I asked a member of my voluntary organisation to email me her complaint about the conduct of other members of the organisation. She then sent me a file which contained potentially libellous allegations against a non-member. I forwarded the file to an another officer to be considered. In the meantime, the complainant has circulated that file without authorisation to other members of our organisation. Is the organisation or myself in breach of GDPR security, although I have only circulated the file to one other officer, whose advice was that we are not competent to consider the case of the person named in the file in connection with criminal misconduct (without any supportive evidence). Or is it only the complainant who may be guilty of a breach, for circulating her own personal and original copy of the file to others?