I have received someone's disciplinary letter by email by mistake............

252 replies

Nailgirl · 05/11/2020 19:12

So I've just opened my personal email account.
It is clearly Nail Girl @ gmail or whatever.

The email says "Dear Nail, as discussed details of the disciplinary for next week etc -see attachments" from Joan (insert another name).

Panicking -I hope the attachments as of course my first name is Nail.

Except this is a whole different person, name, address, medical details, and documents, OMG.

The email is signed off to her "best wishes for your wellbeing".

Not my company etc. -OMG.

I've emailed them back and said "Nail Girl is not Nail BonJovi -as should have been obvious from the email address. I suggest you contact Nail Bon Jovi pretty sharply and tell them that her confidential disciplinary stuff was sent to the wrong email. Obviously I opened the attachment due to the informal tone of the email that addressed me by my first name.

I will be printing off these documents tonight and posting them first thing in the morning to her address.

I assume that this would be the right thing to do.

FedUpWithBriiiiick · 06/11/2020 18:56

[quote movingonup201]@Twinkled of course the people want to know, but that is for the company to decide and inform, not the individual.[/quote]
Again, correct.

FedUpWithBriiiiick · 06/11/2020 19:00

@FedUpWithBriiiiick

Data controllers are not obliged to inform the data subject unless there is a high risk to the rights and freedoms of the individual.
That's Article 34 of the GDPR, by the way.

movingonup201 · 06/11/2020 19:00

@PegasusReturns how am I wrong? Feel free to PM, I'm not trying to win an argument, I dug out my notes for that post and according to those if someone refuses to delete data they've been sent incorrectly in a breach I have it written it is a criminal offence to ignore, if I'm wrong I'd really rather know so I'm not saying it when I shouldn't, but want to know how I'm wrong.

movingonup201 · 06/11/2020 19:06

And sorry yes I did mean exacerbate (I'd love to say that was an auto correct but I genuinely think I've been using the wrong word all these years which is a bit embarrassing...but shows I will put my hands up when I can see I'm wrong!! BlushSmile)

FedUpWithBriiiiick · 06/11/2020 19:08

[quote movingonup201]@PegasusReturns how am I wrong? Feel free to PM, I'm not trying to win an argument, I dug out my notes for that post and according to those if someone refuses to delete data they've been sent incorrectly in a breach I have it written it is a criminal offence to ignore, if I'm wrong I'd really rather know so I'm not saying it when I shouldn't, but want to know how I'm wrong.[/quote]
@movingonup201 you are absolutely correct www.legislation.gov.uk/ukpga/2018/12/section/170/enacted

In fact, there is a case in the courts at the moment about a man who incorrectly received 3rd party personal data and refused to delete it. I'll see if I can get a link.

movingonup201 · 06/11/2020 19:18

@FedUpWithBriiiiick thank you, happy to have it pointed out if I'm misunderstanding something but that's how I believed it to be until shown differently.

whitianga · 06/11/2020 19:38

Seems like you're actively trying to make the situation even worse. Just tell the company they emailed you in error then delete it. Job done.

PegasusReturns · 06/11/2020 19:53

@FedUpWithBriiiiick skip all the way back to s4 and look at the scope.

Mollymoostoo · 06/11/2020 19:53

@PegasusReturns

According to the ISO website Personal data breaches can include: sending personal data to an incorrect recipient

This should be reported.

The risk you mention is not relating to the ISO being informed. It is relating to the company telling the individual their data was sent to someone else.

But if you do the job you say you do, I am sure you know this already.

Mollymoostoo · 06/11/2020 19:55

A hospital suffers a breach that results in accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to their rights and freedoms, so they would need to be informed about the breach.

According to the ISO, the person should be notified if the disciplinary information shared included medical information as suggested by the OP.

FedUpWithBriiiiick · 06/11/2020 19:57

[quote PegasusReturns]@FedUpWithBriiiiick skip all the way back to s4 and look at the scope.[/quote]
Sorry, ‘s4’ of what?

Mollymoostoo · 06/11/2020 19:57

I love the fact people need to quantify their response by stating their job title.

A simple Google search tells us this is against the law and the company should be notified so they can take steps to make sure it doesn't happen again.

JesusInTheCabbageVan · 06/11/2020 19:59

I love the fact people need to quantify their response by stating their job title.

I'm the Son of God and I'm pretty sure what OP describes was a Sin.

anxiiousone · 06/11/2020 20:09

@Themostwonderfultimeoftheyear

All you need to do is reply explaining the error and then delete the email.
This

Feministicon · 06/11/2020 20:14

@JesusInTheCabbageVan

I love the fact people need to quantify their response by stating their job title.

I'm the Son of God and I'm pretty sure what OP describes was a Sin.

😂😂😂😂😂😂

PegasusReturns · 06/11/2020 20:19

@FedUpWithBriiiiick

Sorry, ‘s4’ of what?

S.4 of the Act to which you provided a link to support your position

SHONNYSMUMMY · 06/11/2020 20:24

@Nailgirl call me petty but I would post so someone else can go through disciplinary and a lawsuit with the real Nail. Medical documents Shock that is a serious GDPR breach I'm trying to imagine how similar your email addresses could be.

FedUpWithBriiiiick · 06/11/2020 20:26

[quote PegasusReturns]@FedUpWithBriiiiick

Sorry, ‘s4’ of what?

S.4 of the Act to which you provided a link to support your position[/quote]
www.legislation.gov.uk/ukpga/2018/12/section/4/enacted

You mean this? Just tells us about the scope of the Act in relation to personal data processing (Chapter 2 = GDPR, Chapter 3 = non GDPR). Not sure I follow...

FedUpWithBriiiiick · 06/11/2020 20:29

I mean, it's unlikely that a prosecution would take place, but the point is that it is an offence.

PegasusReturns · 06/11/2020 20:35

@Mollymoostoo

This is clearly a data breach and I have said as much, but it is not a reportable one based on the OP.

You’re confusing the requirement to notify the individual where there is a high risk with the requirement to report to the ICO where there is a risk.

Although the threshold is higher for notifying the individual versus notifying the ICO, both require a risk based approval.

FedUpWithBriiiiick · 06/11/2020 20:37

[quote PegasusReturns]@Mollymoostoo

This is clearly a data breach and I have said as much, but it is not a reportable one based on the OP.

You’re confusing the requirement to notify the individual where there is a high risk with the requirement to report to the ICO where there is a risk.

Although the threshold is higher for notifying the individual versus notifying the ICO, both require a risk based approval.[/quote]
Agree on this!

PegasusReturns · 06/11/2020 20:38

I mean, it's unlikely that a prosecution would take place, but the point is that it is an offence.

Only an offence if the facts bring it within the scope of the Act as set out in s4....

Anyway I’m out. I’ve offered advice in good faith, the rest of you can continue linking to statutes that you don’t understand.

Maldivesdream · 06/11/2020 20:42

Hmmm I’m not sure. People do make mistakes. You can’t go printing things off OP.

You could report it to HR though. I’m not sure I would though it’s a mistake!

EggysMom · 06/11/2020 20:46

Perhaps the OP could return to the thread and let us know what her HR, and what the ICO, recommended as actions?

movingonup201 · 06/11/2020 20:51

@PegasusReturns there's no need to be rude, you're coming across very arrogant, I am open and happy to be told how I am wrong but you haven't done so, you keep saying "you're wrong" without explaining how exactly. We don't even know the full context of this situation so I'm not sure why you can come across with such certainty. We have stated what is an offence, and even that we can't be certain that it is in this case because we aren't exactly sure of the situation, but still you persist with accusations of not understanding the law. I still cannot see what I have said wrong so stand by all my comments made thus far, but welcome constructive pointers to the contrary.
