Husband lost his job. His fault but he had good intentions. We are both deeply upset. Please help.

[user1471433754]

My husband's boss phoned him a fortnight ago, and told him to stand down and to hand his laptop in to HQ the following day. My husband was so shocked, we didn't know what was happening. We were in a distressed state as he's contract and won't get paid either.
After over a week, of not sleeping, eating, desperately worried, we received a very aggressive lawyers letter from the company. It accused him of downloading documents to his private e mail to read. Husband did do this, they weren't sensitive but he did do it so he could read them at night, and deleted them right after. He honestly didn't realise he was doing wrong. He was doing his best to help his team and get the work done. He's always known for getting jobs done and been told he's a great asset.
Back story to this is, I've been very ill the last year. I nearly died, also lots of illness on my part, mental breakdown, 2 operations, serious illness. He was trying to look after me and do his job at the same time in the evening. He's now been dismissed. Looks like we are going to have to pay both sides legal fees, but he has no job, I can't work. We speak to a lawyer tmro.
He has been foolish, but he did it with the best of intentions to get the work done. We are early sixties and so distressed, I'm worried he will have a heart attack. He's cried non stop, he is horrified, ashamed, embarrassed. Please be kind x

He’s a contractor - he wasn’t fired, his contract was terminated and they don’t need to give a reason or even involve HR. The fact that they have given a reason and issued a legal letter is concerning.

Very true! Although I had a access to legal advice through mine which could be useful?

Or better still, walk away from this thread and don't feel obliged to share more information with complete strangers who enjoy casting aspersions on you and your DH. Good luck with things.

Where the fuck are you getting this all from?

theres no indication of violence from the employer. For a start.

I think personnel or HR would’ve been involved.

Reply and acknowledge their letter and say you are taking legal advice and will reply further when you have done so.

That's met their 3-day deadline and remember "taking legal advice" does not necessarily mean a talking to a solicitor.

Just a quick note to say that the definition changed under GDPR. Under the old Act it was data that could identify a liv g individual, but now it’s much stricter.

The definition of personal data is any data that can be used to identify an individual.

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-data/what-is-personal-data/#:~:text=The%20UK%20GDPR%20defines%20personal%20data%20as,means**%20Manual%20information%20in%20a%20filing%20system

He isn’t an employee, so doesn’t have the same rights thereof, and depending on what data he was taking and processing outside company systems, he could have exposed the company to the risk of large costs: fines, reputational damage, loss of clients, loss of business. If the security systems in his private laptop are inadequate it’s even worse, as that data could have much more easily been accessed by others without the right to it. Just because criminal charges may not be laid it doesn’t mean that a civil case can’t be brought.

If you look at the wording of the GDPR this isn’t actually the case - I find the ICO explanations are often overly simplistic and leave out important details, probably because they are broadly aimed at laypersons. The wording actually states that it is, “any information relating to an identified or identifiable natural person”. Plus you have to consider inferred personal data, especially inferred special category data. Eg someone requesting kosher food at a work event could indicate that they are Jewish.

*edited as autocorrect decided that ‘special category data’ should in fact be ‘social category data’ ffs!

Yes. I know. Why are you talking about GDPR definitions? I’m sorry im autistic and I’m not understanding.

I would also have a concern about computer misuse act? And stealing proprietary information?

https://gdpr.eu/eu-gdpr-personal-data/

I think it’d best if you don’t understand something not to give advice.

thr man was a contractor, he was not fired. And you’ve no idea who else was involved, I would assume plenty as they knew he’d taken the data. It won’t have been his manager monitoring his emails.

it wasn’t a violent act, dial down the hyperbole. This isn’t an episode of esstenders, there is a real person at the other side of this. And your advice is appalling and wrong.

Unless he works for MI6 I don’t think they will take it that far!

Even with GDPR breaches of this type as long as any data sent to the wrong place etc. is deleted immediately with no further distribution, the breach is considered to be dealt with. I’ve had multiple dealings with the ICO on these types of breaches and they are normally satisfied if they are given written assurances that the breach has been contained and controls are in place to prevent recurrence.

I didn't see the post you're responding to, but I would say this is good advice across the board. Including, my daughter is a lawyer and they'll take all your assets. I'm a lawyer but know nothing about employment law or the specifics of this, so would never attempt to advise on it, let alone on the internet. Nor would I expect my mother to.

@user1471433754 This is a website made up of random people with no proof that they are who or what they say they are. They're giving you lots of advice on a very upsetting situation with little to no information and I suspect it's making you more upset. Some of the advice seems to be good and knowledgeable, but even then, we have no idea whether it applies to your specific situation. Equally a lot of it seems overwrought and downright alarmist.

I would suggest you take a deep breath, try to understand what is actually in the letter and you and your husband should have a very honest conversation and figure out the next steps.

Wishing you a good outcome.

I would say it’s not just about the gdpr breach.

Because the reference was to personal data, and that is the relevant legislation. I was explaining that the legal definition is actually broader than people often think, meaning that sometimes they don’t realise that information they are processing is covered, or may be defined as ‘special category’, ie with extra protections that may have been violated in this case. I’m not referencing computer misuse etc as I am focusing on my area of law.

Your health has no bearing on this. It all depends on him downloading personal mails and the company view. 🤷‍♀️

Agreed. I’ve always found the ICO to be more concerned with the impact of the breach, and whether it was shown to be the result of systemic issues like poor policies and training, widespread failure to adhere to / monitor and enforce adherence to policy etc. rather than a one-off mistake that has had no material impact on data subjects. I definitely think it helps that they are not funded by fines, in countries where that is the main source of income for the relevant regulator I have definitely found a somewhat more, hmm, ‘quick to fine’ approach shall we say?!

Sorry you’re going through this, what a shock and obviously very distressing.

However, this is a very basic rule he’s broken. It will be in the company’s information security training and their acceptable use policy, as well as in the staff handbook. My company makes us do the training and read/sign the policy annually.

as to whether the docs are sensitive - unless he has shown them to you (which also breaks the rules…..) you simply don’t know if that’s true.

No, I totally agree that it isn’t - but if he hasn’t financially benefitted from the data downloaded and he has deleted it straight away I don’t think the company has any grounds for bringing a civil case. There little gdpr risk and they haven’t lost anything financially.

So either they are being very heavy handed with the lawyers to minimise future risk, or the OPs husband has not told her the entire truth.

I’d say it’s less about GDPR than theft of commercially sensitive info, the keeping of which would very likely be prohibited in the terms of the contract under competition rules.

Yes. There are times when MN is helpful, but this particular thread on the whole does not strike me as one of them.

I expect the company's response has been heavy-handed because they are obliged to demonstrate how seriously they take this and report what action has been taken, urgently.

I doubt it's the first or the last time someone has made this kind of error. They are in damage limitation mode.

The delight some PPs have taken in trying to crank up the panic is really grim. Many of those demanding more detail would, I suspect, have absolutely no grasp of the situation even if OP were to return with a full account of data policy, her DH's contract, and details of the leaked information. There are many posts here just firing scattershot apparently just for the fun of it.

The worst is the ones trying to charge him with imaginary crimes and breaches with no information. Bonkers.