/2024 18:20

ohyesido · 26/08/2024 18:03

It really isn’t that serious. Compare it with the YMCA data breach where email addresses were not bcc’d in a communication to service users of a specific charity involving therapy for a stigmatised incurable STD. That’s caused a risk to the rights and freedoms of those service users.

i can’t see what risk you’ve caused with an admin oversight and the ICO would not be interested

Exactly and even in the Scottish charity (std) example I don't think the individual employee should have (or did) lost their job. Retraining certainly but they were failed by the lack of a better system

InevitableNameChanger · 26/08/2024 18:23

rainbowunicorn · 26/08/2024 18:20

It's still a breach of GDPR even if the email is recalled. Usually only unopened emails within the network can be recalled anyway.
I really don't think it's good advice to tell OP to just recall the email. There are certain regulations that she and her company have to follow in these circumstances.

Attempting to recall is good practice even though it doesn't erase the breach (and won't be very effective). Asking everyone to delete the original (in a resent, properly BCC'd email) is also good practice. It also needs reporting to the DPO who can then review whether or not it is "serious".

Even if it is serious it doesn't follow that OP should even face disciplinary action, let alone lose her job. I would be focussing on improving our system, not criticising individuals. The only time we ever would use HR is if there is
A) a deliberate breach (disciplinary - may well lose their job) or
B) recurrent breaches (competency might be considered, but first we would focus on system improvements)

(We would always do retraining following a breach though, that's not a criticism of the individual it just feels like good practice)


InevitableNameChanger · 26/08/2024 18:28

IbizaToTheNorfolkBroads · 26/08/2024 17:39

Where I work it wouldn't automatically be a sackable offence, but it would trigger a disciplinary process. The sooner you alert your data protection officer, or similar data manager, manager, HR etc, the better it'll be for you. Don't try and cover up what you have done.

Good grief that's heavy handed.

The ICO are clear that organisations should primarily focus on designing out risk rather than expecting perfection from employees.
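The "designing out risk" point above, as an added worked example that is not from this thread or from anything Mumsnet or the ICO publish: a small Python pre-send guard that makes the Cc mistake structurally hard to repeat. Bulk mailings are built with every customer in the SMTP envelope and none of them in To or Cc, and a gate refuses any message whose visible recipient list is larger than a threshold. The function names, the threshold and the sample mailing list are assumptions of this example.

```python
"""Pre-send guard for bulk mail (added example, not the thread's code).

Two controls: prepare_bulk_mail() never puts customers in a visible header,
and check_visible_recipients() refuses any message that would disclose a
recipient list, so the guard catches hand-built messages too.
"""
from email.message import EmailMessage

# Constructed sample mailing list, not real customer data.
SAMPLE_CLIENTS = ["client%03d@example.com" % i for i in range(1, 301)]


class VisibleRecipientsError(ValueError):
    """Raised when a message would show recipients each other's addresses."""


def visible_recipients(msg):
    """Every address a recipient could read out of the To and Cc headers."""
    addrs = []
    for name in ("To", "Cc"):
        for header in msg.get_all(name, []):
            # Header objects from the default policy expose parsed addresses;
            # an empty group such as "Undisclosed recipients:;" yields none.
            addrs.extend(a.addr_spec for a in header.addresses)
    return addrs


def check_visible_recipients(msg, max_visible=1):
    """Pre-send gate: refuse any message that discloses a recipient list."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        raise VisibleRecipientsError(
            "%d addresses visible in To/Cc (limit %d); bulk mail must use Bcc"
            % (len(seen), max_visible)
        )


def is_safe_to_send(msg, max_visible=1):
    """Boolean form of the gate for callers that prefer not to catch."""
    try:
        check_visible_recipients(msg, max_visible)
    except VisibleRecipientsError:
        return False
    return True


def prepare_bulk_mail(sender, recipients, subject, body):
    """Build a mailing that shows no customer address to any other customer.

    Returns (message, envelope_recipients). The envelope list is what the
    SMTP client passes as the RCPT TO addresses (smtplib's to_addrs); it is
    deliberately never written into a header, so there is no Bcc header
    that a careless delivery path could leak either.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "Undisclosed recipients:;"  # RFC 5322 empty group, no address
    msg["Subject"] = subject
    msg.set_content(body)
    # Normalise and de-duplicate so nobody receives the mailing twice.
    envelope = list(dict.fromkeys(
        a.strip().lower() for a in recipients if a.strip()
    ))
    check_visible_recipients(msg)  # the gate runs even on the safe path
    return msg, envelope


def cc_mistake(sender, recipients, subject, body):
    """Constructed negative case with the shape of the incident in the thread:
    every customer in Cc, so every recipient sees every other address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    safe, rcpts = prepare_bulk_mail("courses@example.com", SAMPLE_CLIENTS,
                                    "Next course", "Would you like to join?")
    print("safe mailing:", is_safe_to_send(safe), "- envelope size", len(rcpts))
    bad = cc_mistake("courses@example.com", SAMPLE_CLIENTS, "Next course", "...")
    print("cc mistake:  ", is_safe_to_send(bad))
```

The design choice worth noting is that the gate inspects the finished message rather than trusting the sending code path: wiring `check_visible_recipients()` in front of the SMTP call means a message assembled by hand in a mail client integration or a script gets the same refusal as one built by `prepare_bulk_mail()`, which is the kind of system-level control the post above is describing.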

DodoTired · 26/08/2024 18:29

MrsTerryPratchett · 26/08/2024 16:48

BTW at my workplace we have a policy that breaches have to be formally reported (supervisor - minimum) within 24 hours, and as soon as possible. If you've been aware for days, that's worse.

It’s because it’s the law

pinkfleece · 26/08/2024 18:30

fershuuu · 26/08/2024 16:39

Surely just an email address visible isn't the end of the world?
It wasn't personal info in the email, it was sent to all of them.

That attitude will make losing your job more likely.....

TriciaMcMillan · 26/08/2024 18:44

PlutarchHeavensbee · 26/08/2024 17:17

I’m not saying it would. I said it could… but a data breach of this size, if it happened in local government, would need to be reported to the ICO.

Agreed, we'd report, outline what we'd done to manage and mitigate the risk to individuals affected, identify any necessary training/lessons learnt etc.

The chances of a fine, unless this was part of a catalogue of similar incidents and indicative of endemic poor practice is very small. The hyperbole isn't necessary when offering a worried person advice. Unless you were actually trying to frighten them unduly.

taxguru · 26/08/2024 18:46

HamSad · 26/08/2024 17:14

Mad to think people used to have their phone numbers and home addresses printed in a big yellow book given out to all and sundry in their local area, and no one fell on the ground wailing about what an invasion of privacy it was.

People could opt out of being included in the telephone directory. It wasn't obligatory!

ThatsNotMyTeen · 26/08/2024 18:47

Yes it’s a breach but it was just a mistake, you’re only human. It’s an email address, it’s hardly the same as revealing financial or medical information. None of us know what your employer will do however it depends how seriously they view it and maybe the consequences for them.

InevitableNameChanger · 26/08/2024 18:49

TriciaMcMillan · 26/08/2024 18:44

Agreed, we'd report, outline what we'd done to manage and mitigate the risk to individuals affected, identify any necessary training/lessons learnt etc.

The chances of a fine, unless this was part of a catalogue of similar incidents and indicative of endemic poor practice is very small. The hyperbole isn't necessary when offering a worried person advice. Unless you were actually trying to frighten them unduly.

Agreed, in my experience the ICO wouldn't be likely to investigate this. (But I might report to cover my back.)

However the seriousness of a breach is not the thing that determines whether disciplinary action is required. OP didn't do this deliberately and her employer should have a far better system in place for mailing list communications.

ThatsNotMyTeen · 26/08/2024 18:49

MrsTerryPratchett · 26/08/2024 16:43

The things that help me when breaches occur (and they do occur) are IMMEDIATELY reporting, taking it seriously, engaging with the measures to contain the breach, seeing training and taking the whole thing as a learning.

If you didn't tell me immediately, tried to cover it up, didn't take it seriously, yes, I would be very very worried about your role.

I agree

Mistakes happen, owning up to it and dealing with it is key.

InevitableNameChanger · 26/08/2024 18:52

ThatsNotMyTeen · 26/08/2024 18:49

I agree

Mistakes happen, owning up to it and dealing with it is key.

First thing though as DPO I would look at what training the op has been given.

As she didn't realise this was a data breach I would suggest the organisation has failed to train her adequately. That's on their heads not hers

sunseaandsoundingoff · 26/08/2024 18:58

There is a lot of terrible advice in this thread.

It's highly unlikely that anyone has sold the info on.

Obviously you can't recall the email, the horse has already bolted.

It's not even clear at this stage that GDPR has been breached, because if they were all business email addresses, not people's personal ones, it's not considered personal information.

Education79 · 26/08/2024 19:04

I'd seriously not worry about it, say nothing and likely it will not be mentioned, only if a recipient complains do you have a problem, so wait to see if there is a problem before wasting time thinking of a solution to it.

Georgyporky · 26/08/2024 19:06

Own up immediately, it MIGHT help you.

taxguru · 26/08/2024 19:06

sunseaandsoundingoff · 26/08/2024 18:58

There is a lot of terrible advice in this thread.

It's highly unlikely that anyone has sold the info on.

Obviously you can't recall the email, the horse has already bolted.

It's not even clear at this stage that GDPR has been breached, because if they were all business email addresses, not people's personal ones, it's not considered personal information.

Funny you talk about "terrible advice".

As per the ICO website...

"Yes, a business email address can be considered personal data. According to the UK GDPR, personal data is any information that can identify an individual, even if they are acting in a business capacity. For example, an email address like "[email protected]" identifies an individual, so it would be considered personal data."

So you saying "it's not considered personal information" is completely wrong because the ICO says it is!

Education79 · 26/08/2024 19:08

taxguru · 26/08/2024 19:06

Funny you talk about "terrible advice".

As per the ICO website...

"Yes, a business email address can be considered personal data. According to the UK GDPR, personal data is any information that can identify an individual, even if they are acting in a business capacity. For example, an email address like "[email protected]" identifies an individual, so it would be considered personal data."

So you saying "it's not considered personal information" is completely wrong because the ICO says it is!

Having dealt with the ICO I strongly doubt they would give the tiniest s**t about this.

Georgyporky · 26/08/2024 19:08

Education79 · 26/08/2024 19:04

I'd seriously not worry about it, say nothing and likely it will not be mentioned, only if a recipient complains do you have a problem, so wait to see if there is a problem before wasting time thinking of a solution to it.

Wrong. Read the original post - complaints received already

taxguru · 26/08/2024 19:10

Education79 · 26/08/2024 19:04

I'd seriously not worry about it, say nothing and likely it will not be mentioned, only if a recipient complains do you have a problem, so wait to see if there is a problem before wasting time thinking of a solution to it.

Probably the worst advice I've ever read on MN. If you try to cover it up, you're making the matter worse and just asking to be sacked. The OP NEEDS TO come clean to their manager and their organisation's Data Controller immediately and let them deal with the breach, contacting customers to advise and apologise etc.

PerkyMintDeer · 26/08/2024 19:12

fershuuu · 26/08/2024 16:39

Surely just an email address visible isn't the end of the world?
It wasn't personal info in the email, it was sent to all of them.

It led to harassment for me, so yes it can be quite serious.

taxguru · 26/08/2024 19:12

Education79 · 26/08/2024 19:08

Having dealt with the ICO I strongly doubt they would give the tiniest s**t about this.

Doesn't matter. The law requires organisations to record data breaches. The organisations' own Data Controller decides whether it's serious enough to report to the ICO or not. To a large extent, for minor breaches, it's "self assessment". Should the ICO get involved in any way, they'll want to see the data breach reporting system in place and how breaches are dealt with.

HowardTJMoon · 26/08/2024 19:13

Absolutely. This is potentially a minor breach and unlikely to be one that will result in any disciplinary action (depending on circumstances, of course).

But if I was OP's manager and the first I found about it was because, say, one of the affected customers sent a tweet complaining about it rather than the OP telling me about it ASAP then I'd not be a happy bunny.

Emotionalsobriety · 26/08/2024 19:15

I can’t get excited about this as a wrongful act, unless it’s a training course on a sensitive subject. But customers/prospective customers have complained… so you have to go through the process now. I’m sure it will be ok.

SaltandPepper22 · 26/08/2024 19:16

You are very unlikely to be sacked for this and those people saying you are, are just trying to freak you out. And people that are complaining need to get over themselves imo, like you say, hardly the end of the world if someone knows your email.

At my workplace this would be a ticking off and maybe a direction to redo the GDPR training.

My cousin works in healthcare and accidentally sent a letter to the wrong patient with personal information about their treatment plan. This is obviously much worse than a bcc error and all she got was a telling off and had to apologise and redo the training. She was supposed to sign and say it would never happen again but she refused because this sort of error is impossible to guarantee can NEVER happen, and they let it go.

Just own up and it will be fine. It’s really nothing more than a whoopsie!

SaltandPepper22 · 26/08/2024 19:17

@PerkyMintDeer and you couldn’t just block the email addresses contacting you?