I have received someone's disciplinary letter by email by mistake............

[Nailgirl]

So I've just opened my personal email account.
It is clearly Nail Girl @ gmail or whatever.

The email says "Dear Nail, as discussed details of the disciplinary for next week etc -see attachments" from Joan (insert another name).

Panicking -I hope the attachments as of course my first name is Nail.

Except this is a whole different person, name, address, medical details, and documents, OMG.

The email is signed off to her "best wishes for your wellbeing".

Not my company etc. -OMG.

I've emailed them back and said "Nail Girl is not Nail BonJovi -as should have been obvious from the email address. I suggest you contact Nail Bon Jovi pretty sharply and tell them that her confidential disciplinary stuff was sent to the wrong email. Obviously I opened the attachement due to the informal tone of the email that addressed me by my first name.

I will be printing off these documents tonight and posting them first thing in the morning to her address.

I asssume that this would be the right thing to do.

@Nailgirl Of course you’re should let the intended recipient know! No way would I trust the company to inform them. As you know their name and who they work for, could you try and find an email/phone number to let them know quickly without sending their confidential stuff through the post?
I really don’t understand all the posters telling you to drop it and go no further!

I wouldn't print or post anything, but if you have the other person's details I would contact them and let them know. I would want to know if it was me.

Definitely let the poor person know. I wouldn’t be printing anything off though unless she specifically requested it.
Tell the dim wits asap and report to ICO as its such a clanger they need to audit their procedures.

I wouldn’t be doing the company any favours by deleting it. If that was my information I’d be livid. They have a duty to look after that person’s information end of.

Sounds like malware to me. You should look at the source code before even opening emails like this and never open attachments. That's been standard practice for 20 years ffs.

Do not print and send, it is not your information so you do have the right to do so. In fact you yourself could be in breach of GDPR if you did as you are handling sensitive and personal information that you have no right to access.

Maybe you could send a letter to them explaining what happened and tell them to email you if they want to be sent the documents you received and leave your email address for them to contact you

I mean send a letter to the person who's documents you received

Screen shot them and post them in here so we can all check if it was meant for us??😂no really don’t do that!
Have you checked if it is an actual company and if the intended recipient is actually real and their address is an actual place? It does sound like a scam/ malware to me.

Of course you should let the person know that you have received this special category data.

It’s not appropriate to have people conduct disciplinary proceedings who should themselves have a disciplinary.

As for people speculating that the person may get more distressed and not want to know. The company has a duty to inform the employee of the breach and it would only be fair for Nail to make sure that happens.

Don’t print and send them. You’ll then be mishandling the data too. If you don’t trust the company to tell her, and there’s no reason you should, report it to the ICO yourself and they’ll contact both parties.

Even without the legal side above, it could well humiliate the woman to get her disciplinary notes from a stranger who has clearly read them. She will see them from the company anyway, and the information breach would likely not impact on disciplinary proceedings, they’d run concurrently as separate issues.

Actually, I would google the company. If they are large enough, they should have a department that deals with information security. Otherwise it's head office. I would forward them the email, explain you received by mistake and point out it's a huge breech of confidentiality etc etc. Lay it on really thick.

@Barryisland

Screen shot them and post them in here so we can all check if it was meant for us??😂no really don’t do that! Have you checked if it is an actual company and if the intended recipient is actually real and their address is an actual place? It does sound like a scam/ malware to me.

Ooh, didn't think of this. Run a virus scan to be safe as you opened the attachments.

@ButamIbothered

If I had received an email like this I would have just deleted it without responding or any other action, due the fact that it could be spam.

But then the person having the disciplinary would be presumed to have received the info, and could be in further trouble for not responding.

At least the OP has let the company know they have messed up and can find the correct email address

maybe a breach of gdp

Maybe???

It is certainly a breach.

If my personal details including medical details were sent to the wrong email, I would certainly want to know.

Personal information should be encrypted. If the company is this incompetent I would have reservations that they will report it as a data breach themselves.

I would post them to the postal address.

Human error is one thing. This is a serious data breach.

@Bear65

Do not print and send, it is not your information so you do have the right to do so. In fact you yourself could be in breach of GDPR if you did as you are handling sensitive and personal information that you have no right to access.

I am not an expert and stand to be corrected, but I think GDPR only applies to businesses/organisations handling data. I doubt OP would be in breech of it as she is not running a business or organisation.

I once received a complaint response that wasn't meant for me. I had complained to the same company but my name was in no way similar. The complaint response contained detailed information about the complainant's disability, because it was a disability discrimination complaint.

The person and I were both in a group related to this company, so I contacted the person in question and sent her the information about the GDPR breach so that she could add it to her complaint. I think that someone deserves to know if a company has mishandled their data.

Of course you should let the person know that you have received this special category data.

It’s not appropriate to have people conduct disciplinary proceedings who should themselves have a disciplinary.

As for people speculating that the person may get more distressed and not want to know. The company has a duty to inform the employee of the breach and it would only be fair for Nail to make sure that happens.

This.

@ButterboxSpoon

Let's face it, the person being disciplined would have huge leverage over the company with this info - there is now potential for a massive claim under GDPR.

I guess, OP, it's up to you whether you want to give them the ammunition for that or not 🤷

There is incredibly slim potential for a very small claim/written apology and statement they will review procedures. Literally no reward.

You have to prove loss. What has the intended recipient actually lost?

It's a mistake and the ICO are very busy dealing with huge scale data breaches, not this sort of thing.

Why are you so desperate to be a part of this drama, op? Not your circus, or your monkeys. Perhaps a courtesy email to the person explaining the mix up and advising they seek help with gdpr.

But printing stuff off and speaking to your own HR? Weird.

I think it sounds like a scam too. If you managed to find the person's details publicly on LinkedIn or wherever I assume the scammers have done the same to make it look more credible.

I think on one hand they have the right to know, however as PP have suggested you don't know what she is being disciplined for. Going off the nails thing, she could be under disciplinary for verbally/physically abusing clients and using dangerous, illegal material on their nails. The GDPR thing however I would want to know, if I was the person disciplined; so I can understand why the OP wishes to post it to them. But if it means she will have them.over a barrel and will enable her to continue then maybe best not know. Really until you know the personality of the person involved you can't know how they would use this. I would in this instance email back explaining it's the wrong email then leave it.

It's a mistake and the ICO are very busy dealing with huge scale data breaches,

This is a big data breach.
Why are you minimising it?

Have you any professional experience in this area? I have and this is a serious breach.

I got an email once with loads of paperwork attached about a custody case in Australia. I read enough to see it wasn't for me, replied saying the email address was wrong and deleted it as requested by the solicitors who sent it. It's not really the end of the world if people receiving these things exercise discretion and don't go misusing people's data by eg screenshot ring or printing and posting it.

@BibbityBobbityBellend

Printing it and sending it seems like a very kind thing to do. I would do the same and I would be grateful if it was done for me. You have no evidence that the company will report the breach and follow the rules. Whilst it is not your problem, the third party has a right to know.

I don't understand the mentality of not helping people in a situation like this.

Is it kind? Imagine randomly getting that in the post, doesn't seem kind to me.

I once received a letter from a hospital in my mailbox, totally wrong address. I opened it as it was from a hospital, it was an oncology referral. I thought oh I'd best call the hospital. Rang and explained I had this letter and no idea why. They said they would resend it. I said I can post it? They said no, destroy it.

I did, THEN, my next door neighbour knocked on my door asking for the letter. She must have called the hospital (I must have told them my address) and they must have said where it was sent. I was so confused, how was it for my neighbour when the address was different (my brain is slow), so we had this awkward conversation where she was saying if it happens again give me the mail and I was still trying to catch up and saying the hospital told me to throw it away which sounded defensive.

It was only after I realised she had mail forwarding from her old address! She must have thought it wierd as we had met before and done names, but obviously I'd forgotten her bloody name and it felt too rude for me to say I had forgot her name.

Anyway I learned where personal or sensitive information is involved, just don't get personally involved! You did the right thing to bring it to their attention, now I would leave it.