Page 4 | Grassing up a colleague

2021x · 23/03/2026 01:16

I am the person in my organisation who deals with the reports when the come in. The people who are the most difficult to deal with are the ones who think that people who made the mistake should be "given the benefit of the doubt" i.e. they didn't mean to or it was just human error. They focus on the behaviour of other people rather than the actual issue at hand.

If information has been mistakenly handled and the another person outside the team notices it then they did the right thing by escalating to senior managment. 1. Because of what appears to be a significant time lapse and 2. Because there were not systems in place to detect that the email has been sent mistakenly.

Your collegue Nicole has to manage this well. If she she shows anything other than gratitude for the mistake being covered internally (as oppose to externally) it will be noted by senior managment.

Starseeking · 23/03/2026 01:22

MyDarlingWhatIfYouFly · 22/03/2026 22:03

I don’t agree with most posters here - no one should be reporting anything to senior management immediately without any chance for resolution or investigation first - it should come through you.

The team who deal with breaches should have dealt with it and then you, as team lead, would have gone to management with the message of this happened, this is how it was fixed, this is how we have built in controls to prevent reoccurrence.

By going straight to senior management she had disempowered you to deal with this - I would clearly and calmly tell her that she is not to go around you again on any matter and all messaging to senior management goes via you.

The only exception is whistleblowing where you were trying to hide this from the compliance team, which sounds like was not the case.

People who go around their immediate line managers like this are usually trying to build direct relationships with directors etc to advance their own careers. It’s extremely irritating and unprofessional.

OP clearly stated the below in her opening post:

…which resulted in some confidential information getting sent somewhere it shouldn’t…it has caused my department some embarrassment.

However we would all be none the wiser about this (for the time being) if another team member (let’s call her Ruth) hadn’t reported this to a very senior member of staff. Ruth could have helped Nicola with some damage limitation measures, but chose not to.

If that isn’t OP encouraging a cover up 🙄 “for the time being”, then I don’t know what is.

You may not be aware, but there are strict deadlines for reporting GDPR breaches to the ICO. If the OP took her time in applying these “damage limitation measures”, it’s possible these deadlines would be missed, should the breach warrant reporting.

Trying to recall emails or asking recipients to delete what they’ve received doesn’t mitigate or negate the fact that the original distribution occurred (ask me how I know!).

Whether Ruth was being petty or not really doesn’t come into equation, as clearly OP acknowledges that the confidential breach DID occur i.e. the material facts Ruth’s reporting are true, irrespective of her motive for doing so. OP doesn’t dispute this.

Smarvellous · 23/03/2026 01:39

So why do they have a dept specifically to deal with these incidents? We don't know what damage limitation op is referring to, but that doesn't automatically mean a cover up? It could mean giving Nicola the chance to report it herself and agree a strategy of next steps with the appropriate channels as defined in their policy - not go straight to senior management. The only exception to Ruth's actions is if she genuinely didn't understand procedure or the lower reporting channels were unavailable. As pp has pointed out, the senior person may not have been able to take immediate action (without consequence elsewhere) where it was the job of the designated dept to do so. Ruth's motivation is key and needs to be got to the bottom of. Along with how the mistake happened in the first place.

outerspacepotato · 23/03/2026 02:00

Janey90 · 22/03/2026 22:14

Thank you - this is exactly the case. Tomorrow I will have to deal with Nicola’s mistake but the most troubling element of this is Ruth’s vindictive behaviour.

Show quote history

I think you're mad that Ruth reported the breach before you could cover for Nicola. You sound like you've got it in for Ruth.

This was a whistleblower episode of sorts. Ruth wasn't "snitching", she was reporting a breach of confidential data that it sounds like Nicola and you didn't want to come out. She did an end run around you that prevented a coverup and that could have cost some jobs as well as company consequences.

You're putting personal over business.

Smarvellous · 23/03/2026 02:22

There's simply not enough to go on here for that kind of accusation. The truth will out however, as investigations unfold.

LordEmsworth · 23/03/2026 05:37

You're going to punish the person who reported the incident because you don't like the fact that they reported it ("grassing")? Nice.

Maybe Nicola's learnt a valuable lesson about taking responsibility for her errors. If she had reported it in the first place, this wouldn't have been an issue.

FrippEnos · 23/03/2026 05:38

It sounds to me that you are friends with nicola and dislike ruth already.
It is also likely, from your posts, that this happens more often than you would like and that your department could get in to trouble for covering up issues again.

ItsNotMeEither · 23/03/2026 05:39

Janey90 · 22/03/2026 22:14

Thank you - this is exactly the case. Tomorrow I will have to deal with Nicola’s mistake but the most troubling element of this is Ruth’s vindictive behaviour.

Show quote history

So, tomorrow, you deal with Nicola's training, work out why she made the mistake and make sure it never happens again.

You thank Ruth for noticing and reporting the data breach/error in processes, even though it rankles that she made it into a bigger deal than it needed to be (as annoying as it is, you keep that to yourself), however, you also make sure Ruth gets some education on company policies so that if she comes across anything in the future, she knows the correct chain of command for reporting and also that she should indeed step in to mitigate the issue.

You need to be subtle. Ruth did the right thing, but you're just quietly letting her know that you noticed that she went about things the wrong way. Noted for if it ever happens again.

TheCurious0range · 23/03/2026 05:42

Why didn't Nicola follow the information security policy and report the data loss? Failure to do that would be almost worse than the initial loss, especially if it was a mistake, in my organisation.

You could review the information security policy with Ruth so she knows where to report any future data losses she spots, but I really don't think this is on her.

Hawkinsresident · 23/03/2026 05:53

I had an email on Friday saying submit your quote here is the RFP portal. Clearly the person sent the email to all customers than vendors. Next day had an email from their security saying its a breach and not to click the link. So companies cover this type of shit all the time.

it was a mistake no one messes up email distros on purpose. Ruth was right, as leader just mitigate the situation than play games that for 9 year old girls.

Flowersforyourchocolateprettyplease · 23/03/2026 06:05

Sounds like Rith knows OP has form for cover ups and doesn't trust her, hence reporting higher up.

Don't shoot the messenger.

LadyVioletBridgerton · 23/03/2026 06:31

It’s not ‘grassing up’ are you twelve? It’s potentially a serious GDPR breach and needs to be reported, ideally by the person who did it. In my place of work, we have a no blame culture so you just fire off an email saying what you did. It gets reviewed and the security officer decides if any further action needs to be taken.

Quokka99 · 23/03/2026 06:44

If Nicola was aware she'd made this mistake, she should have reported it herself and if she didn't report, I'd be concerned. I'm assuming from the OP that she wasn't aware. In this case, Ruth could have told Nicola she'd discovered the mistake and offered to report it to the appropriate department together.

TheRealLillyAllenVerifiedAccount · 23/03/2026 07:00

Janey90 · 22/03/2026 20:18

I’ve got to deal with this on Monday morning. One member of my team (let’s call her Nicola) made a big mistake last week, which resulted in some confidential information getting sent somewhere it shouldn’t. I don’t want to go into any more detail than that, but the information was not medical or financial. But it has caused my department some embarrassment.

However we would all be none the wiser about this (for the time being) if another team member (let’s call her Ruth) hadn’t reported this to a very senior member of staff. Ruth could have helped Nicola with some damage limitation measures, but chose not to.

As much as I’m frustrated that Nicola made this error, I don’t like a snitch and feel Ruth has been very petty.

What is your organisation policy? In my place the person who picked up the error would be expected to report it and possibly do some immediate damage limitation. But we report to the ICO.

I picked up a colleague's mistake a couple of weeks ago. I contacted her originally out of courtesy so she could deal with it but she was very dismisive of it so I ended up having to report it. I felt like a snitch but I'm not being dragged into someone else's mistake by not handling it properly myself.

Aphroditesangel · 23/03/2026 07:03

Ruth did the right thing. I can’t help wondering why she went higher up than she needed to? Is there a culture of sweeping GDPR breaches under the carpet and she thinks nothing would get done if she reported it lower down?

AgnesMcDoo · 23/03/2026 07:05

Ruth has done the right thing.

Righttherights · 23/03/2026 07:12

This sounds like Nicola posting. I can’t believe a manager would be posting this. If you have to deal with it why did Ruth not report it to you?
Regardless, GDPR breaches can result in big fines and loss of trust and confidence from employees. If Nicola was aware of what she did she should have owned up straight away. Ruth should have encouraged her to do so , and was right to report it, but should have done so quickly and helped mitigate the breach.
Looks like training required asap and some serious team building!

Owly11 · 23/03/2026 07:19

I don't like the sound of Ruth. Watch your back.

Fundays12 · 23/03/2026 07:21

As someone who worked in HR for years your colleague did the right thing making the company aware. GBDR breaches can have huge implications for a company so they need to know. The person committing the error maybe put through a disciplinary procudere but also anyone complicit in covering it maybe also be put through a disciplinary procedure. They potentially face harder disciplinary measures than the person making the error for covering it up.

LiviaDrusillaAugusta · 23/03/2026 07:26

Some work cultures are weird.

We would never be in trouble for reporting something, even if it is the wrong department.

But then I guess, given the comments about ‘grassing’ and ‘snitching’, it’s not a great culture.

If you are going to rip into Ruth, perhaps remind Nicola that the best thing to do when she fucks up is to admit it to the relevant department straightaway. Then people won’t have to go over her head

pinkpony88 · 23/03/2026 07:26

Now I see why my employer makes us do GDPR training…

LiviaDrusillaAugusta · 23/03/2026 07:30

Fundays12 · 23/03/2026 07:21

As someone who worked in HR for years your colleague did the right thing making the company aware. GBDR breaches can have huge implications for a company so they need to know. The person committing the error maybe put through a disciplinary procudere but also anyone complicit in covering it maybe also be put through a disciplinary procedure. They potentially face harder disciplinary measures than the person making the error for covering it up.

Exactly this! We are told that if we learn of a breach we have to report it. We do have people who, along with their other job, deal with compliance issues, whether to report to ICO etc but it’s not an issue if we report to someone more senior.

I would be in trouble if I knew and didn’t report someone’s breach.

It seems odd that the person reporting it is being slated for her attitude and people are suggesting retraining when Nicola was the one who made the error

Bearbookagainandagain · 23/03/2026 07:31

Reporting breaches of processes isn't being a "snitch", particularly when it involves data privacy.

The person who caused it should have been the one reporting it themselves, and they should face disciplinary measures for not doing so.

LiviaDrusillaAugusta · 23/03/2026 07:32

And I am not risking my own job for someone - but then I don’t work in a place where doing the right thing is worse than a data breach

MiniCoopers · 23/03/2026 07:39

Are you more cross because she went over your head and didn’t allow you to deal with it? It sounds like she may have been worried you wouldn’t do that properly