Grassing up a colleague

[Janey90]

I’ve got to deal with this on Monday morning. One member of my team (let’s call her Nicola) made a big mistake last week, which resulted in some confidential information getting sent somewhere it shouldn’t. I don’t want to go into any more detail than that, but the information was not medical or financial. But it has caused my department some embarrassment.

However we would all be none the wiser about this (for the time being) if another team member (let’s call her Ruth) hadn’t reported this to a very senior member of staff. Ruth could have helped Nicola with some damage limitation measures, but chose not to.

As much as I’m frustrated that Nicola made this error, I don’t like a snitch and feel Ruth has been very petty.

You need to understand why Ruth didn't report it to you first. Perhaps she anticipated this exact type of response.

Your management skills appear weak based on your posts.

If it’s a GDPR breach senior management will have been alerted by the GDPR team anyway, she’s not been petty at all, why do you think it shouted been covered up in some way?

Nicola made a mistake.

Ruth did it on purpose.

I know which one I’d keep on my team.

VERY similar thing happened at my work this week. I wonder if we work at the same place! Nicola is under threat of losing her job and Ruth wanted exactly that to happen as they are both up for the same promotion. Ruth is an evil little witch and all my sympathies are with Nicola.

Given your position, OP, I would expect you to be setting a better example to your team. Not liking a snitch, you're not 6 anymore, you were probably bypassed by Ruth as she knew your stance and wouldn't be able to trust you'd be professional. It's good that Ruth reported this, very professional and ethical of her. It takes guts, especially when she's faced with people who would rather cover it up. Good on her, the world needs more Ruths.

Nicola should have self reported and your company needs a GDPR(UK) policy that has a clear reporting mechanism. If your company doesn't have a policy or reporting mechanism then Ruth did exactly the right thing.

I'm called one of the names in the post and have had to talk myself down from the panic I somehow did the things in question and then forgot about it/didn't realise!!!!!

As an Exec Board Director I’m very glad that people like Ruth exist. Without them, sometimes Execs wouldn’t get the information we need to see. I’d be wary of having someone like you in a management position; what you’re suggesting is absolutely the wrong attitude and approach to these kinds of incidents.

I’m not sure whether you are aware of the significant penalties for Board Directors for GDPR breaches? If not, look these up then think again.

How do you know the ins and outs of it all?

A whole department looking after GDPR sounds a lot more serious a breach than you think. A GDPR depth would escalate to senior management anyway.

It's not the whistle-blower problem they didn't follow a procedure. Maybe they aren't aware of it. Maybe the mist obvious route to blow the whistle was to go to Senior management.

The bigger problem is having reported an issue, you seem to know all about it, but you aren't senior management. Who whispered in your ear?

As Legal Counsel and DPO, I agree with the previous response of the exec board director. Someone in management criticising someone for reporting these incidents doesn’t look good, so for your own sake, don’t say you think Ruth shouldn’t have spoken about it tomorrow. You’d sound bad.

As someone who has handled this a lot in my career, it’s best I know and know quickly. Unless Nicola has disclosed data accidentally multiple times and/or this incident will cost the company money or undermine a commercial deal, it’s really not a big deal.

It does become a big deal if you don’t tell people who need to know and “handle it in your team”.

I hate the attitude of “I don’t like snitches”. Why? Because you prefer a world of cover ups and dishonesty? It’s a disgusting attitude that is the breeding ground for corruption and abuses of power and process.

Speaking up should always be championed, encouraged and supported. I’m not saying everyone should be maliciously telling tales about trivial matters every two minutes, but if something has gone wrong or you take issue with someone’s behaviour, you should escalate it within process and how you see fit.

If you think senior people are acting inappropriately towards Nicola because she made a mistake that Ruth told them about, then that’s on senior people not Ruth.

What’s your rationale to think it was better to hide the truth from senior colleagues?

(This attitude is truly one of my biggest bugbears!)

We have had it drummed into us that GDPR breaches must be reported immediately.

I have fucked up in the past (legal work) and grassed myself up immediately. If someone else caused a breach and didn’t put their hands up. I would have no hesitation in ‘grassing’ on them

Do you not have a company policy for managing data breaches?

If you do, then it should have been followed.

If you don't, I suggest you need one asap.

This. Mind you I’ve had thorough training on GDPR breaches and know how serious they are.

Without knowing Nicola or Ruth, there’s two reasons that Ruth has done what she’s done.

The first is because she doesn’t like Nicola and is copying in senior management purely because of that relationship. It’s not grassing because there was a GDPR breech. That is serious and needs addressing, not just sweeping under the rug. It can be vindictive of Ruth, particularly if she’s name dropped Nicola but she should still report it.

The second reason she went straight to senior management and not the GDPR team is because she doesn’t think there will be any action through the usual route. The way you have said that it’s an embarrassment to the team and Ruth could have helped with damage limitation. Combined with your use of ‘snitch’ and ‘grassing’, I am leaning towards Ruth doesn’t think anyone would deal with this properly.

Have a look at Ruth’s usual behaviour and your own. If Ruth is usually CC’ing in every manager, she’s that type of person. It’s annoying, we’ve all worked with them. Senior managers will know the type of person she is. If Ruth’s behaviour is bothering you because you think it highlights an inaction on your part or your team’s part, is she right? Is your phrasing of this situation just minimising what is a serious data breech? If the latter, the reason her actions are getting to you is because you know your inaction is going to be called out. You think she’s going to ‘snitch’ on you.

But for the sake of full disclosure it’s fair to say you don’t agree with what she did. it would also show the bosses that you and Nicola might benefit from a bit of extra training

It’s like being back at school, isn’t it!

I don't think that is the case at all. Sometimes there will be mistakes that you can ignore and some you can't.

Ruth professionally reported a breach.

Nicola, made a mistake, but with an otherwise good record it is simply a lessons learnt/training opportunity for the team. If not, it is not Ruth’s fault your company is not supportive when good employees make mistakes.

You, and your grassing/snitch language, wanting to take sides, and brush it under the carpet by keeping away from senior management, are the biggest problem.

How shit at data management is your company if you have a whole department to deal with GDPR breaches! This, combined with your whole attitude to 'snitches' and trying to hide what has happened suggests a highly dysfunctional attitude to data, responsibility and confidentiality in your work.

If Ruth didn't follow the correct procedure then she needs retraining as does Nicola.

I don’t agree with most posters here - no one should be reporting anything to senior management immediately without any chance for resolution or investigation first - it should come through you.

The team who deal with breaches should have dealt with it and then you, as team lead, would have gone to management with the message of this happened, this is how it was fixed, this is how we have built in controls to prevent reoccurrence.

By going straight to senior management she had disempowered you to deal with this - I would clearly and calmly tell her that she is not to go around you again on any matter and all messaging to senior management goes via you.

The only exception is whistleblowing where you were trying to hide this from the compliance team, which sounds like was not the case.

People who go around their immediate line managers like this are usually trying to build direct relationships with directors etc to advance their own careers. It’s extremely irritating and unprofessional.

It depends who you mean by "we" would be none the wiser and "my" team - i.e. are they your colleagues (on the same level) or are you their manager?

If you mean "the company as a whole" as in nicola wasnt going to mention it to anyone so you think Ruth should have followed her lead and brushed it under the carpet then U - it's a gdpr issue and needs to be escalated to whoever deals with that - usually Nicola's manager and info gov manager or similar.

However if Nicola had already followed the appropriate procedure for reporting and Ruth took it upon herself to get involved unnecessarily and tell the rest of the team and/or a much senior manager who didn't need to know about it - then, yes, grass.

I don’t blame you.

Ruth’s motive was to look like Mrs goody two-shoes at the expense of the company and Nicola.

And 'grassing up' sounds like The Sweeney or The Bill