Guidance for Individuals who Accidentally Receive Personal Data
Risk of Accidental Disclosure
Information and communication technology plays an increasingly large role in our working and private lives and has many advantages, including convenience. However, growth in the processing and transmission of personal data can also increase risks to privacy, and means that there is a need for guidance. One such risk arises when a data controller (a person, company, or other body which collects and uses personal data) accidentally discloses personal data to another individual.
These incidents are known as personal data breaches and there are many ways they can unfortunately happen:
- A bank accidentally issues statements or other correspondence to the incorrect recipient via post or email.
- A government body accidentally issues correspondence to the wrong recipient or address.
- A clinic mistakenly puts a medical report into the wrong envelope and sends it to the wrong patient.
- A business disposes of an old laptop without erasing a disk drive containing HR data.
- A mistyped email address sends confidential financial information to an unconnected third party.
- A USB drive containing customer contact details is left behind on a train.
Mistakes like this can lead to an individual’s personal data being disclosed to another individual who had no intention or expectation of receiving it. It is easy to imagine how sensitive that data may be. It is also easy for a person who has accidentally received someone else’s personal data to imagine how distressed they might be if their own data was accidentally disclosed to a stranger.
The rights of data subjects – that is, individuals whom personal data may identify – have special protection under the General Data Protection Regulation (GDPR), the Data Protection Act 2018, the European Convention on Human Rights, the EU’s Charter of Fundamental Rights and other laws. An individual who accidentally receives another individual’s personal data should recognise and respect those rights.
Dealing with Accidental Disclosure
The Data Protection Commission (DPC) recommends that an individual who accidentally receives personal data that is not their own should act promptly and take steps to reduce the risks to the rights of the individual/s the data relates to:
- Identify the data controller (for example from the sender’s email address or letterhead) and inform them of the mistaken disclosure. Do not wait for them to contact you.
- Avoid opening email attachments, files or papers that are not yours to open.
- Agree with the data controller how to resolve the mistake. It may be sufficient to permanently delete an email from your ‘inbox’ and ‘deleted files’ folders. The data controller may arrange to collect a misaddressed letter or parcel from you, or you may agree to destroy it, for example by securely shredding the information and confirming in writing to the data controller that you have done this.
- If you cannot identify or contact the data controller, contact the DPC.
- Do not attempt to identify and contact the person the data belongs to, as this is further processing of the information.
- Do not share the data with another third party, including by publicly uploading information to social media platforms.
Source: Data Protection Commission