Had an email today providing an inappropriate amount of detail on a colleagues recovery from cancer. It probably went to about 500 people; very few would even know the person. In 2 minds about whether to complain about it or just ignore – I’ve no idea if affected person consented to it.

Would you be comfortable to have your medical info shared with your colleagues?

Strange its gone to 500 people – wouldn’t GDPR prevent the sharing of private information, unless of course consented?

I myself wouldn’t want private medical information shared, except to maybe the boss, line manager and occupational health

Complain and report it…that isn’t right on any level.

I guess the question needs to be addressed to the affected person, if they consented then I don’t know on what grounds you could complain.

Would you be comfortable to have your medical info shared with your colleagues?

With my consent, yes. In fact that very thing happened last year. Without my consent not so much, is that even legal?

Would you be comfortable to have your medical info shared with your colleagues?

If it saved me being asked, 500 times, how I was, do I need help, I’m so brave etc. by people I don’t even know then frankly I’d even send videos of the surgery and details of my recovery coitus sessions. But thats just me I suppose.

You need to provide more info OP.

And find out if it was with consent.

Perhaps the person involved does consent to the sharing of the info ?
Obviously you’re not going to share the level of info revealed to us, so it is hard to make a judgement, but asking if the subject was OK with the info being shared would be better than starting with a complaint.

Yeah won’t go into great detail but for me, acceptable might have been along the lines of

“xxx is recovering well but still has a bit of a journey ahead of them”

rather than

“xxx has a nasty infection caused by surgery. 10 rounds of chemo to go. Mentally finding life quite tough at the moment…”

level of detail

Maybe I’m being a snowflake, but to me it feels like a line has been crossed.

Would you be comfortable to have your medical info shared with your colleagues?

Without consent, definitely No.
With consent, only those people that need to know.

Fine if they’ve consented.

Five-six figure fine from ICO if they haven’t.

Possibly.

Without consent, definitely No.
With consent, only those people that need to know.

Thoroughly agree. In my workplace it would be a complete no and a major disciplinary offence, but that’s because a chunk of the workforce would probably be involved in the patient’s care.

In a none healthcare workplace, whether the information was circulated on a work email system or a work based social media group, to my mind it is still a concern. If it was being circulated on the patient’s behalf then that should have been made clear and if the detail involved was in any way excessive the person passing the information around could/should have been querying the level of detail even if that was what the patient had asked then to circulate.

I suspect if it has circulated to as many people as you suggest then you won’t be the only person expressing concerns and somebody needs to establish whether this was with consent, well meaning but by the sound of it inappropriately detailed or rather more serious than that. Either way, there needs to be clarity in the future as to what is acceptable and also appropriate support for the person whose information was circulated.

If they asked for the info to be shared, it’s a good thing. If not, a very bad thing.

I had some recent medical issues and I talked about it as widely as possible and posted the tale on our team chat site – it helped me deal with it and saved telling the same story many, many times.

You need to provide more info OP.

yes copy and paste the email into the thread so we can all have a look

I was hoping for details about someone having their testicles removed because of a broken coffee table.

As others have said, the crucial determinant of acceptability is almost certainly* consent and if it is there then no problem, if not: problem.

I’m not sure what grounds you would have to make a complaint however, since you are not the person potentially negatively impacted by the inappropriate disclosure (unless you are claiming mental distress maybe, if the details are particularly unpleasant, gruesome or upsetting). If you’re concerned and you have direct contact, maybe make sure the individual is aware of it, and from there it’s up to them to complain if they think it’s appropriate.

FWIW I’ve received such emails about a former colleague and it was with their explicit consent – in fact they had provided the detail of the update themselves and asked that we “let everyone know” so it’s not a preposterous scenario by any means.

*There could conceivably be other lawful bases, e.g. if the message includes “and Bob has now been confirmed as having Coronavirus so anyone who’s been in a room with him in the last fortnight needs to…” but it sounds like, from the details provided, consent is the only likely one here.

OP – I’m assuming you had a need to be informed about your colleague’s medical condition?

I doubt very much that 500 people had a requirement to be told about it. Sounds a bit dodgy, think I’d be inclined to do some more digging.

The responsible thing to do (from both the company and the individual concerned POV) is to contact the sender directly, asking for confirmation that they obtained permission (ideally a prior read through and acceptance email?) from the ‘subject’ before sending the email to the 500 recipients.
Note that if they didn’t obtain any permission there may be a GDPR issue.

But you should highlight your concerns, most people have had GDPR stuff drilled into them over the last year but you shouldn’t assume everyone took it on-board…

If they’d started the email:

“Bob’s asked us to pass on some details of his illness and treatment as he’d prefer not to discuss it in detail with everyone on his return…”

and all this could have been avoided.

As has been pointed out it all comes down to consent

That said, not entirely sure why you would feel you need to get involved either way. As long as the person involved is aware of the mail then if they have an issue then im sure they would be first to bring it up.

That definitely sounds questionable to me – but perhaps the person has asked that all their colleagues are told – save them the trouble. But worth raising the point with whoever sent it.

Most data breaches are human error – according to recent ICO report. Problems with the biological interface rather than systemic.

not entirely sure why you would feel you need to get involved either way.

Putting myself in the OP’s shoes and thinking from a purely ‘selfish’ point of view if a company I worked for (or one of their employees) don’t manage a colleagues information properly, I’d be worried about how they might manage my own personal data…

From a company/organisational reputation and legal standing point of view is it going to inspire confidence in your customers, and/or is it going to cost the organisation money if you can’t even get these (quite basic) aspects of GDPR compliance right?

Find out who the Data protection officer is for your company and ask them if they are aware. Do not forward it to ANYONE not even the DPO when you notify them.

I wouldn’t say anything officially as it could end up with the sender loosing their job.

If it is something that you feel you need to act on, then speaking to the sender in person is probably the best. It would give them the opportunity to hand themselves in, so to speak.

though if it went to 500 folk, then the chances are it was seen by someone whose job it is to deal with these sorts of things.

I wouldn’t say anything officially as it could end up with the sender loosing their job.

And if they thought it was a good idea to send emails like this without a good reason – surely that may not be a bad thing?

Of course, the most logical reason for the email, in fact the only rational reason I can imagine anyone sending such an email is because the subject of the email asked them to do so. Otherwise you need to not only be aware of GDPR and a long standing general expectation that medical information is confidential but also be a totally insensitive ****

the only rational reason I can imagine anyone sending such an email is because the subject of the email asked them to do so.

Agreed.

And the OP’s lack of clarity on the subject suggest’s he doesn’t have a close relationship with the subject, or he’d know if permission was given.

Feels a bit like moral rubbernecking to me.

Definitely not right (assuming no permission given) I can’t imagine a scenario where 500 people NEED to know

I don’t even know 500 people, who does, really

If I didn’t know the person I think I’d have read it then deleted it and then minded my own business, why people feel the need to get involved and overthink everything is beyond me.

https://xkcd.com/386/

surely that may not be a bad thing?

It would be if the job is the family’s only means of income and being sacked for gross misconduct means the sender can’t find employment elsewhere and the family is plunged into poverty.