The majority of data breaches currently being reported to the supervisory authorities by controllers are cases of documentation containing personal data being sent to the wrong person. This is without doubt an important topic for training sessions, as well as in terms of the underlying business processes.
It is very common for documents containing personal data to not get to where they should.
“Invoices to private patients mixed up” – “Tax documents sent to wrong address” – “Legal communication containing confidential documentation posted to wrong address” – “Parliament temporarily paralysed by mistakenly sent e-mails (reply all)” – “Data scandal: pension insurance sends letters to wrong addresses” are just a few examples of headlines that we see time and again.
Mis-sending represents a breach of the protection of personal data. Controllers must report this breach to the responsible supervisory authority if it is likely to result in a risk to the rights and freedoms of natural persons (Art. 33 Para. 1 General Data Protection Regulation, GDPR). And that is very often the case.
Three main categories
There are three main categories of mis-sending. Letters may be incorrectly addressed and therefore end up with the wrong recipient. Faxes may be sent to the wrong fax number, or e-mails may be sent to one or more wrong e-mail addresses.
These are the most common cases in which the wrong recipient receives personal documentation.
Accidental or caused by technical errors
Very few cases of mis-sending are deliberate, and the majority could have been avoided.
If, for example, the technology isn’t working properly, employees generally have no way of preventing mis-sending. Since the switchover from ISDN to Voice over IP (VoIP) there have been more and more examples of faxes from the fax machine’s memory being sent with the right fax number but being received by a different fax machine.
These do seem to only represent a few cases. Nevertheless, such an incident is particularly annoying as it gives rise to an obligation to report to the responsible supervisory authority even though it was not your fault.
Causes of mis-sending
Primary cause 1: Stress
If you investigate mis-sending incidents, you will see some patterns. Firstly, mis-sending often occurs when employees are under stress and time pressure. This leads to the usual care not being taken.
Alongside their other tasks, the staff on the reception at a clinic are responsible for preparing invoices compiled in house for dispatch to private patients. Particularly in a place like this, which has many points of contact with the public, several circumstances can easily converge to make a data breach almost inevitable.
The following is an example: The postal service worker collects the post – bagged by reception – at 5pm.
However, the outgoing invoices are not printed out until between 4 and 5pm. On top of that, this can often be the main visiting time, during which the reception has the most visitor questions to answer.
In this situation, stress can quickly lead to documentation being sent erroneously, despite the usual care that is taken – not to mention the fact that visitors may see the invoices or recognise the addressees (see Häcker, Data protection in receptions, book 01/17, p. 6–8).
The solution: the stress at work must be reduced. Make it clear during a training session, for example – including to the management, which is responsible for reducing the pressure! – that care must take precedence over speed.
Employees must know that they can, and must, leave time to double-check actions that cannot be undone, such as the packaging of invoices and the sticking of envelopes. The post that is not ready by 5pm will have to go out in the next batch.
If dispatch of invoices on a specific day is essential, there must be a change in the process to allow the employees to work carefully.
Create a work instruction that highlights the risks and make it clear how important it is to carefully check when sticking an envelope that the address on the envelope matches the recipient at the top of the letter. Although it may sound banal, it is very important to point this out.
Primary cause 2: Lack of rules
Mis-sending frequently occurs simply because no one has made the effort to come up with rules. Fax machines are a clear example of this. They are an indispensable part of the working day, even in the age of digitalisation. This particularly applies in the highly sensitive medical sector, for example when sharing data between doctors’ practices or clinics and medical labs.
A typical case is typos made when an employee enters a fax number. This hazard and the resulting risk that unauthorised persons will gain access to special categories of data as set out in Art. 9 GDPR must be recognised by everyone that sends faxes.
A sensible rule in a medical lab could, for example, be that every doctor’s practice must be stored in the system’s memory before documentation is sent for the first time. Then a test fax must be sent. Only when the right practice confirms receipt of the fax should the employees send the documentation. This procedure also makes it possible to always verify the fax numbers to be used, which can change.
Primary cause 3: Lack of training
The best rules are no use if the employees are not aware of them. This is often the case with temporary assistants or new employees, who have not yet taken part in an induction.
As such, internal processes must be used to ensure that such people receive appropriate instruction – and that all employees involved are also aware of the information.
Primary cause 4: Unnoticed technical errors
Around 200 written reminders are being prepared for dispatch. The content is two DIN A4 sheets. An older enveloper machine is being used for this task. An error occurs with one of the letters: three pages are put into an envelope instead of two. This means that each of the following letters has one sheet for Customer A and one for Customer B. No one notices the error and the letters go out unchecked.
In this case, it is impossible to know exactly how many envelopes have been mis-sent without further investigation. Even if there are no account details on the reminders, you are obligated to report the data breach to the responsible supervisory authority.
Whenever a controller works with a piece of technology that employs mechanical enveloping or automatic checking, he must monitor the enveloping and dispatch process.
The simple “random sample” method can be useful here, i.e.: an employee looks at the last, the 150th, the 100th and then the 50th envelope. If the content in the envelope is as it should be, it can be assumed that there have not been any problems. If there is a mistake, the envelopes in between must be checked.
Primary cause 5: Error with the service provider
Controllers often use service providers to put customer letters or payroll documents into envelopes. If the process takes place by hand, such as in sheltered workshops, it can happen that an employee places two wage slips in one envelope, and none in another envelope.
If there is an envelope or a wage slip left over after all have been counted and addressed, the whole batch needs to be examined. Ensure that the contract with the service provider contains appropriate agreements, and that someone on site checks whether the service provider is complying with the agreements.
Tips for training
First it is important to establish which of the described scenarios could arise, or have already arisen, within the company or authority.
For example, have reminders ever been sent erroneously? There are numerous real-life cases of mis-sending to be found on the internet.
Using these practical examples, work with the training participants to work out the hazards associated with different types of sending, as well as the resulting risks and countermeasures.
Put together scenarios that could have made mis-sending more difficult. If there are already rules that the employees are not aware of, work with these as well.
Summary: everyone makes mistakes …
Mis-sending will never be able to be avoided completely. After all, everyone makes mistakes from time to time.
However, being aware of the causes of mis-sending and constantly addressing them in training sessions makes it possible to significantly reduce the likelihood of such data breaches.
The things that employees need to remember when using e-mails are set out in a subsequent part to this post.
Eberhard Häcker gained years of experience in staff development before coming to data protection, including as a teacher at a vocational school and as the head of department for vocational education at a chamber of trade.