Salary details forwarded in error

kormak

I recently queried something with my payroll dept concerning a payment on my salary. For some bizarre reason, they forwarded my mail to another payroll correspondant for info but also included a normal staff member of workplace colleague of mine on the mail!!
The email had my salary details all over the mail. The HR manager of the companny has immediately mailed me with an unreserved apology and that's it...
bit annoyed and feel like they're quite happy to just brush it under the carpet. what's the situation here with data protection laws. I feel a bit annoyed by the whole matter!! :mad::mad:

whomitconcerns

They have apologised for what is of course a VERY serious breach of confidentiality.

So now what would you like them to do about it?

kormak

well that's just it... they've apologised profusely and have said what's done it done!
Just curious where employees stand in such a scenario? how serious of a breach is this in legal terms? not that I'm planning any legal routes, but the whole things is far too easy for such HR people to simply sweep aside.
I'm sure the person responsible has got a fair bollicking none the less... and rightly so.

Bandana boy

A mistake is a mistake ,they have acknowledged the mistake and apologised as long as they put something in place to stop it happening again then I think they have covered their bases.

With regards your own suffering ,You would have to show that this has cost you something if you want reperations. While its clear you are annoyed you have not lost anything or incurred any costs here so not sure what you could sue for.

Bogger77

they, the company, need to
1) take steps to ensure that your details are removed from that persons inbox and any personal folders
2) verify that the unintended recipient did not forward or otherwise share that information
3) have the recipient, state in writing, that they will not disclose the information to anyone
4) state what steps they will be introducing to ensure it doesn't happen again
5) state what disciplinary or other reviews have been completed, and what the outcome was.


after that, they can apologize

No Pants

Bogger77 wrote: »

they, the company, need to
1) take steps to ensure that your details are removed from that persons inbox and any personal folders
2) verify that the unintended recipient did not forward or otherwise share that information
3) have the recipient, state in writing, that they will not disclose the information to anyone

1) I would not consider that to be an appropriate response and as wrong as the initial mistake.
2) Can be done in email, but would be of limited value.
3) I would not make such a statement.

bbam

Bogger77 wrote: »

they, the company, need to
1) take steps to ensure that your details are removed from that persons inbox and any personal folders
2) verify that the unintended recipient did not forward or otherwise share that information
3) have the recipient, state in writing, that they will not disclose the information to anyone
4) state what steps they will be introducing to ensure it doesn't happen again
5) state what disciplinary or other reviews have been completed, and what the outcome was.


after that, they can apologize

I'd be hardline but I think that's OTT

4th horsemen

No Pants wrote: »

1) I would not consider that to be an appropriate response and as wrong as the initial mistake.
2) Can be done in email, but would be of limited value.
3) I would not make such a statement.

They should definitely delete the mail from the unintended recipient. They should not have received it and they definitely should not have it so why would that not be an appropriate response?

Not sure bout point 3 but the email trail needs to be erased and no harm checking with the unintended recipient, But I would have thought that the unintended recipient might have brought this to the attention of payroll anyway. (who will have seen the error they made)

Bogger77

4th horsemen wrote: »

They should definitely delete the mail from the unintended recipient. They should not have received it and they definitely should not have it so why would that not be an appropriate response?

Not sure bout point 3 but the email trail needs to be erased and no harm checking with the unintended recipient, But I would have thought that the unintended recipient might have brought this to the attention of payroll anyway. (who will have seen the error they made)

a persons company emails and the content of the email store is not their property, it belongs to the company, chances are it's a company supplied PC, so stores on that pc, belong to the company.
it's not OTT for the company to erase such mails from a persons inbox.
also, as it's company mail, it's not a big deal, or a lot of effort to check if that mail, or the contents of it, were forwarded on to others, or out of the company.

the unintended recipient, while they were not active in receiving the mail, they are now affected by it.

A company would be remiss in it's obligations on data protection, and it's own guidelines, if it did not perform an inquiry into why this occurred, and what they plan on doing to resolve this, and ensure what steps will be taken to avoid re-occurrence.

In a previous company, a payroll person included pay details of 5 people in a mail to another member of staff, bluntly put, that payroll person ceased to have a job with the company. In my contract with this company, it's stated that pay details are highly sensitive and should be even discussed with unauthorized persons.

4th horsemen

I agree with you Bogger77, my post was in reply to "No Pants" !

No Pants

Once you send someone an email, it no longer belong to you, it belongs to them. I would get legal advice before deleting an email from someones mailbox, even if the PC, the mail server and the network belong to the company. I have seen companies, not in Ireland mind, get into bother over such actions.

Bogger77

deleting it from the mailbox, not deleting it's record so for audit purposes the mail still exists, and the reason it's removed from a mailbox would be documented.

again, as mail is sent within a company, ownership of the mail is not in question, it always belonged to the company.

No Pants

Maybe that's fine in Ireland. It wouldn't be in certain other EU countries. The employee has a right to privacy, even on a company email system.

Mrs OBumble

No Pants wrote: »

Maybe that's fine in Ireland. It wouldn't be in certain other EU countries. The employee has a right to privacy, even on a company email system.

Links please ....

gizmo555

Mrs OBumble wrote: »

Links please ....

http://www.citizensinformation.ie/en/employment/employment_rights_and_conditions/monitoring_and_surveillance_at_work/surveillance_of_electronic_communications_in_the_workplace.html

No Pants

Mrs OBumble wrote: »

Links please ....

I work for the service centre of a large multinational. Deleting emails from someones mailbox is a no-no. I have received several calls along the following lines:
Senior manager and sometimes even a HR person has drafted an unflattering email about Person A.
In order to spell Person A's name correctly, they use the CC or BCC field.
Person's name is then forgotten about and left in the field.
Unflattering emails, or sometimes emails of an even more serious nature concerning HR matters have thus been sent to the subject of the email.
Escalation upon escalation changes nothing. We do not delete the email.

That's all I have to say on the matter. I've derailed the thread long enough. Everyone can make their own decisions on how to proceed.

Mrs OBumble

gizmo555 wrote: »

http://www.citizensinformation.ie/en/employment/employment_rights_and_conditions/monitoring_and_surveillance_at_work/surveillance_of_electronic_communications_in_the_workplace.html

I'd have a hard time inferring an absolutely statement like "The employee has a right to privacy, even on a company email system." from that link.

Sure there are rights.

But there are counterbalancing responsibilities, and a number of other factors that need to be taken account of.

IMHO the only safe approach to work-email is to assume that nothing is private, and that you could have to front up to Joe Duffy or News at Six to explain anything that you write.


In the OPs case, what's appropriate is proportionate to the amount of harm caused. If they're a senior manager or well-paid specialist and most people won't be able to guess what they earn, then it's harmful. But if they're a relatively junior person and most people can guess their salary range anyway, then probably there's very little harm involved.

Jim2007

No Pants wrote: »

Maybe that's fine in Ireland. It wouldn't be in certain other EU countries. The employee has a right to privacy, even on a company email system.

The DPA is based on the an EU directive and is more or less the same in all countries. It is true that some countries have stricter laws regarding email privacy, however usually in such countries your employment contract states that everything in you company email account belongs to the company or failing that you are not given a specific company account, but general one shared by more that one employee.

No Pants

You'd be surprised. In Germany they get really funny about things like phone logs. I think they consider phone numbers sensitive personal information, but I'm no expert. They also don't like this info leaving Germany.

gizmo555

Mrs OBumble wrote: »

I'd have a hard time inferring an absolutely statement like "The employee has a right to privacy, even on a company email system." from that link.

The statement you quote isn't an absolute statement, nor is the employee's right to privacy. No right is, not even the right to life.

But a right to privacy on a company email system does exist, and in particular - as the Citizen's Information website says - covert email monitoring can only be done where criminal activity is suspected.

Jim2007

No Pants wrote: »

You'd be surprised. In Germany they get really funny about things like phone logs. I think they consider phone numbers sensitive personal information, but I'm no expert. They also don't like this info leaving Germany.

In Germany phone numbers are not by law considered sensitive and in accordance with the EU directive data can be transferred to another member state or Switzerland. We sell a lot of software that is used to capture and share personal financial data across the EU, so knowing what is acceptable and legally correct is part of the job.

Mrs OBumble

gizmo555 wrote: »

But a right to privacy on a company email system does exist, and in particular - as the Citizen's Information website says - covert email monitoring can only be done where criminal activity is suspected.

Agreed.

But every job that I've started for years has had me sign in IT policy which includes the fact that overt email monitoring will occur, and that company email is company property.

Frynge

Jim2007 wrote: »

In Germany phone numbers are not by law considered sensitive and in accordance with the EU directive data can be transferred to another member state or Switzerland. We sell a lot of software that is used to capture and share personal financial data across the EU, so knowing what is acceptable and legally correct is part of the job.

Is that right or am I misunderstanding it.


On a similar note, we have everyone's email backed up to a separated inbox from their own. We have done this because too often people were deleting emails that they then needed and also saying emails were not working when they were working fine. Only person with access would be MD and sysadmin and the sysadmin wouldn't know who is who.

Mrs OBumble

Frynge wrote: »

On a similar note, we have everyone's email backed up to a separated inbox from their own. We have done this because too often people were deleting emails that they then needed and also saying emails were not working when they were working fine. Only person with access would be MD and sysadmin and the sysadmin wouldn't know who is who.

My understanding is that this is fine so long as you are up-front about it.

It's when you get into hidden monitoring that there can be problems.