Disciplinary for gross misconduct.

FutureGirl

Hi all, needing a little help. 

I was investigated for gross misconduct due to a one time data breach and have been suspended on full pay whilst they complete the investigation. From what my manager has said, the report has been written, and I believe I will be invited to a disciplinary meeting shortly.

My question is, in relation to the outcome, do they take into account things like length of service etc? I've been with the company 10 years and this is my first indiscretion. Not sure if it matters, but my Line manager and Department manager are super supportive. Any advice will be greatly appreciated. I am absolutely petrified I will be dismissed. 

Brie

There's a lot of factors that I believe will come in to play. 

First and foremost is how serious the data breach was - big difference between giving out some info on an account, possibly to the actual account holder, without going through proper screening versus downloading a file with thousands of customers details and handing them over to your neighbourhood hacker.  

Next would be how good your DPGR training has been, how up to date it is, whether you're following a lax style prevalent in a department or if manager told you to do something you knew was wrong but they said they'd take responsibility.

if the breach was quite minor and training has been lax then I would expect a "retrain and no bonus this quarter" type approach.  if you sold info out of the company it should be instant dismissal.  

To prepare for whatever is happening I would prepare a written account of what happened in a straight linear fashion.  i.e. X rang, I said this, they said that, I did this, result was breach.  Non emotional, no pleading.  You could state mitigating factors (baby kept me up most nights for the last week and I was over tired).  and end with pointing out politely your exemplary service over the last decade.  Also inform your union rep if you have one or line up a suitable individual (not family) to accompany to any meetings that might happen.

Best of luck with it. 

FutureGirl

I didn't sell any data or anything like that. I used a work system to obtain someone's contact number, and I passed that information on to someone else (1 other person)... the non-emotional part might be difficult. I cried my eyes out in the investigation meeting as I actually love my job and really scared. 

Annisele

If I was the hearing manager in something like this I'd care about why you did that, and about what the impact was. For example, if "someone else" is your current partner's ex partner, and if "1 other person" is your current partner, and the result was that "1 other person" harassed "someone else", I'd be very likely indeed to dismiss you regardless of length of service.

On the other hand, if "someone else" is a person in your team, and "1 other person" is your former joint manager, and the result was that "1 other person" sent "someone else" a text message wishing them happy birthday, I'd give you a metaphorical slap on the wrist and make you go through training.

There are of course lots of options in the middle, and for some of those I might take into account length of service and for others I wouldn't. But unfortunately it's impossible to know what the hearing manager in yoru case might think.

Are you in a union? Even if not, if there's a union rep at your employer they might be prepared to give you an indication of how your employer has handled things like this in the past.

housebuyer143

FutureGirl said:

I didn't sell any data or anything like that. I used a work system to obtain someone's contact number, and I passed that information on to someone else (1 other person)... the non-emotional part might be difficult. I cried my eyes out in the investigation meeting as I actually love my job and really scared. 

That is a clear GDPR breach and potentially goes against company policy? You would normally be required to report a data breach like that to a person in your company, but I imagine you didn't because it wasn't an accident?  I know many places which specifically state in their policy documents that you can't use the information for personal gain etc. 

Who was the number for? Someone else in the company or your mate? 

As others have said, how much GDPR training do you get? If none, then pleading ignorance could be your best bet. If you were only sharing internally you could definitely say how you were not aware it would be a problem. 

The problem is, they are probably concerned you have done it before and just not been caught, so you will need to somehow convince them it's a one off and hope for leniency. It really depends where you work though in my opinion and why you shared the number and with who. 

SiliconChip

Unfortunately I think their staring point for such an offence will be dismissal, to avoid it you would have to be able to present some mitigating factors as to why you would do it, so if you have any make sure that you document them and take them with you to the meeting.

LunaLater

FutureGirl said:

I didn't sell any data or anything like that. I used a work system to obtain someone's contact number, and I passed that information on to someone else (1 other person)... the non-emotional part might be difficult. I cried my eyes out in the investigation meeting as I actually love my job and really scared. 

That’s going to be a dismissal then, as it’s right up at the top end of misuse of data.

turnitround

I think the fact that you have been in the job for 10 years is a negative rather than a plus for your defence as it will be difficult to argue that you didnt know what you were doing was wrong. I also wouldn't use the word 'indiscretion' at the meeting as I dont think your managers will see it that way.  

General_Grant

Annisele said:

If I was the hearing manager in something like this I'd care about why you did that, and about what the impact was. For example, if "someone else" is your current partner's ex partner, and if "1 other person" is your current partner, and the result was that "1 other person" harassed "someone else", I'd be very likely indeed to dismiss you regardless of length of service.

On the other hand, if "someone else" is a person in your team, and "1 other person" is your former joint manager, and the result was that "1 other person" sent "someone else" a text message wishing them happy birthday, I'd give you a metaphorical slap on the wrist and make you go through training.

There are of course lots of options in the middle, and for some of those I might take into account length of service and for others I wouldn't. But unfortunately it's impossible to know what the hearing manager in yoru case might think.

Are you in a union? Even if not, if there's a union rep at your employer they might be prepared to give you an indication of how your employer has handled things like this in the past.

I think the "someone else" and "1 other person" is one and the same, that the OP was trying to show how the information wasn;t shared more widely, the "other" being not the OP..

General_Grant

LunaLater said:

FutureGirl said:

I didn't sell any data or anything like that. I used a work system to obtain someone's contact number, and I passed that information on to someone else (1 other person)... the non-emotional part might be difficult. I cried my eyes out in the investigation meeting as I actually love my job and really scared. 

That’s going to be a dismissal then, as it’s right up at the top end of misuse of data.

Given there was no financial gain for the OP, I think that "right up at the top end of misuse" is slightly overstating it.

Brie

I'm with Annisele on this in that it may depend on the who and why.  

Like I said though - write it all down so there's a coherent description.  And without emotion I mean that in the written narrative you don't say "sorrysorrysorrysorry" but stick to facts.  With that you (or your representative) can read it out in a meeting and then submit a copy - and that won't be effected by you bursting into tears at the first meeting or at the next.