Grassing up a colleague

[Janey90]

I’ve got to deal with this on Monday morning. One member of my team (let’s call her Nicola) made a big mistake last week, which resulted in some confidential information getting sent somewhere it shouldn’t. I don’t want to go into any more detail than that, but the information was not medical or financial. But it has caused my department some embarrassment.

However we would all be none the wiser about this (for the time being) if another team member (let’s call her Ruth) hadn’t reported this to a very senior member of staff. Ruth could have helped Nicola with some damage limitation measures, but chose not to.

As much as I’m frustrated that Nicola made this error, I don’t like a snitch and feel Ruth has been very petty.

I am always team whistleblower.

Or based on prior experience she already knows it will be swept under the carpet unless she reports it higher up. Ruth is brave.

And I think if I got into trouble for my ‘attitude’ I would double down in this case

Nobody "grassed", you are not 12 and at school presumably
I think you need to grow up quite a bit and learn some professionlism

As a manager I would separate out the two issues, deal with the critical loss of confidential info first and then when looking at what to improve next time ask Ruth why she didn’t follow the set procedure.

There may be a reason (for example I had to report an IT issue recently and I emailed my boss as well as the IT team as it was a weekend and I knew IT wouldn’t pick it up til Monday, so I needed to cover myself). But it might be that she isn’t trained adequately and so didn’t know the escalation. If she’s got no good reason then it’s an issue to be discussed.

I wouldn’t want to create the impression in my team that reporting mistakes leads to any backlash. For all you know this could have been one of many mistakes and Ruth finally had enough and reported it.

Presumably because she didn't notice her error, and Ruth did.
Ruth should have gone to her when she found the error, and then one of them should have reported to the GDPR team. Not straight to the bosses.

Her line manager should have been first port of call , who then takes any action needed and then reports up the line if neccessary .

Not sure if OP is Ruth’s boss but if so, I think she should request management training urgently

Depends on the procedure, if Ruth is expected to go out of her way to mitigate colleague’s mistake, it has probably happened before so Ruth wants to make a point of telling someone who might actually listen

That hasn't always been my experience and would need investigating

“Grassing” and “snitching” are not terms a manager should be using. You need to step up a bit - and put any personal dislike of Ruth aside. Favouritism rarely ends well.

That said, Ruth went against procedure, so you would be perfectly entitled to ask her why and to outline the procedure and the reasons for it again for clarity. Don’t frame it in terms of “telling tales” - just be factual.

However, if this is going to get out I would be very neutral when I let people know that she reported the leak and this is now the action that has to be taken by the department now.
Be careful not to show any disapproval.
Just let colleagues know that this is who she is factually.

Or OP could be a professional and not let people know who reported the leak at all?

So just to answer a few questions.

I was on holiday all last week, and was catching up on my emails over the weekend, which is why I didn’t know about this sooner, and also Ruth could not have reported the breach to me, because I wasn’t around.

It turns out that Nicola reported the breach herself, but didn’t get the process quite right. Ruth could very easily have helped her with this, she has experience with GDPR, but chose to escalate the matter instead. We all have GDPR training, but the last session was over a year ago and Nicola had obviously forgotten the details.

I don’t participate in cover-ups, thankfully this sort of thing doesn’t happen very often. But if something does go wrong, the onus is on sorting it out properly and discretely, and re-educating those that need it.

I would never use the terms ‘snitch’ and ‘grass’ in a work setting, but on an anonymous forum like MN I feel comfortable sharing my gut feelings about something, even though I would not articulate those thoughts.

So our department is gong to have a further session on GDPR, and I’ve spoken to both Nicola and Ruth separately. Nicola was mortified and Ruth “was just trying to help” by letting our most senior staff know, instead of helping Nicola report it in the correct way to the correct department. Interestingly I was given the heads-up about all this, by someone who isn’t really involved, and it became clear that many people know about Ruth’s “help”. My initial thoughts about Ruth haven’t changed.

And by the way, just to reiterate that both Nicola and Ruth are made up names, so I’m sorry if any real life people were alarmed!!!

Nicola sounds crap at her job if she simply 'forgot' a key aspect of managing and protecting confidential data.

What do you mean deal with it discreetly? Did you inform the persons whose data has been mismanaged?

But before grassing her up she could have advised her to own up to it herself.

A GDPR breach would be escalted to senior management anyway - or the findings would be if there was an actual breach. Also, assurances would need to be put in place to ensure there wasn't a repeat offense.

Data breaches can and do happen. Ithe key thing is ensuring the organisation is open and honest about this, willing to learn from mistakes ideally accepting that individuals do make errors and support them to fess up when needed.

Ruth sounds like she perhaps was doing some good old fashioned shit stirring with senior management but TBF she might have been alarmed that Nicola had cocked up really badly and with you not being there, she felt someone needed to know in case it came back to bite you all on the bum. If Nicola is so good at the job usually, how come she didn’t know the basic process of who to report the mistake to? Maybe Ruth is fed up of her always cocking stuff up.

Please read my update - Nicola reported the breach to the correct department, albeit not via the correct process. So she was not trying to cover it up.

Nicola rarely cocks anything up (although I realise last week was an exception) so Ruth would not be fed up of her continually making mistakes.

I work in this area and handle data breaches all the time. Not reporting the breach (doesn’t matter if it’s not financial or medical) is worse than the breach itself. Data breaches are almost always accidental or a process gap and it’s usually a good learning tool. Ruth did the right thing.

So Ruth didn’t use the correct procedure and neither did Nicola? Yet Ruth is in the firing line?

I am a bit surprised that anyone senior enough to be involved enough in this would use words like ‘grassing’ and if you weren’t there, why would you jump straight into blaming Ruth?

As usual, people are completely making things up here with no factual basis whatsoever. They've decided that Nicola is always making mistakes and that Ruth is a brave whistle blower who saved the company from certain ruin, and of course OP is an incompetent manager who speaks and acts exactly the same in work as on an anonymous chat forum!

Whereas what OP has actually said is that Nicola reported the matter herself but just did so in a slightly incorrect manner ( perhaps something like sending an email to the info gov manager rather than completing an incident form) and, to me, is completely understandable - she probably panicked after realising she had made a mistake, and, as an otherwise conscientious member of staff who ISNT always making mistakes (as OP has confirmed) felt guilty and stressed. All Ruth had to do was tell her "hi nicola just FYI you actually need to fill out the incident form (or whatever) and send it to xyz".

Instead she took it upon herself to tell senior staff who undoubtedly had better things to do and wouldnt be in a position to fix anything anyway, and, it sounds like, a load of other colleagues who didn't need to know at all. Ironically fir all the people criticising nicola it seems that ruth was also not following the right process!

In my workplace at least, this would have just caused a load of confusion and extra work with the info governance manager having to also reassure the senior staff it was in hand and manage both upwards as well as downwards, rather than just concentrating on sorting the issue.

Ruth sounds very unpleasant and i find it very odd that so many people are intent on sticking up for her!

But Nicola didn’t use the correct process?