Data Security Breach Advice


  • 1813
    1813 Posts: 140 Forumite
    Fourth Anniversary 100 Posts
    Savvy_Sue said:
    1813 said:
    I’m not sure savvy Sue does this make a difference?
    Well, possibly. I've seen some which are half a screen long, stating that if you've been sent an email in error you must tell the sender, but also not misuse information you shouldn't have. It is possible that the 'wrong' recipient's actions are what they're instructed to do by the signature, and they're following that to avoid finding themselves in the wrong. For example, I've had an email from my GP surgery recently which had the following: 

    This message may contain confidential information. If you are not the intended recipient please:
    i) inform the sender that you have received the message in error before deleting it; and
    ii) do not disclose, copy or distribute information in this e-mail or take any action in relation to its content (to do so is strictly prohibited and may be unlawful).
    Thank you for your co-operation.

    Sending someone's name and hospital number outside the organisation would, IMO, be a lot more serious. 

    We haven't asked yet: are you in a union? If you are, contact your rep and ask for their support. 
    I am a bank member of staff but I have considered asking citizens advice or ACAS. I have talked at length with my mother and I think she is fearful if I stir the pot it could be a lot worse for me because I could be, in her thinking, making more out of this than it’s worth, but I want to be prepared as much as I can in case anything does happen. 
  • 1813
    1813 Posts: 140 Forumite
    Fourth Anniversary 100 Posts
    Dakta, 

    The email contained their name and hospital number, nothing more. I agree it is easy to make when the email address is similar by one digit so I do feel any logical person would arrive at that same conclusion and I have asked multiple people the same question and they have all come to the same conclusion. 

    The part about keeping us safe is really sound as well because if email addresses are being used where the information is that close in nature, surely they are opening themselves up to data security breaches because these sorts of mistakes can happen, a very intriguing point. I argued that email addresses for everyone in the organisation should be unique or if you have the same surname perhaps use an alias or use another part of your name so this adds even more security to stop breaches.

    Definitely no malicious intent. I just wanted to make sure the right person got the information, so all I felt like I was doing was covering my bases. 

    Thanks
  • 1813
    1813 Posts: 140 Forumite
    Fourth Anniversary 100 Posts
    Elsien,

    This is an intriguing answer. When you say it’s information they have the right to and nothing they shouldn’t know, is it arguable that everyone within the internal organisation has a right to this information and we are all bound to the same policy, regardless? 

    Thanks
  • 1813
    1813 Posts: 140 Forumite
    Fourth Anniversary 100 Posts
    PutpleLady65,

    It was the number on their medical file, a unique identifier and their name, nothing more. Also, I ask why did this person who I sent the wrong emails wait until now to file a report when they should’ve seen the mistake the first time I sent the email and the use of a disclaimer and staff safety is really interesting as well. I know these things happen but I have mental health and anxiety problems and this really freaks me out. Whether or not I did the right thing, I left work early yesterday because I honestly was not happy but not before the essential work had been done. Then I did some investigations like as such on here so I want this matter resolved before I commit to going back to work otherwise I just wouldn’t be able to relax. I know I was making mistakes at work yesterday because I was nervous so obviously working under a dark cloud helps nobody. 

    Thanks
  • Humans make mistakes. If you want perfection use a machine. We all make mistakes, even those that judge others. Apologise, try not to make the same mistake again and move on. 
  • elsien
    elsien Posts: 35,578 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    edited 12 October 2023 at 8:45AM
    1813 said:
    Elsien,

    This is an intriguing answer. When you say it’s information they have the right to and nothing they shouldn’t know, is it arguable that everyone within the internal organisation has a right to this information and we are all bound to the same policy, regardless? 

    Thanks
    I don’t know. I guess mainly because in practical terms there was actually zero impact on the person or the organisation. This is just how my organisation decided the matter, and I posted to let you know that it’s not always the worst case scenario.
    All shall be well, and all shall be well, and all manner of things shall be well.

    Pedant alert - it's could have, not could of.
  • Undervalued
    Undervalued Posts: 9,496 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Savvy_Sue said:
    1813 said:
    I’m not sure savvy Sue does this make a difference?
    Well, possibly. I've seen some which are half a screen long, stating that if you've been sent an email in error you must tell the sender, but also not misuse information you shouldn't have. It is possible that the 'wrong' recipient's actions are what they're instructed to do by the signature, and they're following that to avoid finding themselves in the wrong. For example, I've had an email from my GP surgery recently which had the following: 

    This message may contain confidential information. If you are not the intended recipient please:
    i) inform the sender that you have received the message in error before deleting it; and
    ii) do not disclose, copy or distribute information in this e-mail or take any action in relation to its content (to do so is strictly prohibited and may be unlawful).
    Thank you for your co-operation.

    Sending someone's name and hospital number outside the organisation would, IMO, be a lot more serious. 

    We haven't asked yet: are you in a union? If you are, contact your rep and ask for their support. 
    Indeed but whilst we have all seen variations on these they carry little if any legal weight. Within a company it may be more relevant as it can at least remind people of the company's rules.

    Outside of the company, if you by accident were to send me an email with such a disclaimer, whilst obviously I must not make unlawful use of the information, I am under no obligation to follow your instruction to inform you of your mistake. Nor am I required to forward the email to the intended recipient, even if I know who they were. The same is true of a letter posted to the wrong address.
  • Lorian
    Lorian Posts: 6,171 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    edited 12 October 2023 at 9:02AM
    I have no experience of the NHS policy and I am not legally trained. In my experience this would not be a breach and certainly not notifiable to the ICO unless it contained further personal information. If I had done this I'd be expecting a ticking off, be told to ask the recipient to delete it, and expect some mandatory GDPR re-training. 
    Be careful though: I've experienced people do far worse, and fear each day it will be me, and I avoid ever emailing personally identifiable information for this reason.
  • The correct thing to do is to immediately report what has happened to your line manager or better still a data protection person/hotline in your organisation. Then that expert takes the correct steps and can put your mind at ease. 

    Even if you are not sure if you've accidentally leaked data you should call and get advice immediately. 

    You should also consider the person whose data was accidentally sent. It's essential that they get the correct advice asap if that is what is needed.

    All organisations accept that mistakes happen; there are jobs created to deal with these mistakes. 
    Leaving it or hoping that it's all ok doesn't help you or the organisation.

    Also don't listen to me. You should only get advice from the data protection people at your organisation. 
  • TELLIT01
    TELLIT01 Posts: 17,824 Forumite
    Tenth Anniversary 10,000 Posts Name Dropper PPI Party Pooper
    Sending personal information to the wrong person is certainly a data breach but in this instance I would have thought it a fairly minor one.  As others have said, report the situation to your manager and never send any communication in future if you are unsure if you have the correct recipient.