Password protection

Published: 20 June 2024

Background 
A health organisation emailed sensitive information relating to several patients to an incorrect and unintended recipient. Fortunately, the incorrect recipient notified the organisation of the error shortly after receipt and deleted the patient data upon request.

Following this incident, the organisation amended its policy so that whenever patient data is to be sent by email it must be password protected. Specifically, the password should be shared with the patient separately from the document it protects.

Learning points
  • Emails being sent to the wrong person is the most widely reported personal data breach in the Bailiwick. So, it is essential that all organisations put in place working practices that ensure that any personal data contained in emails is afforded appropriate safeguards.
  • Staff who are emailing personal data (or, as in this case, special category data) should be encouraged to do a ‘pre-mortem’ by focussing on what the impact could be if the information they are handling was emailed to the wrong place.
  • It is important to maintain a workplace culture that allows for supportive development and learning when things go wrong.