Can I loose my job for breaching data protection?

[fershuuu]

So I work for a company and we provide online learning courses.
Thursday I emailed 300 previous clients asking if they want to take part in another course.
I cc them all in by mistake so they all can see each others emails.
I've had a few emails back from them asking to speak with my manager as everyone can see everyone's email address and saying I've breached data protection.

Can I be sacked for this

Of course @DodoTired but policy you'd assume OP has read. Being an employee. Law should be known by all staff as well but I'd assume policy is the first thing new staff is given.

This is pretty much the advice I would have given. In my professional opinion it's likely to be a pretty low impact breach and at my work we take a no-blame approach to this type of data breach as long as it's reported promptly and we would use it as a learning opportunity. If you've not already spoken to your manager do that as soon as you can and make sure you apologise and show you are taking it seriously!

No. I couldn't.

Email them back and tell them to get lost, that's the best approach, they are sad acts who need to grow up and get on with their work.

Well, when our local authority did it, I could see that DP's ex had a job at a particular location, which meant I could tell which school their DD attends, narrow their address down to a particular area and if I were so inclined (and if DP were a violent, stalking prick, which fortunately he isn't), tell him exactly where to be waiting either at school kick out time or when his ex was likely to be at an event at night, meaning she would be using the largely unlit car park at a time when the gates were likely to be open and pretty much everybody else had already left.

Admittedly, it's a theoretical risk, but it's still a risk - just from one email address in the cc field.

That's much more along the lines of what happened to me and why "blocking the email" addresses didn't work. With a creepy man that
only knew my first name prior to the email leak.

Recall the email and report the error to your manager asap.

In some fields, yes, this could be a sackable thing, but there will be other fields where it isn't. The important thing now is to take action to mitigate potential harms and reduce the risk of this happening again.

What spectacularly bad advice

Wow, you really havn't a clue have you. I think you need to go on a data protection course. It's a VERY serious matter.

I presume you're the kind of muppet who whinges when schools don't allow photos/videos to be taken at the school nativity play!

while this is a very minor issue that is really awful advice. Being rude and unprofessional rarely makes an issue go away.

what subject do you teach? Is that how you manage communication with parents?

We’ve had similar instances at my company and the people were not sacked but they did inform as as soon as they were aware of the breach. It was really interesting being part of the process and to see how the privacy team work. These things happen and there should be processes in place to follow when it does happen. And if there isn’t then it’s a way to learn.

it only takes one of those 300 to know how and where to sell email addresses.....

It's not just about sharing email addresses (a personal data breach) but it also provides jigsaw identification information. That all those people have attended xyz course. I don't know what that course is, but it could share information that some people don't want sharing with 299 other people - dealing with bereavement? Managing mental health problems? Disability support etc etc.

As PP says, own up asap and please do not say it's just email addresses. That would massively concern me as a line manager as it would indicate there is very little understanding of what personal data is / data protection is.

yes, I might not sack you for an error but for heavens sake lose the attitude OP

I did a 3 day residential course on GDPR, got the certificate, decided it was yet another load of bureaucratic nonsense and moved swiftly on.

Its not VERY serious, its a few people who got other peoples email addresses, the world isn't going to stop turning, and if Steve at A to Z accountants is worried because Beth at Zigzag marketing can see his email address or visa versa they need to stand back and view the bigger picture - meanwhile the eejit doing scam emails from Moscow already has all their data...

This is one of reasons modern work
life is unsustainably shit and stressful.

But you must see that the OP has to tell her line manager what’s happened before any of the email recipients do, and that phrasing it like that is going to go down like a lead balloon.

What is? Edit - I man, what about this particular situation prompted you to say that please?

Oh and we do photos and videos at all school events, no problem, never had an issue.

Breaches should be reported to the ICO within 72 hours. You need to report it asap in the morning.

Because the instant nature of email and electronic communications means you’re at risk of being sacked for making a simple clerical mistake. Because there is not one person here who hasn’t made a slip up at work particularly when under pressure. Because - I’m sorry - but revealing someone’s freaking email address should not be a disciplinary offence.

To add to that often the pressure itself to work quickly is created by Outlook. Bombarded by emails day in day out, expected to respond quickly. It never ends. Email has ruined my job for certain.

Also the recipients might have complained to the ICO themselves.

@rubeelum i wish I could give that “thanks” more than once!

@rubeelum okay

it’s been this way since I began work a very long time ago but I suppose different areas of work are going to have adopted it later. I like Outlook, I find it very useful. Maybe just because I’ve used it forever.

I do think it’s a big error but if OP had no training it’s different. I’d expect a person to get a warning.

it's for the DPO to report to the ICO not the op. Op needs to report to her DPO.