What to do if…
you learn your personal contact details have been shared internally at work without your consent
Short answer
Ask your employer to stop any further sharing immediately and to remove or restrict access to your personal contact details to “need-to-know” only, in writing.
Do not do these things
- Do not confront individuals in a heated way or send an angry all-staff message (it can escalate and create more copies of your details).
- Do not delete emails, chats, or screenshots that show what happened (you may need them to explain the issue clearly).
- Do not assume it was “allowed” just because it was internal (internal sharing can still be inappropriate and may breach workplace policy or data protection rules).
- Do not share extra personal details to “explain” the problem (keep communications minimal and factual).
- If you feel unsafe, do not keep attending usual routines without telling someone at work (you can ask for practical safety adjustments).
What to do now
- Get to a calmer, safer pause and write down the basics. Note what details were shared (mobile, home address, personal email), how you found out, when, and to whom (team, whole company, named people). Save the evidence (email, Teams/Slack post, HR system screenshot).
- Send a “stop and contain” message to the right person today. Email your line manager and HR (and your Data Protection Officer/data protection contact if your workplace has one) asking them to:
  - confirm exactly what was shared and who could access it,
  - stop further distribution,
  - remove/recall the message where possible and delete unnecessary copies,
  - restrict access going forward (need-to-know only), and
  - tell you what immediate safeguards they’re putting in place.
- Ask them to log it as a personal data incident and assess risk. Use plain language: you want it treated as a personal data incident/breach, investigated, and contained. If you are being contacted because of it (calls, texts, visits), say so clearly.
- If there’s any safety risk, request immediate workplace adjustments. Examples (choose what fits):
  - remove your personal number/address from internal directories and staff lists,
  - replace with a work extension/work email only,
  - add a note that your personal details must not be shared,
  - change rota/location visibility if needed,
  - ask for reception/security to be briefed if you’re worried about someone turning up.
- Make a clear, limited “what I need” list. For example: (a) confirmation of who could see it, (b) confirmation it’s been removed where possible, (c) what remains stored and why, (d) what new access limits are in place, (e) who to contact if it happens again.
- Use a subject access request (SAR) if you need a clearer map of where your details sit. You can ask for a copy of the personal data they hold about you, and for supporting information about how it’s used. In this situation, that can include where your contact details are stored (systems, directories, spreadsheets) and information about disclosures (often as recipients or categories of recipients). Some details may be limited where other people’s data is involved, so keep the request focused and specific.
- If your employer won’t act, escalate through the grievance route (in writing). Keep it factual: what happened, the impact (including safety impact), what you asked for, and what response you received. Ask for a written outcome and practical remedies (restriction, deletion where possible, process changes, and reassurance about retaliation).
- If you have a grievance meeting, ask to be accompanied if you want support. Where the right applies, you can bring a companion (for example a colleague or trade union representative). Even where it’s not strictly required, many employers will allow it as good practice.
What can wait
- You do not need to decide today whether to resign, threaten legal action, or “go public”.
- You do not need to argue about whether it was malicious or accidental right now—focus first on containment and safety.
- You do not need to collect lots of opinions from colleagues; keep your circle small and communications controlled.
- If you later want to complain to the regulator, that can wait until you’ve raised it with your employer and you have the key facts in writing.
Important reassurance
It’s normal to feel exposed, angry, or unsafe when your personal contact details spread at work. You are not overreacting by asking for containment, access limits, and a clear written explanation.
Scope note
These are first steps to reduce harm and stop further spread. Later steps may involve formal processes (grievance, data protection complaint) or specialist advice depending on the impact and what data was shared.
Important note
This is general information, not legal advice. Workplace processes and what’s appropriate can vary by role and sector. If you feel at immediate risk of harm, prioritise personal safety and contact emergency services.
Additional Resources
- https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/
- https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/
- https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/subject-access-request-q-and-as-for-employers/
- https://ico.org.uk/make-a-complaint/data-protection-complaints/
- https://www.acas.org.uk/how-to-raise-a-problem-at-work
- https://www.acas.org.uk/grievance-procedure-step-by-step/step-4-the-grievance-meeting
- https://www.gov.uk/raise-grievance-at-work/grievance-procedure