Each of the ‘Privacy Fails’ we discuss in this series of short articles is real. They are based on things we have seen at The Privacy Compliance Hub. They are based on reports from regulators of the complaints they have received; the data breaches reported to them; and the fines and other enforcement actions they have levied. These things do happen. A lot. Don’t let them happen to you. Don’t be a numpty.
The privacy fail
The most common data breach of this sort is sending an email to a long list of recipients (for example customers). The email addresses constitute personal data. And you have just disclosed (or processed) that personal data without any legal basis (such as consent) for doing so. The person who makes the error realises that instead of copying and pasting all the email addresses into the ‘Send to’ box, they should have put them in the ‘bcc’ box. They immediately get that sinking feeling when the first complaint is received by way of reply from one of the disgruntled recipients.
Other examples include sending letters (or emails) containing personal data to the wrong address. The Irish regulator (the DPC) even includes sending faxes (remember those?) to the wrong fax number in the same category.
A privacy statistic
A whopping 83% of data breaches in Ireland in 2019 were caused by unauthorised disclosure of personal data such as this. In the UK, two of the top five data breach categories fall under this heading. The first, personal data posted or faxed to the wrong recipient, amounted to 10.2% of all data breaches in Q3 of 2019/20. This was closely followed by personal data emailed to the wrong recipient at 9.6%.
Real life example(s) with real life consequences
In 2016, an NHS Trust was fined £180,000 after a sexual health centre mistakenly disclosed the details of nearly 800 patients. In 2019 a London gender identity clinic mistakenly disclosed the email addresses of almost 2000 patients. Both cases involved the failure to use the bcc function.
In 2018, the UK government was forced to settle a claim made by an asylum seeker when their details were disclosed to their Middle East country of origin, thereby allegedly endangering their life and the lives of their family members.
How to avoid this privacy fail
Train your staff. Make them understand how easy it is to make such a mistake. Make them care by explaining the possible consequences of getting things wrong. And make them do what you train them to do. This is all part of creating a culture of continuous privacy compliance.
Some email software allows you to ‘Undo send’. For example, if you go to ‘Settings’ in Gmail, you can go to ‘Undo send’ and set a maximum time of 30 seconds in which to unsend an email. This may be all the time you need, given that in our experience you realise your mistake immediately after you have hit the send button! In Outlook you can set a rule to delay all outgoing email for longer than the 30-second maximum that Gmail gives you.
Be really, really, really careful with ‘copy and paste’. I know, easier said than done. But if you do train your staff and remind your staff to be careful, then it may just save you from having to report your organisation’s breach to the regulator.
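Training and undo-send buttons help, but a simple outbound check catches the bcc mistake before the message leaves. The script below is an added example, not The Privacy Compliance Hub’s own tooling: it parses a constructed sample email, flags any message that exposes more than an assumed threshold of addresses in To/Cc, and rewrites those recipients into Bcc so that only the sender remains visible.

```python
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

# Assumed threshold: more visible recipients than this looks like a mass mailing.
BULK_THRESHOLD = 5

# Constructed sample message: six customers pasted into the To box.
SAMPLE = b"""From: newsletter@example.com
To: alice@example.com, bob@example.com, carol@example.com,
 dave@example.com, erin@example.com, frank@example.com
Subject: Clinic newsletter

Hello all,
"""


def parse_sample():
    return BytesParser(policy=policy.default).parsebytes(SAMPLE)


def visible_recipients(msg):
    """Addresses in To and Cc, which every recipient gets to see."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def bcc_recipients(msg):
    """Addresses in Bcc, which the mail server strips before delivery."""
    return [addr for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]


def check_disclosure(msg, threshold=BULK_THRESHOLD):
    """Return (ok, reason); not ok when a bulk mailing exposes addresses."""
    visible = visible_recipients(msg)
    if len(visible) > threshold:
        return False, f"{len(visible)} addresses visible in To/Cc; use Bcc"
    return True, "ok"


def move_to_bcc(msg, sender):
    """Move every To/Cc address into Bcc; the sender becomes the only visible To."""
    hidden = visible_recipients(msg) + bcc_recipients(msg)
    del msg["To"]
    del msg["Cc"]
    del msg["Bcc"]
    msg["To"] = sender
    msg["Bcc"] = ", ".join(hidden)
    return msg


if __name__ == "__main__":
    message = parse_sample()
    print(check_disclosure(message))
    fixed = move_to_bcc(message, "newsletter@example.com")
    print(check_disclosure(fixed), bcc_recipients(fixed))
```

A real deployment would run the same check as a mail-client plugin or a transport rule on the outbound gateway rather than as a stand-alone script.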
Finally, if a mistake is made (and everyone does make mistakes) and you are deciding whether you do need to notify the regulator or the individual or individuals concerned, you are likely to find this article very useful. Be careful: under the GDPR you only have 72 hours to notify.