Accidentally viewed my colleague's HR record at work, what should I do?

[overtheclover]

We operate off a shared drive at work that we all have access to - no areas are it are off limits as we all do each other's jobs.

We also often have temps in the office who have free access to the entire shared drive.

On Friday I went into an open access area of a shared drive which had a generic title on it, nothing to indicate that it was confidential or private.

Opened it and discovered that it was actually an account of a series of discussions between my manager and a close colleague about mental health issues (listed as being PTSD due to sexual assault).

Obviously I;m mortified to have seen this and will raise with my boss next week but I feel so awful that I've seen this.

I guess I may get disciplined for having opened the file, but as there was no indication as to what it was it wasn't like I did it on purpose.

I'm prepared to risk disciplinary action if it gets this removed from the access of everyone else in the office as I know it's the right thing to do.

Should there be a protocol for storing this kind of stuff so that staff know not to access it? I'm feeling gutted about knowing this.

You don't need to admit you read it or know what's in it. Just say you opened the file by accident, could see it was hr related and closed it again, but just wanted to flag it so that steps can be taken to prevent something like this happening again.

Regan that's a good point, thanks, I would really like to protect my colleagues dignity but don't want her knowing I know deeply private stuff about her.

I've never had issues like hers but I am also now a bit worried about where they're storing stuff relating to me. But of course right now my main priority is making sure my colleague's stuff is safe.

It’s possible that that would be classified as a data breach, so you really need to tell your manager. Confidential and identifiable information needs to be securely stored, and the punishment for not doing so is severe.

Yes this is a GDPR issue. Anything with names on, which makes a person identifiable should be stored confidentially, certainly not on a shared drive that any staff can access.

"Confidential and identifiable information needs to be securely stored, and the punishment for not doing so is severe."

This is what I thought, but I'm worried my boss is going to turn it onto me and say it's my fault for opening it.

I've never been told there are areas of the shared drive I shouldn't go in, but maybe I've breached a policy or something?

But then they've given temps access to it too.

Like I say I'm most concerned about my colleague's privacy and if it comes to it I'm prepared to be disciplined or fired but I do feel the company had some responsibility to make sure this couldn't just happen so easily.

It's not your fault. Employers have to idiot-proof everything or they're liable, the buck stops with them. Not saying you're an idiot ofc, but you know what I mean.

The person who didn't store the information securely is the one who should get it in the neck for this, not you.

The system shouldn't have allowed access. Tell your boss - you haven't breached policy, secure data should be so secure that unauthorised staff can't access it.

Years ago it would all have been on paper and locked in a filing cabinet. Much safer.

Regan, thank you and no problem re: idiot!

I feel like I've done something horrible and bad. This record dates back to five years ago and anyone could have seen it in that time.

Not recently but quite a few years back in a different workplace I had similar issues to my colleague which I had to discuss with my line manager in my last place. The idea of those conversations just sitting around accessible to anybody in the offie for years has kicked off major anxiety for me.

I just know how it feels to go through that stuff myself, the shame and the feeling youre the odd one out and that people would shun you if you knew...so the idea that people very easily could know is just horrifying.

I need to ground myself a bit though, this is about my colleague not her and my old workplace was much more official, an American plae with a huge HR funtion and processes.

Definitely report it. Whoever put it there needs to be trained in where to put things and how to safely store data.

If your company has a public facing website, the person responsible for data protection and GDPR may well be on there; usually on the privacy policy. Otherwise talk to your manager

Your company have got bigger problems than you having accidentally opened a file you couldn't have known was confidential. As you say, what on earth are they keeping on that shared drive without even basic information security?

Have a scroll down to 'access controls' on this page. Among the many other requirements of data protection that seem to have passed your company by is the 'principle of least privilege', which means staff should have access to the minimum amount of data necessary for them to do their job effectively. Your company has no idea whether all of these temps have read the file on your colleague, printed it, made copies or anything. I hope they'll be reporting themselves to the ICO when you notify them.

I can appreciate it is very difficult for you, knowing you've seen something that, if the roles were reversed, you would never have wanted your colleague to have seen about you. You have done nothing wrong (other than not notifying your boss at once, possibly) but I guess the company may want to notify your colleague that the file has been seen, and who by. You should never have been put in that situation.

Thank you're all making me feel better.

Tripbot you're right I should have said something straightaway - it was just before I went home and my boss was in a meeting but I think I should have stayed to speak to him.

I went into a complete panic about it feeling like it was my fault and got into a spiral thinking I'd be fired. I do have issues with anxiety but I wish I'd steeled myself and dealt with it there and then instead of fretting all weekend.

over you’ve done nothing wrong but your office certainly has. Files like that should be password protected or in non shared folders.

They need a full overhaul of how they store and protect their data. All employee records must be kept private. I would say this is a serious GDPR breach.

www.gov.uk/personal-data-my-employer-can-keep-about-me

very different responses to the last time this scenario popped up, which was very recently. That thread was deleted IIRC so not possible tp compare.

Hi Chic,

I'm sorry but I don't know the thread you're referring to so can't really respond to your comment.

Report it to your manager. However surely as soon as you knew it was about a colleague and he related, so say the first sentence you should have stopped reading, closed the file and reported it straight away. The only way you know so much about it is you read it, and that is wrong of you

Oh OP.
It isn’t your fault; I really hope they see that.
I stumbled across something a bit like that early on in my current job; I was looking for something with a title that shared some key words and inadvertently opened a disciplinary letter. I feel sick and came clean about having seen it and apologised; it actually led to a helpful tightening of general practice. I really hope it does for you too.

I didn't read the whole thing. That level of detail was in the opening paragraph and I clicked off it strasightway.

As if I'd want to know that level of detail about my colleague when that's exactly the thing I'm upset about?!

I don't think I want to work there anymore.

That place has never really been the right fit for me and I feel like this confirms it.

Chic very different scenarios. It sounds like OP stopped reading and closed the document; which her IT system will be able to prove. The other OP read it for extended time, made a copy and provided a copy to her DH to filter for her...

That's very different, as was the information in the file.

This isn't your fault. I wouldn't mention that you saw this specifically but I would be very concerned that highly confidential files are lying around for everyone to see. This sounds like a grossly incompetent company.

Thanks for opinions.

I don't know what the other thread is about so I'm not finding the comparison helpful with my issue.

As I've said in the OP, and repeated further down, I did not want to know this information, am horrified that I now do know it and want to know what can be done primarily to protect my colleague.

I've said I'd rather be fired over it than keep it to myself - I think that indicates there is absolutely not gratifiation for me in this scenario.

I think I might tell him and then resign. I've been offered other work on a friend's business which I declined as this job feels more stable.

But a job that makes me feel this anxious just isn't worth it.

" The only way you know so much about it is you read it, and that is wrong of you"

The fact that some people have this opinion is why I just wouldn't say anything about it to my boss. Some people obviously would blame you, so just let it go. Unless you are the data controller, GDPR breaches are not your responsibility.

" a job that makes me feel this anxious just isn't worth it."

I think you're in a bit of a panic at the moment. There's no need to be SO anxious about this or to change jobs. You need to take some time away from the situation to realise it's not something to get so worked up about.

GDPR issue, definitively, your company/boss/colleague should have not stored confidential info in a shared drive.

But with all due respect, why on Earth did you think it was ok to continue reading after you realised it was confidential stuff??? I’m sure that you realised that document was not aimed at you as soon as you read the title/first line?

I really don’t think you need to resign over this unless you want to leave for your mental health. I’m sorry that seeing a badly stored confidential file has triggered your bad memories / PTSD.