
I have received someone's disciplinary letter by email by mistake............

252 replies

Nailgirl · 05/11/2020 19:12

So I've just opened my personal email account.
It is clearly Nail Girl @ gmail or whatever.

The email says "Dear Nail, as discussed details of the disciplinary for next week etc -see attachments" from Joan (insert another name).

Panicking, I open the attachments as of course my first name is Nail.

Except this is a whole different person, name, address, medical details, and documents, OMG.

The email is signed off to her "best wishes for your wellbeing".

Not my company etc. -OMG.

I've emailed them back and said "Nail Girl is not Nail BonJovi, as should have been obvious from the email address. I suggest you contact Nail Bon Jovi pretty sharply and tell them that her confidential disciplinary stuff was sent to the wrong email. Obviously I opened the attachment due to the informal tone of the email that addressed me by my first name."

I will be printing off these documents tonight and posting them first thing in the morning to her address.

I assume that this would be the right thing to do.

NetflixWatcher · 06/11/2020 16:02

I'd want to know if my work did that. So send them. In case it's me 😂

movingonup201 · 06/11/2020 16:15

I'm probably too late to this but here's my twopence worth as a Data Protection Officer

  1. You should NOT print off the information and share, what if the name of the other person is incorrect but something else in it is correct and identifying someone else, you could exasperate the breach, you can also be liable as an individual. You just need to report to the sender.
  2. You are legally obligated to delete the email, if you do not you yourself are breaching GDPR, you have no legal basis to continue to hold the data, even to prove the breach, nor send it on to anyone else, including the potential data subject.
  3. It is too soon to report to the ICO. The employer will assess the breach, not all breaches need to be reported to the ICO, the employer will review it and decide whether it needs to be reported to the ICO or not. If they do not report it to the ICO and you are not happy with that, or the way they are handling your complaint, THEN you can report to the ICO.

It is serious and should be dealt with appropriately, but it also happens incredibly frequently and there is a set process for dealing with it which should be followed through. It is an easy mistake to make and I wouldn't expect someone to face disciplinary action for such a mistake (unless there is wider context here such as repeat breaches) but it is important it is reported so the data subject is made aware (as I feel it passes the threshold for the data subject to be informed- not all breaches needed to be communicated to data subjects) and so the company can log it as per legal requirements and hopefully learn from it to improve processes.

Goldencurtain · 06/11/2020 16:25

Jfc, what a self righteous busy body with too much time on her hands

purplebunny2012 · 06/11/2020 17:44

Severe breach of GDPR, extremely worrying for that company and they could get fined thousands if an investigation finds this. Whoops!

PegasusReturns · 06/11/2020 18:14

@movingonup201 you’re wrong. The OP has no liability as her proposed actions fall outside the scope of Article 2.

Mollymoostoo · 06/11/2020 18:14

The company had a legal duty to report this breach of GDPR. They should not have emailed this information, it should have been posted. Me personally, I would report this to the ICO.
This person is being disciplined and they email the details to a random stranger? This is breaking the law.

PegasusReturns · 06/11/2020 18:17

@Mollymoostoo no the company does not have to report the breach. They only have to do this where there is a risk to the rights and freedoms of the data subject. What do you think that risk might be in this instance?

SonEtLumiere · 06/11/2020 18:19

Message withdrawn at poster's request.

movingonup201 · 06/11/2020 18:23

@PegasusReturns when I replied I thought she was an employee of the company but on reading the whole thread perhaps not? If she is, an individual can be found personally liable and have legal expectations on them. Either way my points still stand that she shouldn't be exasperating the breach by sharing and should only be deleting the email and reporting, there is a reason that is in place when within the scope of GDPR.

Twinkled · 06/11/2020 18:27

I would certainly want to know... those saying delete is a nonsense. The organisation has broken this woman's confidentiality and she absolutely needs to know. If you delete there is no proof, relying on them to do the right thing. It is down to the person whose confidentiality has been broken to see what has been sent. No doubt. Any other way is dishonest.

PegasusReturns · 06/11/2020 18:31

@movingonup201 again you’re wrong:

How can an individual be personally liable in these circumstances and what “legal expectations” can they “have” on them?

movingonup201 · 06/11/2020 18:32

@Twinkled it's not nonsense it's the law
(Well it would be if the receiver worked for the company too as stated.) The law expects you to delete; it isn't your problem if the company does or doesn't do what is expected of it. They've made a mistake, there's no reason to assume they wouldn't follow procedure, it's not a big mistake that needs covering up, it's a relatively frequent occurrence that companies generally know how to handle and what their expectations are.

DynamoKev · 06/11/2020 18:32

@movingonup201
you could exasperate the breach,
How?

chubacca · 06/11/2020 18:34

This is a breach of GDPR and you should inform the sender and delete.
But I would see if I can find this person on facebook and PM them to make them aware this has happened. They might give you their email address for you to forward it on so there is proof it was delivered to the wrong person. As you don't work for the company, you are not held by their GDPR rules.

PegasusReturns · 06/11/2020 18:36

you could exasperate the breach
How?

@DynamoKev Grin Grin Grin

Assuming the poster means exacerbate, then yes printing could be an exacerbation but the OP has no legal liability despite what @movingonup201 believes so can be filed by the OP under Not My Problem.

Ineedalifeline · 06/11/2020 18:40

Didn't RTFT, however, links and attachments in emails from unknown senders should not be clicked or opened. If I were you, I would also scan the computer used for malware just in case this was a phishing email.

DynamoKev · 06/11/2020 18:40

I am also slightly concerned that @movingonup201 claims to be a Data Protection Officer but seems unaware of the ICO and the interest they ought to be taking if this kind of data misuse is usual and regular as @movingonup201 seems to think.

It's not OK. At all.

movingonup201 · 06/11/2020 18:44

@PegasusReturns under data protection law people can be personally liable; if you deliberately deviate as an individual the ICO has power to prosecute. You only have to Google and cases where the ICO have prosecuted individuals come up.

Section 170 DPA (so not GDPR) "obtaining, disclosing, procuring a disclosure to another person, retaining personal data without the consent of the DC" is the part for the law the ICO can prosecute an individual for if they refuse to delete data even if they have obtained legally. I'm not certain if this is the case if the person has been sent the data personally rather than through work, so I may still be wrong on that regard but if she does work for the same company then she does have a legal responsibility, personally, to delete, it is a criminal offence not to.

cherish123 · 06/11/2020 18:44

Send it back to them and, by all means, mention the confidentiality breach. Don't print the letter off or send it.

Twinkled · 06/11/2020 18:51

@movingonup201. Ever heard "the law is an ass"? I would want to know if it were me. You do not know if the company is large/small, honest/dishonest; it may be worth their while to cover up. You can't know that for certain.

PegasusReturns · 06/11/2020 18:54

@movingonup201 I don’t need to look up cases I’m a Data Privacy lawyer and I’ve been involved in multiple cases with the IC and other SAs.

You’re misunderstanding the law and circumstances and misrepresenting the position. It’s not helpful on a thread where people are already frothing.

movingonup201 · 06/11/2020 18:55

@DynamoKev haha oh my goodness, you really need to look into the ICO if you think for a millisecond this will make them blink. The ICO as an authority are a laughing stock for most in the DP community and are not fit for purpose, they are completely overwhelmed with the new legislation, they are turning a blind eye to data concerns much larger than what is happening on this thread.

They are well known for taking a completely different stance to the EDPB, have offered no guidance since the overturning of Privacy Shield, have only this last month confirmed (and reduced) the fines of BA and Marriott; these small scale breaches involving one person (I'm not saying it isn't serious but it is small fry compared with the kinds of breaches the ICO are dealing with, when millions of people's data is disclosed) barely get a look in.

The government alone report THOUSANDS of their own breaches a year, honestly, do an FOI, breaches are very common.

So yes I am a DPO and that is why I am saying you don't report to the ICO yet a) they won't respond until you have complained directly to the company first, that is their policy, b) good luck getting them to take any action, their plate is pretty full and they struggle even with the big cases. They don't actually fine anywhere near as often as people presume.

FedUpWithBriiiiick · 06/11/2020 18:55

Data controllers are not obliged to inform the data subject unless there is a high risk to the rights and freedoms of the individual.

FedUpWithBriiiiick · 06/11/2020 18:56

[quote movingonup201]@DynamoKev haha oh my goodness, you really need to look into the ICO if you think for a millisecond this will make them blink. The ICO as an authority are a laughing stock for most in the DP community and are not fit for purpose, they are completely overwhelmed with the new legislation, they are turning a blind eye to data concerns much larger than what is happening on this thread.

They are well known for taking a completely different stance to the EDPB, have offered no guidance since the overturning of Privacy Shield, have only this last month confirmed (and reduced) the fines of BA and Marriott; these small scale breaches involving one person (I'm not saying it isn't serious but it is small fry compared with the kinds of breaches the ICO are dealing with, when millions of people's data is disclosed) barely get a look in.

The government alone report THOUSANDS of their own breaches a year, honestly, do an FOI, breaches are very common.

So yes I am a DPO and that is why I am saying you don't report to the ICO yet a) they won't respond until you have complained directly to the company first, that is their policy, b) good luck getting them to take any action, their plate is pretty full and they struggle even with the big cases. They don't actually fine anywhere near as often as people presume.
[/quote]
💯

movingonup201 · 06/11/2020 18:56

@Twinkled of course the people want to know, but that is for the company to decide and inform, not the individual.
