PanicStation.org

What to do if… you realise you sent confidential information to the wrong recipient at work

Short answer

Act immediately to contain it (recall/revoke access where possible) and report it to your organisation’s data protection / security contact so it can be assessed and recorded without delay.

Do not do these things

  • Don’t try to “fix it quietly” by deleting your sent email or keeping it off the record.
  • Don’t send more sensitive detail while explaining (e.g., repeating the confidential content in follow-up emails).
  • Don’t blame the recipient or threaten them; keep contact brief and practical.
  • Don’t assume it’s “not a breach” just because it was a mistake or “only one person”.
  • Don’t rush to contact the ICO yourself unless you’re the designated person in your organisation’s process.

What to do now

  1. Pause and capture the essentials (60 seconds). Note exactly what was sent, when, to whom, and by what method (email body, attachment, link, shared drive permissions).
  2. Contain access immediately (use every “stop” lever you have).
    • If your email system supports it, try to recall/withdraw the message (or “undo send”).
    • If you sent a link (SharePoint/OneDrive/Drive/portal), disable the link, restrict permissions, or remove the recipient’s access.
    • If it was sent through a ticketing/HR system, contact the system admin urgently to restrict or remove access.
  3. Contact the recipient quickly and neutrally. Ask them to:
    • Not open the content (if they haven’t),
    • Delete it (including from deleted items),
    • Confirm in writing that they have deleted it and not shared it.
  4. Report it internally right away as a data protection/security incident. Follow your organisation’s process (often: line manager + IT/security + Data Protection Officer (DPO) / privacy team). If you’re unsure, report to IT/security and your manager and state: “possible personal data breach – misdirected email”.
  5. Preserve what your incident team will need (without spreading it).
    • Keep the sent message details (recipient address, time sent, subject, attachment name, link URL/permission settings).
    • Don’t forward the original message or attachment around the workplace “for awareness” unless your incident process tells you to.
  6. Start an incident log while it’s fresh. Record:
    • What data was involved (names, addresses, NI numbers, bank details, health info, salaries, client data, etc.),
    • How many people are affected (even a rough estimate),
    • Whether the file was password-protected/encrypted,
    • What containment actions you’ve already taken,
    • Any confirmation from the recipient.
  7. Help your DPO/security team assess risk (quickly, not perfectly). Be ready to answer:
    • Is the recipient internal/external? Known/unknown? In a role that should not receive it?
    • Could the data cause harm if misused (identity fraud, discrimination, financial loss, distress)?
    • Was it sent to a generic mailbox (e.g., info@…) or a named person?
  8. Expect your organisation to decide on notifications and recording.
    • If it’s a notifiable personal data breach, organisations generally must notify the ICO without undue delay and within 72 hours of becoming aware; if later, they should explain why.
    • Even if it isn’t notifiable, it should still be recorded internally with the facts and outcome.
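As an added illustration (not part of the PanicStation guide and not any organisation's tooling), the following Python turns steps 1, 6, 7 and 8 above into a structured record: it captures the facts the incident team needs without copying any of the disclosed content into the log, gives a rough risk rating from the step 7 questions, and computes the 72-hour ICO window from the moment you became aware. The risk scoring is a constructed heuristic to organise the conversation with your DPO, not a legal test; the sample incident, addresses and values are invented.

```python
"""Structured record for a misdirected-email incident (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Data categories that raise the potential for harm if misused (constructed list,
# mirroring the examples given in the incident-log step).
HIGH_HARM_CATEGORIES = {"ni_number", "bank_details", "health", "salary"}

# UK GDPR: notify the ICO without undue delay and within 72 hours of becoming aware.
ICO_NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class MisdirectedEmailIncident:
    sent_at: datetime                      # when the message left
    aware_at: datetime                     # when you realised; starts the 72h clock
    recipient: str                         # address it went to (never the content)
    recipient_is_external: bool
    recipient_is_known: bool               # a named person you can contact vs. unknown
    generic_mailbox: bool                  # e.g. info@ rather than a named person
    data_categories: set = field(default_factory=set)
    people_affected: int = 0
    encrypted_or_password_protected: bool = False
    containment_actions: list = field(default_factory=list)
    recipient_confirmed_deletion: bool = False


def ico_deadline(incident):
    """Latest time the organisation should have notified the ICO, if the breach is notifiable."""
    return incident.aware_at + ICO_NOTIFICATION_WINDOW


def triage(incident):
    """Rough rating to hand to the DPO/security team: 'low', 'medium' or 'high'.

    Constructed heuristic weighing the step 7 questions: who received it, could the
    data cause harm, was it protected, and has deletion been confirmed.
    """
    score = 0
    if incident.data_categories & HIGH_HARM_CATEGORIES:
        score += 2
    if incident.people_affected > 10:
        score += 1
    if incident.recipient_is_external:
        score += 1
    if not incident.recipient_is_known or incident.generic_mailbox:
        score += 1
    if not incident.encrypted_or_password_protected:
        score += 1
    if incident.recipient_confirmed_deletion:
        score -= 2
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def incident_log(incident):
    """Plain-text log entry with the facts only; the disclosed data itself is never recorded."""
    lines = [
        f"sent_at: {incident.sent_at.isoformat()}",
        f"aware_at: {incident.aware_at.isoformat()}",
        f"recipient: {incident.recipient} "
        f"(external={incident.recipient_is_external}, known={incident.recipient_is_known})",
        f"data_categories: {sorted(incident.data_categories)}",
        f"people_affected: {incident.people_affected}",
        f"protected: {incident.encrypted_or_password_protected}",
        f"containment: {'; '.join(incident.containment_actions) or 'none yet'}",
        f"recipient_confirmed_deletion: {incident.recipient_confirmed_deletion}",
        f"risk_triage: {triage(incident)}",
        f"ico_deadline_if_notifiable: {ico_deadline(incident).isoformat()}",
    ]
    return "\n".join(lines)


# Constructed sample: a payroll spreadsheet emailed to an unknown external generic mailbox.
SAMPLE = MisdirectedEmailIncident(
    sent_at=datetime(2024, 3, 4, 9, 12, tzinfo=timezone.utc),
    aware_at=datetime(2024, 3, 4, 9, 20, tzinfo=timezone.utc),
    recipient="accounts@example.com",
    recipient_is_external=True,
    recipient_is_known=False,
    generic_mailbox=True,
    data_categories={"names", "salary", "bank_details"},
    people_affected=42,
    encrypted_or_password_protected=False,
    containment_actions=["attempted recall", "asked recipient to delete"],
)

if __name__ == "__main__":
    print(incident_log(SAMPLE))
```

The point of keeping the log to metadata (recipient, time, categories, counts, actions taken) is step 5: the record your incident team needs must not itself become another copy of the confidential content.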

What can wait

  • Writing a perfect explanation or apology. (Containment and reporting come first.)
  • Debating “whose fault it was” or whether disciplinary action might happen.
  • Deciding whether it is reportable to the ICO yourself—your DPO/privacy team should assess this.
  • Longer-term fixes (training, process changes, technical controls).

Important reassurance

This is a common human-error incident, and the most important thing is that you noticed and acted quickly. Early containment and prompt internal reporting usually make a big difference to limiting harm.

Scope note

These are first steps to stabilise the situation and prevent irreversible mistakes. Next steps (notification decisions, communications, remediation) are usually handled with your DPO/privacy team, IT/security, and management.

Important note

This guide is general information, not legal advice. Follow your employer’s incident reporting policy and any instructions from your DPO/privacy team or IT/security, especially where regulated data or contractual confidentiality obligations apply.
