
Security/GDPR Breach

33 replies

Hoppinggreen · 12/07/2024 12:11

I do some Freelance work online for a large PS organisation. What I do has to be confidential, I am not allowed to let anyone see what I am doing. My family know WHAT it is but not the specific people involved as it could be dangerous for them.
Everyone who does my job has to be Security cleared. There have been some changes handled very badly with contradictory emails sent out which is a bit annoying and takes up a bit of my time to sort but no biggie.
I had an email yesterday concerning a training update with over 100 emails CC'd in, presumably other Freelancers who do my job and I am assuming it was supposed to be BCC as normal.
I imagine they know by now but I have had nothing else from them.
I mentioned it to DH (also security cleared but not involved and I haven't shown him the email) and he says that it's VERY serious and I should report it. I thought it was a GDPR issue but DH says it's a Security Breach which is far more serious.
Should I and to who?
It's obviously just a cock up by someone who will no doubt get a slapped wrist at least so I am inclined to do nothing
Other opinions welcome

OP posts:
RainintheDesert · 12/07/2024 12:17

You should have someone at work in charge of this, and it should be reported to the Information Commissioner's Office by them. They will investigate and decide what action to take.

Hoppinggreen · 12/07/2024 12:17

RainintheDesert · 12/07/2024 12:17

You should have someone at work in charge of this, and it should be reported to the Information Commissioner's Office by them. They will investigate and decide what action to take.

I am a Freelancer

OP posts:
PTSDBarbiegirl · 12/07/2024 12:20

So none of the security procedures are important, in your view? If it was me I’d pass this up I wouldn’t want this to reflect on me or to seem like I was covering up or concealing a breach.

WhatWouldTheDoctorDo · 12/07/2024 12:24

Even though you’re a freelancer, someone in the company who sent the email should have a DPO or someone responsible for data protection, you should report it to them and then they can take appropriate action.

TallulahBetty · 12/07/2024 12:25

Is there any info on their website about an HR company? I'd forward it to them, with the subject 'GDPR breach'

Hoppinggreen · 12/07/2024 12:41

PTSDBarbiegirl · 12/07/2024 12:20

So none of the security procedures are important, in your view? If it was me I’d pass this up I wouldn’t want this to reflect on me or to seem like I was covering up or concealing a breach.

I think it's important but I am not sure what to do. If I was employed I would have a manager or HR dept or similar but it's just me at home.
I have had GDPR training with other organisations so have some understanding of it but I don't know who to report to in this instance

OP posts:
Hoppinggreen · 12/07/2024 12:42

And it's not a company, it's a large PS organisation

OP posts:
WYorkshireRose · 12/07/2024 12:45

Just reply to the sender of the email advising them that you don't think the email should have been cc'd to all and are flagging so they can follow their internal procedure for logging as a breach.

Hoppinggreen · 12/07/2024 12:54

WYorkshireRose · 12/07/2024 12:45

Just reply to the sender of the email advising them that you don't think the email should have been cc'd to all and are flagging so they can follow their internal procedure for logging as a breach.

The sender email is a generic one so not a person as such but I think I should do as you suggest (if it accepts replies)
I have had training on what to do in similar situations but it doesn't really cover this

OP posts:
EmeraldRoulette · 12/07/2024 12:59

Hoppinggreen · 12/07/2024 12:54

The sender email is a generic one so not a person as such but I think I should do as you suggest (if it accepts replies)
I have had training on what to do in similar situations but it doesn't really cover this

I would ask for a named contact in HR and email and speak to them.

No offence to you OP but I’m wondering who did your training. Basics are being lost in our working culture.

Comefromaway · 12/07/2024 13:01

What is a PS organisation? If it is an organisation they must have a Data Protection Officer.

TheCrenchinglyMcQuaffenBrothers · 12/07/2024 13:01

Hoppinggreen · 12/07/2024 12:54

The sender email is a generic one so not a person as such but I think I should do as you suggest (if it accepts replies)
I have had training on what to do in similar situations but it doesn't really cover this

I’ve just had to do extensive online training for this kind of thing, and other internal procedures, for a company I’m doing freelance consultant work for. The contract signed makes it clear that not reporting issues that fall under the training makes me, if not complicit, then certainly in breach of contract. Is yours similar? Even if it doesn’t fall completely into the category you have done training for, then in your position I would contact whichever department/individual it is that is responsible for something you think is similar and they should be able to advise from there. Certainly don’t just leave it though.

Hoppinggreen · 12/07/2024 13:06

EmeraldRoulette · 12/07/2024 12:59

I would ask for a named contact in HR and email and speak to them.

No offence to you OP but I’m wondering who did your training. Basics are being lost in our working culture.

Our training was online and was mostly based around what WE should and shouldn't do and how to handle things if the people we dealt with did anything that breached security or GDPR (they don't work for the organisation)
I didn't get any training on what to do if someone who actually worked there caused a breach with external people.
I have always known what to do within companies where I have been an employee and another large organisation I work for (also Freelance) has a process for something like this that I am well aware of but I have a clear management structure there.

OP posts:
IWFH · 12/07/2024 13:06

I work in a similar type of environment with mandatory SC checks for most staff and contractors.
If you think there has been a breach then you need to find out who to report it to. You will be responsible for reporting. I'd assume your organisation has a cyber security department? Ask them.

Hoppinggreen · 12/07/2024 13:09

I am very very certain that there will be a Cyber Security dept but other than Google I have no idea how to contact them
I have now emailed the mailbox the email came from to report it so hopefully that's enough.
Thanks to everyone who replied

OP posts:
skilpadde · 12/07/2024 13:15

This is something to be reported to the Data Protection Officer, not HR.

HR might well be involved down the line if the person who sent the email is investigated/disciplined for a breach of policy, but HR isn't responsible for dealing with the data breach itself.

FinalCeleryScheme · 12/07/2024 13:21

Unless we know what the risk of the breach might be, what the facts of your job are, nobody can give a sensible answer.

I appreciate that you can’t tell us those facts, but without them this is pointless.

Identities and email addresses disclosed to people without good reason is generally a DP breach. But it can range from the absolutely trivial to the very, very serious. All depends.

Hoppinggreen · 12/07/2024 13:28

I appreciate that.
It's the emails of all the other Freelancers who also do my job that have been shared.
It's the identity of individuals who would like to join the PS organisation that we have to keep confidential AND we are not supposed to tell people that we have access to the identity of these individuals if that makes sense?
The email addresses in themselves are not a risk but IF it was widely known exactly what we did we could be targeted for the information we have.
No other Freelancer has my email or knows my full name - if in a group session it's camera off and first names only.
The risk is if another person on the email list shares it with other people as some people have their full name in an email so can now be identified

OP posts:
QueenofTheBorg · 12/07/2024 13:33

Reply to the sender only and leave it up to them. It's not your problem, it's theirs.

FinalCeleryScheme · 12/07/2024 13:33

Hoppinggreen · 12/07/2024 13:28

I appreciate that.
It's the emails of all the other Freelancers who also do my job that have been shared.
It's the identity of individuals who would like to join the PS organisation that we have to keep confidential AND we are not supposed to tell people that we have access to the identity of these individuals if that makes sense?
The email addresses in themselves are not a risk but IF it was widely known exactly what we did we could be targeted for the information we have.
No other Freelancer has my email or knows my full name - if in a group session it's camera off and first names only.
The risk is if another person on the email list shares it with other people as some people have their full name in an email so can now be identified

Thank you - and I do appreciate that you have to be careful and reserved.

I am conjuring up images of you being a freelance hitwoman working for MI6. All plastic explosives in your shoes and a dagger on your hip.

Back in the real world, I’m sorry I can’t give an opinion. I just don’t know!

QueenofTheBorg · 12/07/2024 13:34

And it sounds like it's something like intelligence operatives who have cover names, still not your problem, it's the sender's problem, you don't need to report it, just take note and make sure you never do it!

QueenofTheBorg · 12/07/2024 13:35

Or you're a vetting officer and these are employees awaiting vetting. In which case it probably is a breach but again, not up to you to do anything other than notify the sender.

Hoppinggreen · 12/07/2024 13:36

FinalCeleryScheme · 12/07/2024 13:33

Thank you - and I do appreciate that you have to be careful and reserved.

I am conjuring up images of you being a freelance hitwoman working for MI6. All plastic explosives in your shoes and a dagger on your hip.

Back in the real world, I’m sorry I can’t give an opinion. I just don’t know!

OMG how did you guess?
I am afraid I will now have to kill you

Sadly it's not as exciting as that but the principle is similar

OP posts:
TallulahBetty · 12/07/2024 13:40

skilpadde · 12/07/2024 13:15

This is something to be reported to the Data Protection Officer, not HR.

HR might well be involved down the line if the person who sent the email is investigated/disciplined for a breach of policy, but HR isn't responsible for dealing with the data breach itself.

I meant that HR will know who to forward on to. The HR dept are often more accessible to 'outsiders' than Security/DPO.

SusanCa · 12/07/2024 13:44

Not really sure why you turned to Mumsnet on this??!! Surely you just let the sender and the data protection person know at the organisation in question?
