An agency has breached over 100 people’s privacy after sending an email with email addresses included in the cc field.

Every person who received the email could see who else was sent a copy. Due to the content of the email, and who it was sent by, some of the recipients felt humiliated that their email addresses were visible to the other recipients.

The agency should have sent individual emails, or at the very least used the bcc function to hide the email addresses of each recipient.

Under the Privacy Act, there are very specific times when an agency can disclose a person’s personal information. Most often these are when:

  • The disclosure is to the person that the personal information is about;
  • The disclosure is for the reason that the personal information was collected, or directly connected to that reason; or
  • The person (whose information it is) has agreed to the disclosure.

Outside of these circumstances (and a few other limited exceptions, e.g. in an emergency), an agency cannot disclose an individual’s personal information.

The individuals affected in this breach have the right to complain to the Office of the Privacy Commissioner. The Commissioner may decide to investigate the agency, and if the agency cannot resolve the issue with the complainants, it could be taken to the Human Rights Review Tribunal.

Aside from the significant time and costs involved in investigations and Tribunal hearings, any published findings may publicly identify the parties involved. This may result in significant reputational damage to the agency.

Although the breach in this case was the result of human error, there are measures that agencies can put in place to reduce the risk of this happening, including implementing (and training staff in) internal privacy policies and procedures.

If your organisation regularly handles other people’s personal information, it is important to ensure that proper privacy policies and processes are in place, and that everyone involved is working in a privacy-conscious manner.

If there are concerns about the personal information handling practices in your organisation, it is wise to speak with a professional experienced in the area.

Leading law firms committed to helping clients cost-effectively will have a range of fixed-price Initial Consultations to suit most people’s needs in quickly learning what their options are. At Rainey Collins we have an experienced team who can answer your questions and put you on the right track.