data protection breach
melymay
Posts: 113 Forumite
Just after some advice on what to do next.
I am a manager in a large company and have just had approximately a month off sick with stress/anxiety brought on by a work-related incident. As part of the process of getting me back to work I was asked if I would speak to a therapist from OH to discuss the incident and the proceeding events.
I returned to work yesterday and in checking admin had to access a shared drive (shared by the management team, admin team and support team) which contains information on members of staff. The protocol is that you have access to the staff that are accountable to you and not your peer group.
On accessing this file I discovered a very detailed report from the therapist regarding my consultation... which up until this point I had not seen. The report contained very personal details about the incident and also commented on my mental state.
Where do I go next with this?
Would it be best to put something in writing or speak directly to my superiors?
Any information anyone could provide to help me deal with this issue would be gratefully appreciated.
MM
Comments
I'm sorry but I don't understand what you are saying? Just because you have access to your own file, does that mean others do? If so, why didn't you speak to your manager straight away about this and get it moved?
I'm not clear that this is an "issue" - it can be resolved with one two minute conversation, can't it?
It is a very big issue if sensitive (medical) data has been stored in a way which makes it accessible to more than the intended / essential reviewer.
OP - This is a data breach - take screen shots of the file properties to demonstrate the lack of access controls. Print off the report for your own records. Move the file to your personal drive.
Write immediately to your manager, copying in HR and second line manager, and ask for an immediate investigation.
It is not an overreaction, sensitive medical data should NOT be stored in a way which makes it accessible to your peers or even to other managers without your consent.
Tiddlywinks wrote: »It is a very big issue if sensitive (medical) data has been stored in a way which makes it accessible to more than the intended / essential reviewer.
OP - This is a data breach - take screen shots of the file properties to demonstrate the lack of access controls. Print off the report for your own records. Move the file to your personal drive.
Write immediately to your manager, copying in HR and second line manager, and ask for an immediate investigation.
It is not an overreaction, sensitive medical data should NOT be stored in a way which makes it accessible to your peers or even to other managers without your consent.
I don't disagree. If that is what has happened. I meant it when I said that I am not clear what the OP was saying.
And if what you are saying is the case you do not move the file. You tell your manager immediately and get them to move it. If you move it there is no evidence that it was ever anywhere else on the drive.
But I am still unclear exactly what is being said. For example, in my workplace I can see every file on the system. That does not mean that I can open every file on the system. I can open my personnel files. So can my manager. But my colleague can only see that there are files - not what is in them.
IT Geek here. Definitely sounds like the OP's personal health docs are sitting in a level of a shared storage area that can be accessed by people other than those authorised to access.
Sangie's advice is sound, leave it exactly where it is. If you move it you may lose any date stamps that support your claim as to when it was saved in the shared area. What do the properties say? You'd have a pretty good inkling who saved it there if the user who last modified it is in the file properties.
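As an added example, not code from anyone in this thread, the following PowerShell script records the things the post above says to look at (the file's timestamps, owner, hash and the access control list showing who can reach it) into a record on the user's own drive, without moving or editing the file. The file path and the evidence folder are assumptions; the script only reads the file.

```powershell
# Added example: preserve a file's metadata and ACL as evidence without
# moving or editing the file. Path and evidence folder are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$Path,                 # e.g. '\\fileserver\mgmt-share\OH report.docx' (assumed)
    [string]$EvidenceDir = "$env:USERPROFILE\Documents\evidence" # assumed location on the user's own drive
)

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$report = Join-Path $EvidenceDir "metadata-$stamp.txt"

# Get-Item and Get-Acl read metadata only; they do not change LastWriteTime.
$item = Get-Item -LiteralPath $Path
$acl  = Get-Acl  -LiteralPath $Path

# NTFS keeps timestamps and an owner, but not "who last saved" - that lives in
# application metadata (for example Office document properties), if anywhere.
$lines = @(
    "Collected:      $(Get-Date -Format o) by $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME"
    "Path:           $($item.FullName)"
    "Size (bytes):   $($item.Length)"
    "Created:        $($item.CreationTime.ToString('o'))"
    "Last written:   $($item.LastWriteTime.ToString('o'))"
    "Last accessed:  $($item.LastAccessTime.ToString('o'))"
    "Owner:          $($acl.Owner)"
    "SHA256:         $((Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash)"
    ""
    "Access control entries (who can reach the file):"
)

# One line per ACE: identity (often a group, which may contain many people),
# allow/deny, the rights granted, and whether it was inherited from the folder.
foreach ($ace in $acl.Access) {
    $lines += ("  {0,-40} {1,-6} {2,-25} inherited={3}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights, $ace.IsInherited)
}

$lines | Set-Content -LiteralPath $report -Encoding UTF8

# Hash the evidence record itself so later changes to the record would be visible.
$recordHash = (Get-FileHash -LiteralPath $report -Algorithm SHA256).Hash
"$recordHash  $(Split-Path $report -Leaf)" | Add-Content -LiteralPath (Join-Path $EvidenceDir 'evidence-hashes.txt')

Write-Host "Evidence record written to $report"
```

Run it as `.\Save-FileEvidence.ps1 -Path '\\server\share\report.docx'` (script name assumed). Opening the file in an application can update the access time and, with some applications, the write time, so collect the record before anyone opens it again. An inherited entry in the ACL list means the file picked up the folder's permissions when it was saved there, which is usually how a document ends up readable by a whole team.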
Thanks all,
Yes the file was stored in a shared drive that could be accessed by the entire management team on site as well as some admin and support staff whom I am responsible for managing.
On finding the file I took a copy of the link and sent it to my site manager - who is on leave - and asked another senior manager to remove the file and email a verification that it was she that relocated the file to its more secure location.
I managed to get in contact with the site manager late last night who assures me this will be investigated, but I am nervous of the detailed content of the information being communicated to others in my organisation. As the report contains details of my mental health issues and actually names individuals that contributed to my being signed off from work, I'm worried about future repercussions this may have in my work life.
My details have been out there for about a month for anyone to access and despite my breach I want to ensure that procedures are in place so that this does not affect anyone else.
Thanks again for your advice,
MM
In that case yes, that should not have happened. But you have reported it and it has been dealt with. Beyond that, what do you wish to do about it? You can report it to the Data Commissioner if you wish, but that won't change what has happened and it probably won't do much other than annoy the employer. You could put in a grievance, but again, it doesn't change what has happened already. So what do you want to happen here?
In relation to the incident that caused your sick leave, is this the subject of any action?
the protocol is that you have access to the staff that are accountable to you and not your peer group.
It looks like that rule is for managers like yourself if you know what I mean.
I may be wrong of course.
Oh yeah no data protection breach here, so don't wave that one about at work, breach of company policy, I can agree especially if all managers can see it too.
xapprenticex wrote: »Oh yeah no data protection breach here, so don't wave that one about at work, breach of company policy, I can agree especially if all managers can see it too.
No - there is definitely a data breach.
Medical data (amongst other topics) falls within the 'sensitive data' category and MUST be treated with the utmost security and protection.
Here is a quote from the ICO's guidance for employers:
'Keep information about workers’ health particularly secure. This might mean allowing only one or two people to have access to it, for example by password-protecting it, or keeping it in a sealed envelope in a worker’s file.'
'Remember that, as an employer, your interest is mainly in knowing whether a worker is or will be fit to work. As far as possible it should be left to doctors and nurses to have access to and interpret detailed medical information for you.'
Click here for guidance
Placing a medical report on a shared drive is NOT correctly handling sensitive data. Full stop. No excuses. It is a data breach.
The ICO has a helpline:
https://ico.org.uk/global/contact-us/
I'm not seeing what you're seeing. The drive is secure as only select people can access it, if I can go there and access it too then it's not secure but as stated by OP, only managers and those who maintain the drive have access. Maybe you're hung up on the 'shared' aspect of it, it's only shared between those who are cleared to have access to it.
So no data protection breach imo.
xapprenticex wrote: »I'm not seeing what you're seeing. The drive is secure as only select people can access it, if I can go there and access it too then it's not secure but as stated by OP, only managers and those who maintain the drive have access. Maybe you're hung up on the 'shared' aspect of it, it's only shared between those who are cleared to have access to it.
So no data protection breach imo.
But the "select people" are more than have a need to see it and therefore it is a data breach. Most (if not all?) of those people would have no need to see what was written and should not have been given access, which access they had been given by virtue of the fact that it was placed in that drive.
In my opinion you are wrong on this one.
This discussion has been closed.