My sickness files shared with team member

[glassof]

As title, i have recently had some time off due to an injury. my manager sent all HR emails between myself, manager, HR (including sick notes, emails about why I was off, return to work meetings, everything to do with me being off work) to another member of the team. This was done by accident as she was emailing the team member about their sickness.

She recalled the email but the team member had already opened it. Team member has contacted me to say that it happened.

I've seen manager twice since it happened, nothing has been mentioned. She doesn't know that I know. Although she may have an idea (we are a close knit group)

What should she be doing? Do I need yo be notified? Manager tends to be by the book so think she would have raised an incident.
I'd like to also add, whilst I am annoyed, I know it was an accident and I like my manager, I just want to make sure it's handled properly and doesn't happen again.

You should have been immediately informed that confidentiality has been breached, especially considering the sensitive nature of personal information involved. This is wholly unacceptable and where I work would lead to disciplinary measures regardless of who is to blame.

It's a GDPR breach. Is your manager aware that your colleague opened the email? Perhaps they thought they hadn't, but that doesn't override your right to privacy. Speak to your manager and HR.

Ok, thanks for replying. We'll this isn't great then!
It is unacceptable where I work. Massive company, big HR dept.
Hmm maybe she hasn't reported it then.

I think it's usual to have to report any breach internally within an hour, which then kicks the full GDPR reporting into action.

I'm not sure if she knows it was opened. I will speak to manager on Monday. This thread is already making me more annoyed. She must not have reported the breach

Puts you in an awkward position. In all appreciation of it being accidental and we all make errors sometimes its one that should have been owned by the sender immediately and you as the subject of the personal data informed straight away 🙁

Yes where I work it's irrelevant whether the information has been viewed. Its the breach that counts regardless.

It is really awkward. I am going to speak to her on Monday. This makes it clear that she has not reported it.

Like I say she is a good manager and I like her, the team have been under pressure bla bla bla but it's that she hasn't told anyone.

Yes it is just that- too much time has already passed where proper procedure doesn't appear to have been followed. You're definitely best to address this tomorrow 👍

Did she recall the email by any chance? Is it a case of she tried to recall it at least?

Or does she know full well that someone else has access to your information and has had time to read it?

Really sorry this happened.

Yes she should have spoken to you and reported it but I find it strange you have seen her twice and not mentioned it? Comes across as you not being that bothered. Maybe she doesn’t know it was opened? (I appreciate she still should have done something!)

Why didn’t you say?

Your manager is hoping if she ignores it you will too!! Contact HR and copy her in to the email

why did your colleague carry on reading your private info? As soon as they realised it was about someone else not them they should have stopped!!

If someone has opened the message I didn’t think you could recall it?

This would be a very big deal where I work

Yes, I think that's correct
But the person would have evidence that they tried to recall it

It doesn't make a huge amount of difference. I just thought it might at least show some awareness on the part of person who did it.

Yes, it's a breach and should have been reported but it was also human error and humans make errors. Personally I think your colleague telling you and winding you up is the bigger deal and indicates someone who isn't a team player

What harm has been done @glassof? That's what you need to focus on. The team gossiping because you are r recovering from broken ribs associated with domestic abuse is very different in my opinion from Glassof has broken a metatarsal and has been signed off. For me it's more about the potential conduct of your colleague and the team rather than a genuine mistake made by your manager who I guess trusted the colleague not to tell you. The manager should have been open and honest but now you know your colleague is a little sneak.

Agree with @RosesAndHellebores. Did email receiving colleague not report it either?
Is that not frowned on too?

all gdpr and it security training I’ve had emphasises that mistakes happen but reporting swiftly is crucial. She absolutely should have but perhaps your policies are too punitive to encourage it as well? Doesn’t really matter if it was opened or not

If I’d received someone’s medical information in error I would raise it both with the sender and the person whose data had been breached. That isn’t trouble making - the victim of the breach has a right to know,

Yes its most likely human error and people make errors but we don’t prevent future errors unless we understand what went wrong and consider how to prevent future breachers.

The vast majority of small data breaches are human errors, nothing improves when we sweep breaches under the carpet and blame those who alert on them.

clear breach of UK GDPR legislation.

Read up on your work’s policy on who it should be reported to within the organisation as there will be a name or email address, so you know the deal when you speak to your manager.

Nobody should chin you for asking for procedure to be followed. Although your manager will be in trouble if she didn’t report immediately so she may wish to sweep this under the carpet…

There can be large fines involved. Have a google and see.

It doesn't matter if she thinks the email wasn't opened or not. She potentially breached your personal data, including special category data, by emailing it to the wrong person. She should follow your company's reporting procedures for a potential data breach and immediately report that it has happened internally so there can be an investigation to establish whether or not your colleague has accessed the data and what the likely impact on you will be. Once they've established the facts they should speak to you and make you aware of what has happened. Given that the data has been accessed and the level of sensitivity of that data I'd suggest that this breach may be reportable to the ICO, but your DPO would make a call on that. You need to act quickly on any breach because the deadline for reporting to the ICO is 36 hours after the breach happened or became known, and given this happened before the weekend they've almost certainly missed it. Disciplinary action would be determined by your internal policies and procedures, but could be escalated because she didn't immediately report the breach, which is very poor practice.

Personally I'd just ignore as it was an accident but I seem to be alone in that

Both times I have seen her it was in meetings and then either I had to or she had to leave before the end. I think I've been laid back as there was nothing in there I wouldn't share but the more I think about it, the more annoyed I get. Its not the details but that she hasn't reported it

The team member that received the email told me, I have asked what happened further, did she raise it etc but her reasons for being off work are sensitive and she has been quite unwell. So I feel she may have not said anything and just let me know

The team member wasn't winding me up. We get on well, the whole team do.
No harm to me has been done, the team knew why I was off work, I was open about it. I had mentioned that my mh was suffering due to the injury, I hadn't told the team that but I would have done if it came up.
I think I'm just annoyed that it's not been reported, had I done something similar, my manager would have done it all by the book