Mix-up

Published: 15 February 2024

An individual received an email in error from an organisation.

Background 
An individual received an email in error from an organisation. The email contained personal data about another, unrelated, individual. It transpired that two emails were mixed up, with each of the two individuals receiving the other’s personal data. One of the individuals made a complaint to the ODPA about the mishandling of their personal data.

The ODPA contacted the controller to establish what steps they had taken following the breach. The controller clarified the procedures they had followed. The ODPA issued advice to the controller to ensure they had a clearer understanding of steps that should be taken to mitigate personal data breaches.

The complainant and the other individual received apologies and assurances from the organisation. The complainant was satisfied with the informal resolution of their case.

Learning points
  • The data protection law exists to protect people’s rights over their data, and the ODPA’s formal enforcement activity acknowledges when serious harm has been caused to someone. In cases where no significant harm has occurred, the ODPA will consider resolving cases informally.
  • Informal resolution depends on controllers being open, cooperative, and having a sincere wish to put things right. 
  • When things go wrong, organisations should ensure that lessons are learnt to reduce the likelihood of any recurrence.