Data Security Breach Advice

Hello, 

I am afraid that I have experienced quite a distressing situation at work that I need some advice on. 

Unfortunately, I sent an email to the wrong person. For example, I sent it to [email protected] instead of [email protected] - I sent this email to both addresses, assuming they were one and the same. The actual name of the person I sent this email to had quite an uncommon name and I thought nothing more of it.

This morning, I got a response from the other John Snith who said that I had breached security by sending this email to them instead of the proper John Smith and they were going to raise a security report against me. 

The email itself was sent within the organisation so it never left the organisation per se. 

My question is, do I have any defence here and what next steps should I take because as I explained, I am in distress and my mental health isn’t the best so I appreciate any advice. 

I work for the NHS.

Thank you,



«134

Comments

  • Marcon
    Marcon Posts: 9,949
    First Anniversary Name Dropper Combo Breaker First Post
    Forumite
    1813 said:
    Hello, 

    I am afraid that I have experienced quite a distressing situation at work that I need some advice on. 

    Unfortunately, I sent an email to the wrong person. For example, I sent it to [email protected] instead of [email protected] - I sent this email to both addresses, assuming they were one and the same. The actual name of the person I sent this email to had quite an uncommon name and I thought nothing more of it.

    This morning, I got a response from the other John Snith who said that I had breached security by sending this email to them instead of the proper John Smith and they were going to raise a security report against me. 

    The email itself was sent within the organisation so it never left the organisation per se. 

    My question is, do I have any defence here and what next steps should I take because as I explained, I am in distress and my mental health isn’t the best so I appreciate any advice. 

    I work for the NHS.

    Thank you,



    Talk to your manager - now. Explain what happened as calmly as you can (not easy, I know) and see what they have to say.
    Googling on your question might have been both quicker and easier, if you're only after simple facts rather than opinions!  
  • lincroft1710
    lincroft1710 Posts: 17,452
    Photogenic Name Dropper First Anniversary First Post
    Forumite
    edited 11 October 2023 at 2:56PM
    Unless the email contained highly sensitive or personal information and the "wrong" John Smith is quite high in management or is a data protection officer, I am wondering why they would pursue this.


    I can't see you have any "defence" especially as you sent the email to both addresses which could indicate you were unsure which address to send it to. Admitting to this will only be met with "you should have checked first".


    You made a mistake, it is as simple as that. All you can do is see what transpires. Obviously if it does go further then all you can do is apologise profusely. I cannot advise whether you ought to admit the error to your lone manager before the "wrong JS" puts the wheels in motion although this might not be a bad idea. 
    If you are querying your Council Tax band would you please state whether you are in England, Scotland or Wales
  • 1813
    1813 Posts: 101
    First Anniversary First Post
    Forumite
    Marcon said:
    1813 said:
    Hello, 

    I am afraid that I have experienced quite a distressing situation at work that I need some advice on. 

    Unfortunately, I sent an email to the wrong person. For example, I sent it to [email protected] instead of [email protected] - I sent this email to both addresses, assuming they were one and the same. The actual name of the person I sent this email to had quite an uncommon name and I thought nothing more of it.

    This morning, I got a response from the other John Snith who said that I had breached security by sending this email to them instead of the proper John Smith and they were going to raise a security report against me. 

    The email itself was sent within the organisation so it never left the organisation per se. 

    My question is, do I have any defence here and what next steps should I take because as I explained, I am in distress and my mental health isn’t the best so I appreciate any advice. 

    I work for the NHS.

    Thank you,



    Talk to your manager - now. Explain what happened as calmly as you can (not easy, I know) and see what they have to say.
    I included their name and their hospital number 
  • Savvy_Sue
    Savvy_Sue Posts: 45,809
    Name Dropper First Post First Anniversary
    Forumite
    Does your email signature have a disclaimer, saying what to do in the event of receiving an email which clearly wasn't intended for you? 
    Signature removed for peace of mind
  • 1813
    1813 Posts: 101
    First Anniversary First Post
    Forumite
    I’m not sure savvy Sue does this make a difference?
  • NCC1701-A
    NCC1701-A Posts: 332
    First Anniversary First Post Name Dropper
    Forumite
    1813 said:
    Hello, 

    I am afraid that I have experienced quite a distressing situation at work that I need some advice on. 

    Unfortunately, I sent an email to the wrong person. For example, I sent it to [email protected] instead of [email protected] - I sent this email to both addresses, assuming they were one and the same. The actual name of the person I sent this email to had quite an uncommon name and I thought nothing more of it.

    This morning, I got a response from the other John Snith who said that I had breached security by sending this email to them instead of the proper John Smith and they were going to raise a security report against me. 

    The email itself was sent within the organisation so it never left the organisation per se. 

    My question is, do I have any defence here and what next steps should I take because as I explained, I am in distress and my mental health isn’t the best so I appreciate any advice. 

    I work for the NHS.

    Thank you,



    Report yourself via Datix, setting out the impact of your actions.

    Much better to admit your mistake rather upfront.
  • Savvy_Sue
    Savvy_Sue Posts: 45,809
    Name Dropper First Post First Anniversary
    Forumite
    1813 said:
    I’m not sure savvy Sue does this make a difference?
    Well, possibly. I've seen some which are half a screen long, stating that if you've been sent an email in error you must tell the sender, but also not misuse information you shouldn't have. It is possible that the 'wrong' recipient's actions are what they're instructed to do by the signature, and they're following that to avoid finding themselves in the wrong. For example, I've had an email from my GP surgery recently which had the following: 

    This message may contain confidential information. If you are not the intended recipient please:
    i) inform the sender that you have received the message in error before deleting it; and
    ii) do not disclose, copy or distribute information in this e-mail or take any action in relation to its content (to do so is strictly prohibited and may be unlawful).
    Thank you for your co-operation.

    Sending someone's name and hospital number outside the organisation would, IMO, be a lot more serious. 

    We haven't asked yet: are you in a union? If you are, contact your rep and ask for their support. 
    Signature removed for peace of mind
  • Dakta
    Dakta Posts: 550
    First Post First Anniversary Name Dropper
    Forumite
    As above, ask to speak to your manager or log it with the risk management system (as appropriate or both). This is a serious issue but a lot will depend on the content of the email as well.

    It's also important beyond your mistake to let them know because from the description of your mistake it does sound really easy to make, so it will help the company be aware of how unintentional disclosures could happen and give them some insight whether things need to be changed or whatever to help keep customers data safe and keep you safe from accidentally disclosing as well. 

    As hard as it will be - try not to beat yourself up, whilst this is a serious matter accidents do happen, and it doesn't sound like it was malicious. 
  • elsien
    elsien Posts: 32,256
    Name Dropper Photogenic First Anniversary First Post
    Forumite
    I’ve just done similar. Sent the wrong information to someone by mistake, but it was information they did actually have the right to. They reported me for a data breach. 

    My organisation has decided it’s not a data breach because it’s nothing they shouldn’t know. I have to do refresher training on a GDPR policy and that’s the end of the matter. Obviously I’ll be more careful in future.
    All shall be well, and all shall be well, and all manner of things shall be well.

    Pedant alert - it's could have, not could of.
  • When you say the other person’s hospital number was disclosed do you mean their ESR number? If so yes it’s a breach but not that big a deal really. It’s not as if you’ve disclosed lots of personal information or medical history.  As it’s an internal breach id suggest you should inform your line manager, complete an IRE and then send an apology to the person whose number was inadvertently sent to the other person. It’s interesting that the person saying they are going to report you isn’t the person whose data has been breached. It was a genuine mistake and these sort of things happen more than you might think they do. 
Meet your Ambassadors

Categories

  • All Categories
  • 341.5K Banking & Borrowing
  • 249.7K Reduce Debt & Boost Income
  • 449K Spending & Discounts
  • 233.6K Work, Benefits & Business
  • 606K Mortgages, Homes & Bills
  • 172.3K Life & Family
  • 246.5K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 15.8K Discuss & Feedback
  • 15.1K Coronavirus Support Boards