
Breach of personal data


  • Breach of personal data

    At work, someone who sends out emails in management managed to not BCC but CC over 100 people. This revealed everyone's private email addresses to everyone else (incidentally, they are supposed to send messages to your work email and not to private email addresses anyway).

    Is this a breach of personal data protection? And should they not refer themselves to the data commissioner?

    I brought this up and was answered in the negative to both questions. Is this right?


  • #2
    Hello

    It is possible that what you've described is a breach of data protection. Under the GDPR there are a number of principles that your employer must comply with in relation to processing of your personal data. Some of those principles require your employer to:

    1. Collect or process your data for the purpose in which it was agreed or specified and they should not process your personal data that is inconsistent with the specified or agreed purpose.

    2. Your personal data should be processed that ensures an appropriate level of security which would include protecting against any unauthorised or unlawful processing of data (this would include accidental disclosure or loss) by using technical or organisational measures.

    Dealing with your first question, your personal email address is considered to be personal data but there won't be a breach unless it has been processed in a way that you have not agreed. Ordinarily, you would supply HR with a personal email address for contact purposes such as if you are on sick leave or if HR need to contact you regarding your employment contract or for disciplinary reasons.

    If the manager had used your personal email address that fell outside the purpose for which it was intended to be used then that would likely be a breach of data protection. What has perhaps aggravated matters is that the person did not BCC everyone so that all those part of the email chain have access to other employees' personal email. Even if the use of the personal email wasn't a breach then the fact that all personal emails were exposed could amount to a data breach - see my second point above about the use of technical or organisational measures, the manager should have used measures to protect the identity of employees' personal email i.e. by using the BCC feature.

    From the sound of things, this person has sent a generic work-related email so I would agree with you that in the first instance, your work email should have been used, assuming you didn't consent for your employer to contact you by using your personal email address for work-related purposes.

    As to the second question of whether or not it should have been reported to the ICO, that will depend on the nature of the email. You need to understand that not all data breaches are reportable to the ICO, but you have to ask yourself this question:

    Is the breach severe enough to result in physical, material or non-material damage such as loss of control over your personal data or limitation of your rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage?

    It is not always easy to determine whether or not a breach should be reported and in your current situation, I am not sure I would report it. Yes, the manager has disclosed everyone's personal email address but the personal data is limited to that, and I don't think that would be severe enough to cause you any physical, material or non-material damage unless there are some underlying circumstances that you've not told us about.

    That said, you do have the right to lodge a complaint to the ICO who must investigate but before you do, you may want to consider your position particularly if you have only worked within the business for a short period of time, also your work life could potentially be made difficult by your employers or particular persons such as the manager who disclosed the information. Just have a good think about it and maybe an informal chat to someone senior in the first instance might suffice, but it all depends on what resolution you are seeking.

    Can I ask, when you raised the issue, who did you raise it to and did they give any reason why they thought it was not a data breach?
    If you have a question about the voluntary termination process, please read this guide first, as it should have all the answers you need. Please do not hijack another person's thread as I will not respond to you
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    LEGAL DISCLAIMER
    Please be aware that this is a public forum and is therefore accessible to anyone. The content I post on this forum is not intended to be legal advice nor does it establish any client-lawyer type relationship between you and me. Therefore any use of my content is at your own risk and I cannot be held responsible in any way. It is always recommended that you seek independent legal advice.
