How badly have I fucked up?

[AmberDay75]

I sent a work email on Thursday, and sent it to the wrong “Joe Blogs” who works for a different part of our organisation. He replied with a casual wrong Joe message and I apologised. Didn’t think any more about it. Over the weekend I’m wondering if I need to report it to someone? It was about a customer and had some personal information. I’m getting really anxious tonight about how much of a fuck up it is.

When I was working I used to get emails from someone occasionally that were meant for someone else. We had similar short names. I just contacted them to advise and to resend to correct person. This was before GDPR

It's probably fine, if you think it had sensitive information, then I'd just let your manager know (by email so you have a record)

To answer your question, not that bad at all. You can not be lawfully sacked for a first time mistake on an internal email system, your colleague is bound by the same confidentiality requirements so it has no consequence for your client, and it is so common in large organisations that at the very worse it will be recorded and you manager will tell you to be more careful. This happens everyday to someone. Let you manager know and get confirmation it is permanently deleted by the receipiant not just in the deleted folder. That's the end of it.

The thing that worries me is the person who received the email, although internal is in a completely different branch of the company. They wouldn’t have access to the customer otherwise. I think that might make a difference? 😥

And the 72 hours thing, because it’s been more than that already 😭

I realize it’s not exactly the same situation, but I once left highly sensitive departmental salary information out in a public place on a copier inside my department for several hours. I retrieved the document as soon as I realized it was missing, and immediately reported my mistake to my boss. He shrugged, said “mistakes happen” and told me not to worry about it. Nothing came of it. I suspect that “mistakes happen” will be the worst of it for you as well. A one time error is unfortunate but understandable.

Please try not to worry - as I said above, it is a personal data breach because he had access to personal data about a customer that he doesn't normally have or have a need to - so it needs to be recorded by your company as such.

It won't be a breach which is reportable to the ICO, so don't worry about the timescale - but please don't let that worry put you off reporting it - it's one of those areas that can become a bigger thing if you try to ignore it rather than fronting up. Mistakes do happen - because people are human - it's a protective factor that the breach remained internal therefore can be said to have gone to a 'trusted partner' rather than anyone who may have malicious intent.

Also think how you can avoid a similar thing happening again - is his email address now in your frequent contacts list - if so deleting it from there can stop it auto filling the to field - and building in a purposeful check of the to field before sending the email can be good practice.

Above all - don't worry - when a breach is reported the priority is containing it / recovering the data (which you've already done), assessing the impact on the data subject (which sounds like it will be incredibly low) and then considering what went wrong and how to stop it happening again.

Thank you @JustAnotherSod. That’s helpful to know. When it’s recorded does this mean I’ll get a formal warning for the error? I’m also in the process of getting another job in another part of the business and worried this will impact on this. 😭

I'm my company there are 3 of us woth the same name, do [email protected] [email protected] and [email protected]. I'm forever getting the wrong emails, one of them once being in regards to a disciplinary meeting (feared for my life at this one), I also get accused of not replying to emails that I haven't received. Nothings been done about it yet.

AmberDay75 In my place, an error like this would be recorded as an accidental breach and we may ask the employee to re-do data protection training, tweak email address book settings or revisit email handling procedures etc - depending on what has caused the error. Where the same person has done the same thing again we might get IT to remove the auto fill option on email addresses. Recording breaches meets out obligations under data protection law and allows us to identify patterns of errors etc so as to identify areas which need technical / organisational solutions applied.

Disciplinary action due to data protection breaches is reserved for those who intentionally do something like search the systems for a family member etc or who intentionally try to 'cover up' breaches rather than report them as required - of course, I can't comment directly on what your employer will do, but would imagine its very likely to be similar.