Incorrect recipient

Published: 15 February 2024

Background 
An email, intended for the complainant, was sent by an employee of the company (“the controller”). This email contained sensitive financial information as well as references to the complainant’s health. The information was included in the body of the email (i.e. not sent as an attachment) and the email was not encrypted.

The controller sent the email to an incorrect recipient, having missed out a letter in the email address. The incorrect recipient of the email happened to be an acquaintance of the complainant, further exacerbating the situation. The complainant was made aware of the error when the acquaintance forwarded them the email. This incident caused considerable distress to the complainant.

The complainant contacted the controller regarding the error and, as a result, the controller self-reported the breach to the ODPA. An email was sent by the controller to the unintended third-party recipient requesting the email be deleted, but no response was received. The complainant was left feeling exposed in light of the personal and sensitive information that had been shared with someone they would never have chosen to share such information with.

Learning points
  • This incident demonstrates how seemingly minor errors can cause significant distress. 
  • Whilst mistakes are inevitable in any workplace, processes can be put in place to minimise the harm these mistakes cause, such as encrypting personal data or other appropriate measures.
  • Staff must also be trained regularly and reminded to consider the impact of the personal data they handle falling into the wrong hands.