Manager told team about my health issue

[LaLobita]

Not sure what to think about this.

I have PMDD and last week it triggered a mental health crisis. I had to take a few days off and seek medical attention. Normally I work through it but it was not something possible this month. It was my first time in a year in the role where I have had to take time off due to it.

So anyway I’ve returned to work and it emerges that my boss has told my whole team (9 people) that I had a nervous breakdown. I can’t help feeling that this is invading my privacy? Not sure if I’m overreacting here but I already feel quite vulnerable due to last week and now I feel embarrassed that all my team know from a third party about my mental health issues.

Why are you going all round the houses trying to justify what he did?

That is shocking behaviour - but convenient that it is recorded. Ask HR to review the recording, ask for copies of the recordings and ask what they plan to do about what feels like targeted harassment and breach of confidentiality which just happens to coincide with lining his pockets.

Make sure you have saved the relevant bit of the recording. Send it as a clip to HR. Tell them you want to discuss this because you’re unhappy your manager discussed your private medical issue with your team, especially in a disrespectful way.

I can't believe there are people tying themselves in knots on this thread trying to make out this behaviour is ok

This is good advice. You’re not showing your hand that you have taken a recording of the meeting. You can save that for if it gets ‘lost’. You can also complain about stealing sales at the same time.

See, I thought there was such a thing as a GDPR relationship. I thought GDPR had all sorts of exemptions, and all sorts of inclusions. That GDPR only applies in certain situations where someone is a data subject, data user, etc. So in OP's situation, her boss is the "data processer" , is that right ? Who is the data controller? Very confusing legislation.

In my Amy-Beth situation, I think I have violated GDPR according to the logic of this thread. I admit I don't care so much about OP's situation (she has plenty of support anyway). I can't help but wonder about the edges of these types of legislation, what they seem to say.

Like someone (eg civil service) sends a message with their enormous long disclaimer at bottom "This message is not to be shared with anyone else". To deal with civil service person query, I need to share their request with others, so I ignore (probably delete) the stupid disclaimer & of course forward the message around to who I judge to be correct person. Pretty sure I just violated the 'terms' of their 10 line privacy statement but screw that, it's totally unworkable policy anyway. I've done this for 10 years & no one has moaned at me yet for it...

Sickness/absence/health issues, and medical notes are covered under GPDR and should always remain confidential, so your manager really needs to stop letting this sort of information become public knowledge. I would ask to see their up to date GPDR policy and highlight to them, how they're currently breaching protocol with their behaviour

*GDPR!

No, that is wrong. OP's boss is not the data processor.

In OP's situation, her employer is the data controller. Her boss works for the data controller. Her boss is not classed as either a data controller or a data processor. If there is a data breach (as there has been), her employer is responsible as data controller regardless of whether the breach was committed by her boss or someone else working for them.

A data processor is another organisation that processes the data on behalf of the data controller. So, for example, if you bank with Nationwide, your bank statements are printed by a third party. Nationwide is the data controller, the third party that prints your bank statements is a data processor. People that work for the third party are not classed as data controllers or data processors.

If there is data relating to you and you are identifiable, directly or indirectly, from that data, that is classed as personal data and you are the data subject.

GDPR does not have the concept of a data user.

If there is data relating to an identified or identifiable living individual, GDPR applies. The only complete exemption from GDPR is for personal data processed by an individual for the purposes of their personal, family or household affairs (including recreational purposes). In all other circumstances, GDPR applies and the organisation or individual controlling the data must comply with its provisions. However, depending on who they are and what they are doing, they may be exempt from some of the provisions. So, for example, if you are a suspect in a criminal investigation, the police will store personal data relating to you, but they do not have to inform you that they are processing your data.

I've answered your Jo and Sally situation up thread. Basically, you are forwarding the email either because it is needed to fulfil a contract your employer has with Jo's employer or because your business has a legitimate interest in you forwarding the email so that Jo's query is answered. That covers the fact Jo's email address is in the email. You need an additional justification for including her medical information but, in this case, you have that because she has chosen to publish this information herself. So you are not breaching GDPR by forwarding the email.

In your Amy & Beth situation, Beth has breached GDPR by telling you this information unless she has Amy's consent or one of the other justifications applies (which, in general, they won't). You have breached GDPR by sending a text. In both cases, this means your employer has breached GDPR. If Amy chooses to take action under GDPR for compensation, she must sue her employer. She cannot sue you or Beth.

Your Amy & Beth situation is the same as OP's situation - her manager has breached GDPR by telling her team about her mental health issues.

I have a meeting with HR tomorrow anyway so I will be mentioning it

That is staggeringly unprofessional behaviour. Don't mention it, lodge a grievance. Then forget about it and let your employer sort the issue- focus on getting well.

Make sure you email yourself evidence of what he's done.

That's kind what I thought, thanks prh47bridge.

What I mean is if someone chooses to publish something about themselves, that does not automatically place a responsibility on the recipient to treat it confidentially. It is a two-way relationship, I can't just decide you have responsibilities to me to keep something confidential that I decided to publish for my own reasons.

You've explained yourself why it would not be a breach - because Jo herself decided to put it in the signature.

Wow. I hope the manager is disciplined and re-trained. I'd be resigning and going for constructive dismissal if I were you.

I’ve resigned and been put on gardening leave, and had a full apology. I’ve also got a drs appointment on Monday to push for some more help with this.

Good for you. Best of luck.