Accidentally viewed my colleague's HR record at work, what should I do?

[overtheclover]

We operate off a shared drive at work that we all have access to - no areas are it are off limits as we all do each other's jobs.

We also often have temps in the office who have free access to the entire shared drive.

On Friday I went into an open access area of a shared drive which had a generic title on it, nothing to indicate that it was confidential or private.

Opened it and discovered that it was actually an account of a series of discussions between my manager and a close colleague about mental health issues (listed as being PTSD due to sexual assault).

Obviously I;m mortified to have seen this and will raise with my boss next week but I feel so awful that I've seen this.

I guess I may get disciplined for having opened the file, but as there was no indication as to what it was it wasn't like I did it on purpose.

I'm prepared to risk disciplinary action if it gets this removed from the access of everyone else in the office as I know it's the right thing to do.

Should there be a protocol for storing this kind of stuff so that staff know not to access it? I'm feeling gutted about knowing this.

Each user should only have access to the drives relevant to their role. Everything else should be restricted. Even before gdpr and in small businesses everywhere I've worked has had the sense to set their systems up that way.

Also not difficult to password protect confidential documents

It's the business that failed to protect the information.

That said, if your colleague were to read this thread, would she be able to recognise herself from what you've posted? If so, I'd ask for it to be deleted now you know what you're going to do.

GDPR breaches are everybody's responsibility.

You need to report this data being accessible to non-entitled staff. Someone in HR needs training. The next file made accessible might be yours.

I’m sure that you realised that document was not aimed at you as soon as you read the title/first line?

There was no title and this information was in the first line.

"I’m sure that you realised that document was not aimed at you as soon as you read the title/first line?"

Loads of things at work are not 'aimed at you' but still useful to you. Any email your cced into is not 'aimed at you'.
I read anything useful I come across because any information makes me better at my job. And yes, in many of the places I've worked I've had access to people's wages and HR files.

Just don't say anything about it OP and move on with your life.

Bearing in mind you've described the IT setup, where your boss was at a particular time on a particular day, the timeline for the creation of the document, and the discussion it detailed.

If I were her I think that would be enough to recognise my workplace and that it was my HR record and my trauma being discussed.

oneforthepain Sat 08-Jun-19 22:06:47
Bearing in mind you've described the IT setup, where your boss was at a particular time on a particular day, the timeline for the creation of the document, and the discussion it detailed.

I changed most of the details, including whose record I saw.

I have just done staff p11d’s and had to lock my computer down and put all paper information in a locked cupboard if I needed a pee!

I wouldn't make any immediate decisions about whether you should leave the company, OP. I think I'd probably base my decision on how the company reacts when you notify them of the breach. If they take it seriously and put immediate changes in place to stop this happening again, that's one thing. If they kind of shrug and go 'well, we have to store the info somewhere, don't we?' that's quite another.

I would agree with oneforthepain that this thread may be too identifying and could cause further distress to your colleague.

Just forget about it, and move on. Opening your mouth could backfire.

I agree with crop

Is saving unpassword protected personal files on a shared (by whole company) file space a gdpr breach? What parts of GDPR does it break as it's internal?

Randomly, I suppose it's personal/sensitive information so doesn't matter if it's internal.
But like I said above, I would just keep quiet about it.

I'm the OP of the other thread, which I had taken down in case it was identifying, but I am happy to help and advise the OP of this thread via private message if she wants

I have been in communications with the ICO and a lawyer.

I'm not going to post anymore about my situation but will be watching this thread.

surely you should report it because if you were able to access confidential information so could others

Mortified?

Oh OP.
You’re reacting partly out of being a good person and partly out of your own trauma. I hear you (this is a triggering subject for me too), but try not to let the trauma run your brain- don’t make any big decisions yet about your future.

Thanks the adventures I don’t really want to know about the other thread and all the references to it are just muddying the waters for me but I appreciate your offer.

I’m not going to ignore it because that would be completely unethical and I’d rather be fired than carry on working there knowing that anybody else could see it.

And yes, it is a trauma reaction because the place doesn’t feel safe to me now.

I'd be surprised if you were sacked for it. Unless it was obvious you were snooping based on the folder and file titles (e.g folder was titled 'HR Confidential' and you have no reason to be accessing HR files regardless of the lack of security.)

I once came across a list of everyone's salary in the company. I had been emailed a file with my department's salary review from the finance director. When I did an email search for a different colleague's name this file came up in the search results, which I couldn't understand because they weren't in my department. I checked the file and there were hidden sheets which I unhid... and one had the entire companies salaries on. From CEO down to minimum wage entry level staff. I think I had found it at the end of the day too so I just went home in shock and debated what to do.

I did report to my finance director the next day. With concerns that MY salary had also been sent to other managers.
She was more shocked than anything. I wasn't in trouble and was thanked for reporting it. I don't know who compiled the files or what the outcome was but I was told only 3 or 4 department managers had been sent it and they had all been asked to delete it.

It did make my own salary review a few weeks later more awkward though!

You should have alerted HR or your line manager immediately.

If I were you I'd report it. It might not be the same at your place of work but on some systems it logs the last person to look at a file.

I'd report and say you opened the document looking for something else and it should have been fine to open as there was no classification on it i.e. Confidential, immediately that you realised it was confidential you closed the document and are reporting it now as that data is unsafely stored and needs actioning so it is moved to a secure location.

I've seen things I shouldn't have seen in similar circumstances. I alerted the correct person and carried on. No one took any action form me as someone else was in the wrong for allowing the information to be accessed by someone who shouldn't have seen it.

You did nothing wrong.