CEA was aware it was shared with people outside of HR by Riley, even if they themselves did not share it outside HR.
And it seems then like any confidentiality obligation on HR is expunged, given that this Riley shared the document themselves. Or at the very least there’s no case for them failing to act because of the need to keep the document/its author confidential, as they had already shared it widely.
Yeah so I think they still have strong HR confidentiality obligations regardless of which staff Riley personally shares the document with, but I think at that point it is no longer strictly a “confidential HR complaint” and calling it such is an obfuscation on CEA’s part. Riley’s conduct also immediately triggers obligations to me under both GDPR and the Worker Protection Act. So I think it basically separates into two distinct issues: Riley’s complaint, whatever it was, and then his conduct within the document itself towards me (harassment). I think CEA should basically have treated these as almost independent events, even though they exist within one document.
If Riley had truly only shared it with HR, I think that’s probably still bad but it’s also completely manageable. The flow could be something like: one person, HR, receives document → identifies potential harassment and GDPR violation → sends back something like, “do not share this document further, I intend to quarantine it. Please rewrite your document to exclude any personal information about other employees. We will now need to treat this as two separate issues. First, the complaint you’re disclosing, which is your right to do and which we take seriously. Second, the additional conduct in the document, as it pertains to other employees, which we will need to address separately as it does not constitute a complaint.”
At the point it’s shared outside HR, the whole thing changes and I felt like I couldn’t seem to get that message across internally, even though it feels so obvious to me. Not to mention that the CEO is, well, the CEO. Everyone is in their direct reporting line. I was at the same reporting level to the CEO as Riley, and he had now read explicit sexual content about me without my consent or knowledge. That just seems so obviously indefensible and bad that I sometimes feel like I’m losing it.
You’re not losing it: it is obviously indefensible. I think you’ve provided more than enough information to make this clear, and anybody who doesn’t get it at this point is probably not worth your time engaging with.
You can ask the following question to any chatbot and you will get the same answer:
I work in HR. Employee A has sent me a long complaint about the conduct of another employee B. However, inside the complaint, employee A has included a detailed description of the sexual activities of a different employee C, which is unrelated to the company. What should I do?
I tested this on Chatgpt, Claude, Gemini, and Grok, and every single one urged me to separate the complaint from the sexual content and redact the sensitive information. And this is a much tamer situation than the one that actually happened!
They could have literally just asked a chatbot what to do, and it would have done a better job than their professional HR department.
One thing it might be useful for people to look at here when reflecting on the causes of the failure was how much experience the HR team had of working outside of EA organizations. If the answer is “very little” then maybe bringing in more experienced non-EA pros would help, but if the answer is “a decent amount” it’s less likely that will prevent future errors on its own.
CEA was aware it was shared with people outside of HR by Riley, even if they themselves did not share it outside HR.
“If the description is accurate.” The document is unequivocally harassment, as determined by two independent investigators. This is not disputable.
And it seems then like any confidentiality obligation on HR is expunged, given that this Riley shared the document themselves. Or at the very least there’s no case for them failing to act because of the need to keep the document/its author confidential, as they had already shared it widely.
Yeah so I think they still have strong HR confidentiality obligations regardless of which staff Riley personally shares the document with, but I think at that point it is no longer strictly a “confidential HR complaint” and calling it such is an obfuscation on CEA’s part. Riley’s conduct also immediately triggers obligations to me under both GDPR and the Worker Protection Act. So I think it basically separates into two distinct issues: Riley’s complaint, whatever it was, and then his conduct within the document itself towards me (harassment). I think CEA should basically have treated these as almost independent events, even though they exist within one document.
If Riley had truly only shared it with HR, I think that’s probably still bad but it’s also completely manageable. The flow could be something like: one person, HR, receives document → identifies potential harassment and GDPR violation → sends back something like, “do not share this document further, I intend to quarantine it. Please rewrite your document to exclude any personal information about other employees. We will now need to treat this as two separate issues. First, the complaint you’re disclosing, which is your right to do and which we take seriously. Second, the additional conduct in the document, as it pertains to other employees, which we will need to address separately as it does not constitute a complaint.”
At the point it’s shared outside HR, the whole thing changes and I felt like I couldn’t seem to get that message across internally, even though it feels so obvious to me. Not to mention that the CEO is, well, the CEO. Everyone is in their direct reporting line. I was at the same reporting level to the CEO as Riley, and he had now read explicit sexual content about me without my consent or knowledge. That just seems so obviously indefensible and bad that I sometimes feel like I’m losing it.
You’re not losing it: it is obviously indefensible. I think you’ve provided more than enough information to make this clear, and anybody who doesn’t get it at this point is probably not worth your time engaging with.
You can ask the following question to any chatbot and you will get the same answer:
I tested this on Chatgpt, Claude, Gemini, and Grok, and every single one urged me to separate the complaint from the sexual content and redact the sensitive information. And this is a much tamer situation than the one that actually happened!
They could have literally just asked a chatbot what to do, and it would have done a better job than their professional HR department.
One thing it might be useful for people to look at here when reflecting on the causes of the failure was how much experience the HR team had of working outside of EA organizations. If the answer is “very little” then maybe bringing in more experienced non-EA pros would help, but if the answer is “a decent amount” it’s less likely that will prevent future errors on its own.