My boss forwarded personal details to my colleagues

bobsman

Gwen Cooper wrote: »

Just one question - do the other people have access to his emails as well, since you mentioned that they're on the same level as you? Because in that case they would be able to read the email anyway.

They don't. I'm his assistant

Stanford

lawred2 wrote: »

I doubt GDPR covers a note about sick children.

Either way - I would expect that your boss was informing colleagues that you would be absent. Not the most appropriate way to do it but forwarding emails is fairly standard practice.

It's the response from your colleague I'd be taking exception to.

His boss could simply have e-mailed the relevant colleagues to say OP was absent, forwarding his e-mail which might have contained sensitive personal info is not reasonable

Sleeper12

Stanford wrote:

It doesn't matter who has access, it is the company's responsibility to ensure that private correspondence is protected from parties who don't need to see it

I'm sorry but you are mistaken there. Sharing information that someone already has on the same network is not a breach of the GDPR.

We still need op to tell us who has access to the emails. Otherwise no one should be giving advice here. Run to HR might be the worst thing in the world to do if there was no breach.

lawred2

Stanford wrote: »

His boss could simply have e-mailed the relevant colleagues to say OP was absent, forwarding his e-mail which might have contained sensitive personal info is not reasonable

I did say it wasn't the most appropriate but doesn't sound like there was much to it other than a snotty response from a peer.

Get Real

GDPR was brought in to clarify issues regarding the likes of information stored about you on websites, cookies, by businesses you deal with, which may have been sold to 3rd parties (marketing companies etc) without your express permission.

It also has many things which were already covered by the Data Protection Act, which was in place for years anyway. The publicizing and awareness of the amendments make everyone scream GDPR at the drop of a hat.

At worst, this is essentially water cooler talk. How many employment places up and down the country have heard "oh john/mary is off sick today/has a day off, he/she has x, y or z"

I think you may be peeved and rightly si, at whatever snarky response was recieved in relation to being off. But goodness knows, how many snarky comments are made about other peoples business in the workplace in a gossip scenario?

I wouldn't be relying on GDPR in this, but if you are, then don't you find it ironic that you have access to your bosses emails, and could potentially read something from someone containing data that doesn't involve you whatsoever?

If the GDPR route is gone down,then you have to practice what you preach, and no longer access your bosses emails. Ridiculous right? Exactly, it doesn't work in practice and has a hrey scope.

Gdpr wasn't brought in for this kind of thing. In that case I couldn't ring say a hotel and ask the receptionist what the managers name is.

Stanford

Sleeper12 wrote: »

I'm sorry but you are mistaken there. Sharing information that someone already has on the same network is not a breach of the GDPR.

We still need op to tell us who has access to the emails. Otherwise no one should be giving advice here. Run to HR might be the worst thing in the world to do if there was no breach.

Agree somewhat, however HR files on any network can have access restrictions in place to protect private data, the fact it was on a shared network is all the more reason why access needs to be restricted and the absence of such restriction is not a defence under GDPR.

OP you need to come clear, who else had access?

Stanford

Get Real wrote: »

GDPR was brought in to clarify issues regarding the likes of information stored about you on websites, cookies, by businesses you deal with, which may have been sold to 3rd parties (marketing companies etc) without your express permission.

It also has many things which were already covered by the Data Protection Act, which was in place for years anyway. The publicizing and awareness of the amendments make everyone scream GDPR at the drop of a hat.

At worst, this is essentially water cooler talk. How many employment places up and down the country have heard "oh john/mary is off sick today/has a day off, he/she has x, y or z"

I think you may be peeved and rightly si, at whatever snarky response was recieved in relation to being off. But goodness knows, how many snarky comments are made about other peoples business in the workplace in a gossip scenario?

I wouldn't be relying on GDPR in this, but if you are, then don't you find it ironic that you have access to your bosses emails, and could potentially read something from someone containing data that doesn't involve you whatsoever?

Valid points all, OP needs to clarify your last sentence, how does he deal with personal e-mails in his boss' absence?

bobsman

His immediate boss has access to his emails as do I. No one else.

Stanford

bobsman wrote: »

His immediate boss has access to his emails as do I. No one else.

So is there a procedure if you intercept e-mails concerning personal info in your boss's absence?

sexmag

bobsman wrote: »

They don't. I'm his assistant

There you go.

Your boss forward information meant for him only to other colleagues, not appropriate at all and a breach in my opinion

Sleeper12

Get Real wrote:

It also has many things which were already covered by the Data Protection Act, which was in place for years anyway. The publicizing and awareness of the amendments make everyone scream GDPR at the drop of a hat.

I've followed threads here from months before GDPR came into effect. One such thread was actually about how boards.ie would implement GDPR. I have found that 95 percent of posters on all of these threads have no grasp of what GDPR is, what it is supposed to do etc. It's not a one size fits all bat to beat someone with

I totally agree with your water cooler talk analogy.

Stanford

Stanford wrote: »

So is there a procedure if you intercept e-mails concerning personal info in your boss's absence?

OP could you answer this please

Stanford

Sleeper12 wrote: »

I've followed threads here from months before GDPR came into effect. One such thread was actually about how boards.ie would implement GDPR. I have found that 95 percent of posters on all of these threads have no grasp of what GDPR is, what it is supposed to do etc. It's not a one size fits all bat to beat someone with

I totally agree with your water cooler talk analogy.

The water cooler analogy is fine but GDPR is very clear on the holding and sharing of personal info and the responsibilities of those who has access to same

nikkibikki

Get Real wrote:

At worst, this is essentially water cooler talk. How many employment places up and down the country have heard "oh john/mary is off sick today/has a day off, he/she has x, y or z"

It would be up to John/Mary to tell people why they were absent, not their boss.

Mr. Incognito

https://www.itgovernance.eu/blog/en/the-gdpr-what-exactly-is-personal-data

Mailing that you are out sick is personal data. If this is not processed in accordance with the correct company policy, then yes. It is a breach of GDPR. A company could seek to rely on an exemption that it was required for legitimate processing but the unauthorised forwarding of personal data in this way is clearly a breach of GDPR. Someone's physical health and sick leave is medical information which clearly is sensitive data.

Secondly this person could, and should be sanctioned for it. It is not merely gossip. It is a form of incideous bullying and could form the basis of a complaint for activation of the grievence process.

The person's trust has clearly been affected. They should not have their sensitive personal issues circulated and ridiculed in such a way.

I'd open a complaint to HR

Stanford

nikkibikki wrote: »

It would be up to John/Mary to tell people why they were absent, not their boss.

We need to distinguish between office gossip and genuinely personal info provided to the boss in professional confidence

nikkibikki

Stanford wrote:

We need to distinguish between office gossip and genuinely personal info provided to the boss in professional confidence

It's clear that the reason anybody is absent is personal information. Even if it's a manager telling their team "John is not in today, he has a cold." Now John might have been coughing the day before and told his colleagues he's feeling rough from his cold. So they can surmise that it's the reason he is absent. All the manager should be telling the team is that John is absent and this is what I need you to do to cover his workload. That's my experience anyway.

Stanford

nikkibikki wrote: »

It's clear that the reason anybody is absent is personal information. Even if it's a manager telling their team "John is not in today, he has a cold." Now John might have been coughing the day before and told his colleagues he's feeling rough from his cold. So they can surmise that it's the reason he is absent. All the manager should be telling the team is that John is absent and this is what I need you to do to cover his workload. That's my experience anyway.

So you would agree that disclosing why "John" is absent is unnecessary information to disseminate amongst colleagues?

Gwen Cooper

Stanford wrote: »

So you would agree that disclosing why "John" is absent is unnecessary information to disseminate amongst colleagues?

It's definitely an unnecessary information. All the colleagues need to know is that John is not coming in today. It's up to John if he decides to share the reason with his colleagues when he comes back.

Stanford

Gwen Cooper wrote: »

It's definitely an unnecessary information. All the colleagues need to know is that John is not coming in today. It's up to John if he decides to share the reason with his colleagues when he comes back.

Agree entirely, so disclosing the personal reasons why he is out is a clear breach and simply forwarding his e-mail is outraegous

razorblunt

There's a few things confusing me here:

- Why did the boss fwd your mail? Was it simply to notify the others? Or was it a case of saying "look at the state of this"?
If it was the former then I'd have a word with him and tell him using fwd is not appropriate, if it was the latter I'd go to HR.
I definitely would go to HR anyway for the reply, speaking to them individually may lead to a "he said / she said" situation.

givyjoe

Stanford wrote: »

If your colleagues have no reporting relationship with you then your boss had no professional reason to e-mail them about your absence, it is a breach of GDPR imo as your boss failed to adequately protect your personal information and had no professional reason to share it with the others

It's not personal information unless the details of the illness/reasons for absence were disclosed.

Gwen Cooper

Stanford wrote: »

Agree entirely, so disclosing the personal reasons why he is out is a clear breach and simply forwarding his e-mail is outraegous

Exactly. Especially if we consider that OP was talking about their child in that email. Like I said in my first post, OP should take it to HR.

Not sure about Data Protection Commissioner - what would that achieve exactly? To clarify, I don't think that OP wouldn't have a case there and if they feel up to it, they can report it, just from my own point of view, would that accomplish anything apart from the company being fined?

nikkibikki

Stanford wrote:

So you would agree that disclosing why "John" is absent is unnecessary information to disseminate amongst colleagues?

Yes I certainly would. All colleagues need to know is that he is absent. That's how it's been done in my experience anyway. It's nobody else's business.

Sleeper12

givyjoe wrote:

It's not personal information unless the details of the illness/reasons for absence were disclosed.

This was the email explaining to OPs boss why they wanted the day off. OP has said that it had information about their child.

Stanford

Sleeper12 wrote: »

This was the email explaining to OPs boss why they wanted the day off. OP has said that it had information about their child.

Yes, OP said it contained sensitive information about his child

givyjoe

Sleeper12 wrote: »

This was the email explaining to OPs boss why they wanted the day off. OP has said that it had information about their child.

I see. Anywho, folks suggesting making a big deal about this are absolutely on another planet. Simply talk to the boss and say they saw the emails being forwarded and ask why it was done. No good reason, politely ask for it not to happen again should there be no appropriate reason. A little bit of common sense is needed here, going in guns blazing talking of gdpr etc will not end well for the op.

JDxtra

Probably should have just called in sick.

Or said nothing in the email. You sent the details, it's reasonable to expect they may be forwarded.

Move on and learn from it, don't even raise it as an issue.

Stanford

OP said the e-mail contained sensitive information about his child

""Regarding an issue with one of my children who is ill""

professore

I think some people are in strong denial about GDPR.

Firstly the boss needed a GOOD BUSINESS REASON to share with colleagues why the OP was out. I don't see that here. He could have informed them that the OP was off sick. That was enough for them to work around any absence and plan accordingly. Absolutely zero need to share the reason behind it.
Strike 1.

Secondly, the OP was out because of a health issue of their child. There is a whole section on the protection of children's information and also on medical records, both of which meet an even higher standard than personal information such as name, date of birth etc of adults. Strike 2.

By the way I don't see this as some endorsement of the GDPR. The GDPR is a legal nightmare and a huge liability for business.

I've discussed with Germans about GDPR and they are taking it to the nth degree over there, even to the extent of blocking internet access for their employees.