Problem colleague - giving my confidential file to intern to take home

Hannaho

Hi! I posted here a while ago about my colleague who was making remarks about me being a single parent. Now, yesterday, as I was about to go home and was looking for my personal work folder, my colleague said she had given it to the intern to take home to do some extra reading. The file was a mix of resources for work, and confidential letters belonging to clients social care records that were to be filed the next day. It had my name clearly marked on it She only told me that she had given it to the intern when I wanted to put something in it before I left work yesterday. I explained to my colleague that her actions had led to a breach of confidentiality, and emphasised that all files were supposed to stay in the office, and that also resources were not supposed to be taken out of the office, but copies could be made of them (i.e. non-confidential information). My colleague said that the intern would bring the file back the next day.

I came home and talked to a friend in the same profession, who said I would have to notify my line manager immediately as it was a breach of confidentiality, as there were very serious consequences under data protection legislation and also under our organisation's policy for same - I emailed my line manager about what happened when I came home.

Needless to say the intern did not bring the file back today, and both the intern and my colleague tried to say I had given the impression that the file could be taken out of the office, this is despite the fact that the intern had never mentioned taking the file home to me, and the fact that she had asked my colleague and not me to take the file home, even though my name was on the folder.

I feel that I am going to be blamed or this and/or shafted - I was working in another office today not in my usual office - has anyone been through anything similar to this or have any sound comments on what is the best way to handle this situation.

ElleEm

You did right by contacting your line manager. Breaching confidentiality in Social Care is a very serious thing.
You did nothing wrong so if you are questioned further, tell the truth. You may also want to get your line manager to refresh people's minds about confidentiality and boundaries. Should an intern even be accessing full files?

Tigger99

You definitely did the right thing. I'd be very concerned as to where the intern has left the file as well. Could housemates etc have access to it?

delthedriver

Dreadful carry on altogether.


Impress upon your Line Manager that you want this matter addressed immediately.

ABajaninCork

I would not only address this with your Line Manager, but also escalate to HR immediately, as there is a DP breach (and a very serious one too).

GarIT

You should contact the data protection commissioner rather than people,internal to the company. One would hope legal proceedings are taken against your colleague rather than just internal discipline.

ABajaninCork

GarIT wrote: »

You should contact the data protection commissioner rather than people,internal to the company. One would hope legal proceedings are taken against your colleague rather than just internal discipline.

Most definitely! Why this idiot thought you'd give permission for your confidential information to be seen by an intern, I have no clue.

What was the 'extra reading' and why was it required?

Crazyteacher

Don't let up on that one. That's disgraceful.

Ann Landers

OP, are they still trying to pin it on you? If so, aren't you a bit concerned about that as it's two against one?

ABajaninCork

Ann Landers wrote: »

OP, are they still trying to pin it on you? If so, aren't you a bit concerned about that as it's two against one?

I think that would be least of the OP's worries, TBH. The fact the intern still has the file lying God knows where would be a much more immediate worry.

Plus the fact I'm sure there are procedures in place for handling sensitive data which clearly have not been followed, regardless of who said what.

Hannaho

Hi! All, you'll never believe it! My manager thinks it's no big deal, and I shouldn't have reported my colleague for giving my file, with confidential information on it, to him or his line manager - that it was a rash decision - the file was away for two days - if it was found in the ditch somewhere, with my name on it, or in a rubbish bin, then I would lose my job!

ABajaninCork

Ignore this idiot. Report the breach to HR and the Data Commissioner. Is the file back now?

looksee

OP, you are in the right here. And you are right to be concerned. If any of the information in the file became public knowledge, you would be held responsible. I think you should write a memo giving the exact situation that happened, do not offer any opinions or speculation, just the very bare facts of who did what, and when (dates) and what was said. Send this to HR or whoever is the appropriate official with a covering note to the effect that you wish the situation to be on record, you understand from your manager that this was not a serious incident and you accept that, but you wish to make your situation clear. Don't sound annoyed, don't lay any blame, just state the facts. Then hide your files :-) - oh, and keep a copy of the email, separate from your work computer.

Hannaho

Thanks to you both for your replies. Yes, the file is back. Re reporting to HR - I'm going to do this - my colleague who gave the file away is very close to my manger!

ABajaninCork

In other words - send a blind copy to your home e-mail addy! I'd get delivered and read receipts too...

delthedriver

There is both a civil and criminal wrong involved here.


The remedies are a civil case and a criminal case against your Employer.


The sooner you talk to your Solicitor and the Gardaí the better.

GarIT

You really need to talk to the data protection commissioner and possibly the gardaí, what happened was illegal and you colleague and possibly manager will most likely get charged and possibly have to do community service or jail time for an issue like this.

The purpose of the data protection commissioner is specifically issues like this, they absolutely must be notified.

the_syco

Hannaho wrote: »

Thanks to you both for your replies. Yes, the file is back. Re reporting to HR - I'm going to do this - my colleague who gave the file away is very close to my manger!

Consider forwarding the email that you sent to your manager to HR, with a bit more info. This email trail will show HR that you had contacted your line manager when it happened.

Double check (if it's possible) that no files are missing. Query your HR by email about the legalities of an intern reading the sensitive files, and see what their response is. I say by email, so that they'll respond by email. Then forward said emails to your personal non-work email account for backup.

Gongoozler

I really can't see what HR have to do with anything here.

You do need to contact the DPC though, you should have done this the minute you knew it was missing. I don't know the size of your organisation but if your manager isn't taking this seriously you also need to inform someone above him. Do it all via email.

It sounds like a very relaxed organisation, especially towards data protection, which really needs to change. Your bosses need to concern themselves with this and set out rules and procedures regarding this, as it seems they have not already done so.

ABajaninCork

Gongoozler wrote: »

I really can't see what HR have to do with anything here.

You do need to contact the DPC though, you should have done this the minute you knew it was missing. I don't know the size of your organisation but if your manager isn't taking this seriously you also need to inform someone above him. Do it all via email.

It sounds like a very relaxed organisation, especially towards data protection, which really needs to change. Your bosses need to concern themselves with this and set out rules and procedures regarding this, as it seems they have not already done so.

The matter needs to be escalated to HR ASAP. If the OP goes to the Data Commissioner (as she must), then I would imagine they will need to be informed. If this goes to HR, then there'll be a trail showing what happened, when and what if any action was taken.

OP - I wouldn't speak to anyone any more about this. Put EVERYTHING in writing, and send blind copies to yourself at your home address. If you can, get delivered and read receipts for everything you send.

Gongoozler

ABajaninCork wrote: »

The matter needs to be escalated to HR ASAP. If the OP goes to the Data Commissioner (as she must), then I would imagine they will need to be informed. If this goes to HR, then there'll be a trail showing what happened, when and what if any action was taken.

OP - I wouldn't speak to anyone any more about this. Put EVERYTHING in writing, and send blind copies to yourself at your home address. If you can, get delivered and read receipts for everything you send.

I agree that it would be helpful to have a written trail of action taken etc, but again HR really have nothing to do with it.

Mrs OBumble

Gongoozler wrote: »

I really can't see what HR have to do with anything here.

You do need to contact the DPC though, you should have done this the minute you knew it was missing.

I'm not up on the latest whistleblower legislation.

But I strongly suspect that an employee should only be contacting outside organisations if their internal resolution processes aren't working. HR would be the logical next step internally.

Also, no data is missing, and no breach is known to have occurred. The file is not where it is supposed to be (ie on company premises), but its location is known, and you have no evidence that housemates etc have accessed it.



OP - you need an email trail of reporting your concerns. But you should also have a face-to-face discussion with HR as soon as possible too.

donegal11

To be honest if it was me I'd just tell the intern and co-worker not to do it again/contact manager. It's all very well saying contact the data commissioner etc but it'll be you that will be working with them again and If I was a manager I don't think I be happy with workers going on solo runs. You reported it to your manager and I'd leave it at that, honestly what do you want to happen? get your co-worker fired, hurray!

GarIT

donegal11 wrote: »

To be honest if it was me I'd just tell the intern and co-worker not to do it again/contact manager. It's all very well saying contact the data commissioner etc but it'll be you that will be working with them again and If I was a manager I don't think I be happy with workers going on solo runs. You reported it to your manager and I'd leave it at that, honestly what do you want to happen? get your co-worker fired, hurray!

The OP has a legal responsibility to contact the data protection commissioner. If the OP fails to report the incident the they could be charged with failing to ensure the security of the data especially as it would appear that the OP was responsible for this data. If the OP becomes aware of a data breach the OP is legally responsible for resolving the issue, if the data is still unsecured the issue hasn't been resolved.

If reported it is unlikely the manager will remain there. The company could easily be fined 50K for an incident like this. If the OP received any unfair treatment as a result of obeying the law they could sue. The co-worker doesn't deserve to be employed and possibly doesn't even deserve to be free to walk the streets. Too many people think data protection isn't important at all.

goldenhoarde

GarIT wrote: »

The OP has a legal responsibility to contact the data protection commissioner. If the OP fails to report the incident the they could be charged with failing to ensure the security of the data especially as it would appear that the OP was responsible for this data. If the OP becomes aware of a data breach the OP is legally responsible for resolving the issue, if the data is still unsecured the issue hasn't been resolved.

If reported it is unlikely the manager will remain there. The company could easily be fined 50K for an incident like this. If the OP received any unfair treatment as a result of obeying the law they could sue. The co-worker doesn't deserve to be employed and possibly doesn't even deserve to be free to walk the streets. Too many people think data protection isn't important at all.

hmmm as all parties work for the company i would say that there was no breech as the data was in the possession of a company employee (even if they were an intern!!!!) at all times.

with regards the work file has the OP brought it off site before. is there company policy saying it must be on the premises at all times? just seen the OP say that files are not supposed to be taken offsite so that makes a difference but i would say there are exceptions to that which the company might now use if the DPC gets involved

remember the lost laptops a few years ago issue was the security of the data and not the fact it was offsite

eviltwin

I'm disgusted at the attitude of your manager to this, not to mention your colleague and the intern. I also work in social care and information like that is on a need to know basis, we don't have access to files unless we are directly involved in the cases ourselves and no way are they ever allowed leave the office, they are kept under lock and key. If I took that kind of info home I would be told to pack my bags and go. Do go further with this, I remember your previous post about the comments made to you and I wouldn't let it drop.

GarIT

goldenhoarde wrote: »

hmmm as all parties work for the company i would say that there was no breech as the data was in the passion of a company employee at all time.

with regards the work file has the OP brought it off site before. is there company policy saying it must be on the premises at all times?

remember the lost laptops a few years ago issue was the security of the data and not the fact it was offsite

The law requires that only employees that require access to the data to use it for its intended purposes can do so. e.g. a production manager can't be looking up info on customers. Under no circumstances should an intern be able to view data marked as confidential in or out of the workplace.

There is a major difference here, you cannot compare digital records to paper ones, anyone can read paper records and they should never leave the office. The records being out of the office would mean they are not secure. It is illegal for an employee to view confidential data for any purposes other than to fulfil their job, an intern studying the data doesn't fall under this nor does any employee viewing the records outside of work.

If you read the thread you would see that the OP has not taken the file out of the workplace although they are allowed to make copies of the non confidential data.

GarIT

eviltwin wrote: »

we don't have access to files unless we are directly involved in the cases ourselves

I think it needs to be pointed out that this is not a company policy this is the law. Way too many people don't take this seriously enough.

Any document that contains even just the name or email address of a client must be kept confidential.

looksee

I don't know enough about data protection to comment on that, but the OP needs to defend himself by providing a 'papertrail' to someone higher in the organisation, HR is as good as any. It is not about getting anyone sacked, its about covering his back in a situation that was not of his making.

Hannaho

Hi! Thanks to all of you for your comments. I didn't know that so many people would think this is an important issue - it's reassuring!

The boss of my organisation who is a medical professional (not saying which one) as well as my line manager think that it's no big deal, and are blaming me for 'making' my colleague feel bad, and daring to forward my email over my manager's head to the ultimate boss of the organisation - I only did this as my line manager seemed to think there was no major issue here. They are going on about how I shouldn't have emailed my manager without telling my colleague - my colleague told me at five minutes to five that she had allowed someone to take the file home - I was so stunned I could hardly speak - yet she said I ranted at her. I had to ring another professional friend who works in a similar area to me for advice on the way home from work, as I was so consumed with worry about the breach of confidentiality. Yet my manager and line manager are just concerned with how my colleague felt - this was the same colleague one of you noted who made derogatory comments to me previously about being a single mother.

Because of the issue of the breach of confidentiality and their attitude to it, as well as all the negative comments about being a si
ngle parent, I am thinking about initiating the steps of the Dignity at Work Policy, but I know they will make my life hell if I do, and completely back up my colleague - so not sure if it's worth it.

Thanks again for all the comments/advice.

the_syco

Consider getting legal advice, to ensure your ass is covered in case they try to hang you with it at a later stage. Maybe not going all the way to the Data Commissioner, but the steps you took with someone else.

With your previous threads in mind, maybe consider moving to another company?

Hannaho

Hi! Syco, thanks for your reply. Yes, that is what they are trying to get me on. I forwarded the email to my manager, and then when I heard the co-worker deny what she had done, I forwarded it to his manager, stating that in no way had I given permission to anyone to take the file home. I though this was a reasonable action as I was so worried about the consequences of what happened. They couldn't get me on anything else as in fact the other worker did act in a discriminatory manner.

Mrs OBumble

OP - are you a health professional yourself? Could you get some support from your own professional body, perhaps?

NB I totally disagree with the poster above who says that an intern should never have access to confidential files, and that files can only be used in the office. Unless the poster knows your organisation, we here cannot say that much.

GarIT

Mrs OBumble wrote: »

OP - are you a health professional yourself? Could you get some support from your own professional body, perhaps?

NB I totally disagree with the poster above who says that an intern should never have access to confidential files, and that files can only be used in the office. Unless the poster knows your organisation, we here cannot say that much.

The law stated that any employee can only view collected data if it is necessary to carry out their job. Unless the intern actually needs it to do some work they can't look at it, they certainly can't use it for the purpose of studying.

Hannaho

Thanks for your replies. No, the intern is not allowed to use confidential information for study purposes. The rule is that resources, not confidential information, can be used for study purposes, that is, that they can be copied and taken home. However, confidential information is not supposed to be allowed out of our office. The other issue, apart from the confidentiality, is that the file was my personal file, with my personal resources - which seems to be a minor issue in all this. I would never give anyone else's personal file, marked with their name, for someone to take away from the office, whether it is intern, student etc.

?Cee?view

Mrs OBumble wrote: »

NB I totally disagree with the poster above who says that an intern should never have access to confidential files, and that files can only be used in the office. Unless the poster knows your organisation, we here cannot say that much.

Disagreeing or not is immaterial. It's a matter of law.

Personal Data can only be processed or controlled by one for whom access is required for the purpose for which the information is collected, and that does not include an intern in the vast majority of circumstances. Sensitive Personal Data (such as that which a social worker would control and/or process) is held to a higher standard. There is no way that an intern could be allowed to handle such data.

In this particular case, the intern has accessed data which they are not directly working on. The data are under the OP's control.

A breach of the data protection legislation has most definitely occurred here. A breach does not require someone to actually read or access the data. A breach occurs when the data is put at risk by being handled inappropriately and without due regard to its security.

Unfortunately medical and allied services have a very poor track record when it comes to Data Protection. One only needs to read the published findings to see this.

There's new enhanced European legislation coming on this, most likely next year, and the penalties are shooting up, which in my opinion is great news.

Someone above mentioned jail and huge fines over this incident. That's not going to happen.

Mrs OBumble

?Cee?view wrote: »

Personal Data can only be processed or controlled by one for whom access is required for the purpose for which the information is collected, and that does not include an intern in the vast majority of circumstances. Sensitive Personal Data (such as that which a social worker would control and/or process) is held to a higher standard. There is no way that an intern could be allowed to handle such data.

So how do trainee whatever's learn, if they're not allowed to look at real examples? What on earth is the purpose of an intership, if they cannot have access to clients / client data?

Just like insurance companeis, healthcare orgs that provide training almost always have "training and quality purposes" amongst the purposes for which data is provided to them. If a client wants to opt out of that, they have to opt out of the whole service.

BurnsCarpenter

OP - I would take everything you read hear with a grain of salt. Yes, you were treated badly and the company/colleague was 100% in the wrong but it seems like all the advice here is very gung ho. In reality you should consider your own circumstance as well i.e. are you planning to stay in this job long term, etc.

Hannaho

Yes, I am planning to stay in the company long-term, so there is no way I would go to the data commissioner - my profession is very small so there is no way I would do that and there is no way I would want to draw that sort of conflict on myself - but the whole think is part of a general bullying campaign.

ABajaninCork

I'd be getting my CV in order and looking to get out of Dodge, then.

Hannaho

Hi! Abajanin, I can't move really - for lots of different reasons - so I'll just have to tough out the bullying and get some support. I have decided to instigate the Dignity at Work Policy. I have also got an appointment with a psychologist who specialises in helping those who are being bullied at work, and I have an appointment with an employment law solicitor next week to discuss how I should/should not handle everything.

?Cee?view

Mrs OBumble wrote: »

So how do trainee whatever's learn, if they're not allowed to look at real examples? What on earth is the purpose of an intership, if they cannot have access to clients / client data?

They are allowed to look at examples, but "access" and "looking" must be controlled and appropriate. For instance, in a healthcare context, one would expect data to be anonymised when an intern is being allowed access. How that is done differs depending on the type of data. For instance, an Xray could be considered Sensitive Personal Data if when looking at it you can tell that it belongs to Joe Bloggs because (even though there's no name on it), Joe Bloggs was/is the only patient in a particular hospital with a rare lung disease which is obvious from looking at the Xray.

Personal Data must be handled and classified appropriately. Allowing an intern to take confidential Sensitive Personal Data off the premises could never be considered appropriate (as apparently occurred in this case). Allowing them to view anonymised sections of the data might be appropriate.

Mrs OBumble wrote: »

Just like insurance companeis, healthcare orgs that provide training almost always have "training and quality purposes" amongst the purposes for which data is provided to them. If a client wants to opt out of that, they have to opt out of the whole service.

The second sentence is simply not true. In addition, comparing healthcare orgs to insurance companies when it comes to Data Protection is not a valid comparison. Indeed insurance companies have run into difficulties with the data protection commissioner when they have attempted to gather information extraneous to their purpose, which information would be considered entirely routine in a healthcare context.

?Cee?view

Hannaho wrote: »

Hi! Abajanin, I can't move really - for lots of different reasons - so I'll just have to tough out the bullying and get some support. I have decided to instigate the Dignity at Work Policy. I have also got an appointment with a psychologist who specialises in helping those who are being bullied at work, and I have an appointment with an employment law solicitor next week to discuss how I should/should not handle everything.

While I'm sure both will give good advice, please be careful on how you act on it. Don't act in haste. If the employer becomes aware that a solicitor is acting for you matters can become more tense.

D3sperado

Some very shaky data protection claims being put forward in this thread. While this was a potentially serious breach of the data protection obligations, there is zero chance that the persons involved would face jail time or fines. Its unlikely even that an actual offence under the legislation has been committed that would give the data protection commissioner the power to bring a prosecution.

The obligations under the legislation fall on the data controller which I guess would be the company which employs the OP. What happened was a serious data security breach (as this includes loss of control of data even if only temporarily) that should be reported to the data protection commissioner (and the persons whose information was compromised) under its breach notification guidelines (I assume that the information contained medical information) within 48 hours of the breach occurring by the data controller. (http://www.dataprotection.ie/docs/Data_Security_Breach_Code_of_Practice/1082.htm). The obligations in this regard as well as the other data protection obligations are on the data controller and as such its not the OP's responsibility to report it to the data protection commissioner.

That said, this organisation appears to have an appalling disregard for people's personal information and I would love to see them getting audited by the data protection commissioner. OP - You could make a complaint yourself and given the serious nature of the breach it is likely that some form of enforcement action would be taken by the DPC. However, as I think you mentioned in one of your posts, it would be clear that you were the whistleblower and that could make your working life even more uncomfortable than it is at the moment. It depends how you want to deal with these people.

Is there a person in your organisation with responsibility for data protection or even for other regulatory type matters? If so I would report this to them and point out the requirements of the breach notification guidelines. Additionally, and as has been mentioned numerous times above, I would keep very detailed records of what happened, who you informed and when this occurred. A good idea is to write out a detailed summary and then e-mail this to yourself so that it has a time stamp on it. You never know when this type of leverage might be useful to you in the future in dealing with the sort of characters running this organisation. This will also be of interest if you decide to get in contact with a solicitor in respect of bullying etc., although make sure that your summaries don't contain anything that could identify the people whose information was put at risk.

Ray Palmer

I have to agree that people are making it out as every breach has swift and severe consequences. It doesn't happen like that. The OP should have let the process in place deal with it and after that point if they were unhappy raise the issue to a higher level.

I would consider their action over the top because they did not wait to see the outcome. It was a procedural mistake not an intended purpose to wholesale breach all personal data. A verbal warning and a repeating of policy would have sufficed.

I would see this as a personal dispute between two people that is dragging in others now as the OP already has issues with the person involved. I would expect the manager to be looking in that direction much more than the data issue.

The fact that something wrong was done starts pale when you look at the disruption and upset being caused by two people who obviously have an issue with each other

Barely There

The OP's Line Manager and Boss both feel the incident is no big deal, yet the thread is full of the usual Board's hysteria, suggesting everyone from the DPC to the Gardai be informed - maybe she should contact Interpol while she's at it eh?


I suspect there was nothing of importance in the folder and the OP has exaggerated it's contents because of a previous grievience against her colleague.

sopretty

"The file was a mix of resources for work, and confidential letters belonging to clients social care records that were to be filed the next day."

The above information is not information which should be randomly accessed and/or distributed willy-nilly to unqualified and unemployed interns. It drives me MENTAL that some people disregard the privacy and sensitivity of some information held in their possession.

Little Acorn

I definitely agree with keeping an electronic trail of emails of you reporting this event. I agree too with sending blind copies of these emails to yourself but would also suggest that you send the blind copy emails not only to your own work email but also to a private email of your own, just in case there is a way your work email account could be deleted. I don't even know if that's possible but just in case I'd also be sending and saving the blind copy emails to an email address that work didn't have. (as well as to my work email address). Probably being over the top paranoid here but that's what I would do myself.

Hannaho

Hi! Thanks to all of you again for your replies. If anything it's probably made me more conscientious about confidentiality going forward. I'm not going to go any further with the issue than my manager or his manager. Even if there wasn't anything confidential in the folder, I can't figure out why one employee would given another employee's personal folder with their personal resources to an intern to take home. For me this is completely off the wall!

Re. the other stuff - another issue has arisen since and I have had to provide a paper trail and a witness to counter what this person stated. It's so tiring!