I have sent an email to the wrong recipient - have I caused a privacy breach?

Recent statistics from the Office of the Privacy Commissioner (OPC) show that email errors are the most common type of notifiable privacy breach in New Zealand.  The OPC has identified that in the first few months since reporting of notifiable privacy breaches became mandatory, 25% of serious privacy breaches arose from email errors.

There are some common mistakes that can lead to email privacy breaches:

• Forgetting to carbon copy (cc) or blind carbon copy (bcc) the appropriate person or people;
• Mixing up similar names and sending emails to the wrong address;
• Forgetting to delete email tails, leading to confidential information being sent along with your email;
• Documents not being thoroughly reviewed and extra pages being sent; and
• Use of shareable workspaces such as Sharepoint and Google, where a link to a document is sent to the wrong recipient.  (These types of workspaces have some privacy settings which can offer protection, but this is not guaranteed).

If you send an email to the wrong recipient, the OPC sets out four key steps that you should follow as quickly as possible.

1.    The first step is to contain the breach immediately and find out what went wrong.

This means contacting the unintended recipient/s and asking them to immediately disregard and delete the email. You may also be able to recall the email, which will remove it from the inbox of the recipient if they have not yet opened it.  Not all mail accounts provide this option, and even if available it does not always work (for example sometimes it just sends an email that says the sender wants to recall a message). 

2.    The second step is to assess the risks of the privacy breach.

This is important because it will help you figure out your next steps. Things you should consider include:

• The types of personal information involved;
• Whether the personal information is sensitive or easy to access from other sources;
• The cause and extent of the breach;
• The potential harm that may have resulted from the breach; and
• Who now holds the information.

3.    If you determine that the breach is “notifiable” (i.e. there is a likelihood of serious harm to the affected individual/s), the third step is to notify the OPC and owner of the personal information that there has been a notifiable privacy breach.

Recent guidance indicates that you need to notify the OPC within 72 hours of the notifiable breach being discovered, and the sooner the better.  For more information on reporting a notifiable privacy breach, see our article here.

The first three steps should be done either at the same time or in quick succession.

4.    When the first three steps have been completed, the fourth step is to prevent future privacy breaches.

The most effective way to do this is to establish a privacy policy and plan for the way your organisation or business collects, stores, uses, and discloses personal information.  This plan should be reviewed regularly to make sure it is being used effectively.  After a privacy breach has occurred, it is important to investigate how it happened and update your plan.

There are some key processes and practices which can be implemented to prevent future privacy breaches, including:

• Reviewing workplace policies and procedures, and updating them to minimise risk;
• Reviewing employee training practices to ensure employees are aware of your organisation’s plan and how to minimise the risk of a privacy breach;
• Auditing both physical and technical security and storage measures; and
• Reviewing any delivery service partners who may have been caught up in the breach to make sure their processes are compliant.

If you are concerned that your organisation may have experienced a privacy breach, or you would like to put in place a robust process for managing privacy compliance in your workplace, talk with an experience privacy professional who can provide advice to best suit your situation.