My boss forwarded personal details to my colleagues

bobsman

Hi folks. Won't go in to too much detail. I have access to my boss outlook. It's company policy. Access is granted. I had to take a day off due to personal issues at home. I sent email to my boss outlining why I needed to take day off. He said it was fine,

When I returned to the office, his viewing pane was visible. See he forward my email to 2 staff members. Both are friends of his but same grade as me. One of them replied with a not very nice reply.

What should I do in the situation folks??

sexmag

Report it too your hr department and go to union and state you want to lodge a grievance, this is a breach of gdpr id say

Gwen Cooper

Take it to HR.

bobsman

Thanks folks, I'm not in a union.

Can there be repercussions for me as it's in his email? I emphasise, that I do have permission to access his emails.

Gwen Cooper

bobsman wrote: »

Thanks folks, I'm not in a union.

Can there be repercussions for me as it's in his email? I emphasise, that I do have permission to access his emails.

Well if you have access and are allowed to read his emails, I don't see the problem.

Stanford

What was the nature of his referral of your e-mail to colleagues, was it for their info only to say you would be absent?

bobsman

The two colleagues in question do not work with me as such. Would make no difference to them if I was absent or not.

Sleeper12

sexmag wrote: »

Report it too your hr department and go to union and state you want to lodge a grievance, this is a breach of gdpr id say

How exactly?

Pelvis

I'm not seeing the problem, you emailed your boss saying you'd be out sick, he forwarded it to others.

Did you disclose sensitive info in the email?

Stanford

If your colleagues have no reporting relationship with you then your boss had no professional reason to e-mail them about your absence, it is a breach of GDPR imo as your boss failed to adequately protect your personal information and had no professional reason to share it with the others

professore

Sleeper12 wrote: »

How exactly?

Sharing personal information unnecessarily and without permission is a breach of GDPR.

bobsman

Pelvis, it was information which shouldn't have been sent to colleagues (IMO). The main issue is the bitchy response from one of the recipients. I feel the email was sent as a source of salacious gossip.

Pelvis

professore wrote: »

Sharing personal information unnecessarily and without permission is a breach of GDPR.

What personal information was shared?

Stanford

professore wrote: »

Sharing personal information unnecessarily and without permission is a breach of GDPR.

Absolutely agree

The Bishop Basher

OP - You need to report this to HR.

Sleeper12

professore wrote: »

Sharing personal information unnecessarily and without permission is a breach of GDPR.

That didn't happen here. At least OP hasn't said anything that would break GDPR.


OP emailed saying they would be out sick. Boss notified people he/she decided needed to know.



Please explain a GDPR breach in this case?

Gwen Cooper

Just one question - do the other people have access to his emails as well, since you mentioned that they're on the same level as you? Because in that case they would be able to read the email anyway.

Stanford

Rennaws wrote: »

OP - You need to report this to HR.

I agree, the Data Protection Commission has a standard letter of complaint which should be sent to HR (attached)

Stanford

Form attached

Sleeper12

Mountain & Mole Hill spring to mind here

bobsman

Pelvis wrote: »

What personal information was shared?

Regarding an issue with one of my children who is ill.

Not going into detail.

dudara

This would be a breach of protocol for me, and it also sounds like a breach of GDPR. Personal information should only be shared for legitatmite purposes. If your colleagues needed to know you were out, that’s fine, but they should not have been told the specifics of why you were out.

The question is if you want to complain officially, or do you think a quiet word with your boss would be best. He may not realise what he did.

Stanford

Sleeper12 wrote: »

Mountain & Mole Hill spring to mind here

Perhaps but its clearly important to OP

scamalert

id say bring it to your boss attention and speak to the person who made remark, nothing to do with gdpr as you say you have access they might as well, better to deal with it on personal level and outline next time that its for him only.

Sleeper12

Stanford wrote:

Perhaps but its clearly important to OP

We're still waiting to hear back from OP. Very important detail in the story is who else has access the company emails? It's extremely unlikely that OP is the only one.

Stanford

scamalert wrote: »

id say bring it to your boss attention and speak to the person who made remark, nothing to do with gdpr as you say you have access they might as well, better to deal with it on personal level and outline next time that its for him only.

Absolutely not!

This will prejudice any complaint to the Data Commission later if required

Stanford

Sleeper12 wrote: »

We're still waiting to hear back from OP. Very important detail in the story is who else has access the company emails? It's extremely unlikely that OP is the only one.

Access is strictly not the issue here entirely. OP has said about his colleagues

"The two colleagues in question do not work with me as such. Would make no difference to them if I was absent or not"

If so then what is the point in sharing the e-mail with them?

Sleeper12

Stanford wrote:

This will prejudice any complaint to the Data Commission later if required

You are VERY quick to jump on GDPR & data commissioner bandwagon without OP explaining who else in the company has access to the company emails?

Sleeper12

Stanford wrote:

"The two colleagues in question do not work with me as such. Would make no difference to them if I was absent or not"

Says op. His boss might disagree.

You shouldn't jump to conclusions or even offer advice until you have all the facts.
It may end up being a breach of GDPR but no one can say it is till op gives all of the details

lawred2

I doubt GDPR covers a note about sick children.

Either way - I would expect that your boss was informing colleagues that you would be absent. Not the most appropriate way to do it but forwarding emails is fairly standard practice.

It's the response from your colleague I'd be taking exception to.

Stanford

Sleeper12 wrote: »

You are VERY quick to jump on GDPR & data commissioner bandwagon without OP explaining who else in the company has access to the company emails?

It doesn't matter who has access, it is the company's responsibility to ensure that private correspondence is protected from parties who don't need to see it

bobsman

Gwen Cooper wrote: »

Just one question - do the other people have access to his emails as well, since you mentioned that they're on the same level as you? Because in that case they would be able to read the email anyway.

They don't. I'm his assistant

Stanford

lawred2 wrote: »

I doubt GDPR covers a note about sick children.

Either way - I would expect that your boss was informing colleagues that you would be absent. Not the most appropriate way to do it but forwarding emails is fairly standard practice.

It's the response from your colleague I'd be taking exception to.

His boss could simply have e-mailed the relevant colleagues to say OP was absent, forwarding his e-mail which might have contained sensitive personal info is not reasonable

Sleeper12

Stanford wrote:

It doesn't matter who has access, it is the company's responsibility to ensure that private correspondence is protected from parties who don't need to see it

I'm sorry but you are mistaken there. Sharing information that someone already has on the same network is not a breach of the GDPR.

We still need op to tell us who has access to the emails. Otherwise no one should be giving advice here. Run to HR might be the worst thing in the world to do if there was no breach.

lawred2

Stanford wrote: »

His boss could simply have e-mailed the relevant colleagues to say OP was absent, forwarding his e-mail which might have contained sensitive personal info is not reasonable

I did say it wasn't the most appropriate but doesn't sound like there was much to it other than a snotty response from a peer.

Get Real

GDPR was brought in to clarify issues regarding the likes of information stored about you on websites, cookies, by businesses you deal with, which may have been sold to 3rd parties (marketing companies etc) without your express permission.

It also has many things which were already covered by the Data Protection Act, which was in place for years anyway. The publicizing and awareness of the amendments make everyone scream GDPR at the drop of a hat.

At worst, this is essentially water cooler talk. How many employment places up and down the country have heard "oh john/mary is off sick today/has a day off, he/she has x, y or z"

I think you may be peeved and rightly si, at whatever snarky response was recieved in relation to being off. But goodness knows, how many snarky comments are made about other peoples business in the workplace in a gossip scenario?

I wouldn't be relying on GDPR in this, but if you are, then don't you find it ironic that you have access to your bosses emails, and could potentially read something from someone containing data that doesn't involve you whatsoever?

If the GDPR route is gone down,then you have to practice what you preach, and no longer access your bosses emails. Ridiculous right? Exactly, it doesn't work in practice and has a hrey scope.

Gdpr wasn't brought in for this kind of thing. In that case I couldn't ring say a hotel and ask the receptionist what the managers name is.

Stanford

Sleeper12 wrote: »

I'm sorry but you are mistaken there. Sharing information that someone already has on the same network is not a breach of the GDPR.

We still need op to tell us who has access to the emails. Otherwise no one should be giving advice here. Run to HR might be the worst thing in the world to do if there was no breach.

Agree somewhat, however HR files on any network can have access restrictions in place to protect private data, the fact it was on a shared network is all the more reason why access needs to be restricted and the absence of such restriction is not a defence under GDPR.

OP you need to come clear, who else had access?

Stanford

Get Real wrote: »

GDPR was brought in to clarify issues regarding the likes of information stored about you on websites, cookies, by businesses you deal with, which may have been sold to 3rd parties (marketing companies etc) without your express permission.

It also has many things which were already covered by the Data Protection Act, which was in place for years anyway. The publicizing and awareness of the amendments make everyone scream GDPR at the drop of a hat.

At worst, this is essentially water cooler talk. How many employment places up and down the country have heard "oh john/mary is off sick today/has a day off, he/she has x, y or z"

I think you may be peeved and rightly si, at whatever snarky response was recieved in relation to being off. But goodness knows, how many snarky comments are made about other peoples business in the workplace in a gossip scenario?

I wouldn't be relying on GDPR in this, but if you are, then don't you find it ironic that you have access to your bosses emails, and could potentially read something from someone containing data that doesn't involve you whatsoever?

Valid points all, OP needs to clarify your last sentence, how does he deal with personal e-mails in his boss' absence?

bobsman

His immediate boss has access to his emails as do I. No one else.

Stanford

bobsman wrote: »

His immediate boss has access to his emails as do I. No one else.

So is there a procedure if you intercept e-mails concerning personal info in your boss's absence?

sexmag

bobsman wrote: »

They don't. I'm his assistant

There you go.

Your boss forward information meant for him only to other colleagues, not appropriate at all and a breach in my opinion

Sleeper12

Get Real wrote:

It also has many things which were already covered by the Data Protection Act, which was in place for years anyway. The publicizing and awareness of the amendments make everyone scream GDPR at the drop of a hat.

I've followed threads here from months before GDPR came into effect. One such thread was actually about how boards.ie would implement GDPR. I have found that 95 percent of posters on all of these threads have no grasp of what GDPR is, what it is supposed to do etc. It's not a one size fits all bat to beat someone with

I totally agree with your water cooler talk analogy.

Stanford

Stanford wrote: »

So is there a procedure if you intercept e-mails concerning personal info in your boss's absence?

OP could you answer this please

Stanford

Sleeper12 wrote: »

I've followed threads here from months before GDPR came into effect. One such thread was actually about how boards.ie would implement GDPR. I have found that 95 percent of posters on all of these threads have no grasp of what GDPR is, what it is supposed to do etc. It's not a one size fits all bat to beat someone with

I totally agree with your water cooler talk analogy.

The water cooler analogy is fine but GDPR is very clear on the holding and sharing of personal info and the responsibilities of those who has access to same

nikkibikki

Get Real wrote:

At worst, this is essentially water cooler talk. How many employment places up and down the country have heard "oh john/mary is off sick today/has a day off, he/she has x, y or z"

It would be up to John/Mary to tell people why they were absent, not their boss.

Mr. Incognito

https://www.itgovernance.eu/blog/en/the-gdpr-what-exactly-is-personal-data

Mailing that you are out sick is personal data. If this is not processed in accordance with the correct company policy, then yes. It is a breach of GDPR. A company could seek to rely on an exemption that it was required for legitimate processing but the unauthorised forwarding of personal data in this way is clearly a breach of GDPR. Someone's physical health and sick leave is medical information which clearly is sensitive data.

Secondly this person could, and should be sanctioned for it. It is not merely gossip. It is a form of incideous bullying and could form the basis of a complaint for activation of the grievence process.

The person's trust has clearly been affected. They should not have their sensitive personal issues circulated and ridiculed in such a way.

I'd open a complaint to HR

Stanford

nikkibikki wrote: »

It would be up to John/Mary to tell people why they were absent, not their boss.

We need to distinguish between office gossip and genuinely personal info provided to the boss in professional confidence

nikkibikki

Stanford wrote:

We need to distinguish between office gossip and genuinely personal info provided to the boss in professional confidence

It's clear that the reason anybody is absent is personal information. Even if it's a manager telling their team "John is not in today, he has a cold." Now John might have been coughing the day before and told his colleagues he's feeling rough from his cold. So they can surmise that it's the reason he is absent. All the manager should be telling the team is that John is absent and this is what I need you to do to cover his workload. That's my experience anyway.

Stanford

nikkibikki wrote: »

It's clear that the reason anybody is absent is personal information. Even if it's a manager telling their team "John is not in today, he has a cold." Now John might have been coughing the day before and told his colleagues he's feeling rough from his cold. So they can surmise that it's the reason he is absent. All the manager should be telling the team is that John is absent and this is what I need you to do to cover his workload. That's my experience anyway.

So you would agree that disclosing why "John" is absent is unnecessary information to disseminate amongst colleagues?

Gwen Cooper

Stanford wrote: »

So you would agree that disclosing why "John" is absent is unnecessary information to disseminate amongst colleagues?

It's definitely an unnecessary information. All the colleagues need to know is that John is not coming in today. It's up to John if he decides to share the reason with his colleagues when he comes back.

Stanford

Gwen Cooper wrote: »

It's definitely an unnecessary information. All the colleagues need to know is that John is not coming in today. It's up to John if he decides to share the reason with his colleagues when he comes back.

Agree entirely, so disclosing the personal reasons why he is out is a clear breach and simply forwarding his e-mail is outraegous