A law firm sent a private letter to a general email address of the data subject’s workplace, resulting in disclosure of the letter to a third party — DPP4
The Complaint
A law firm, acting on behalf of the complainant’s husband, sent a letter regarding the complainant’s divorce, which was underway, to a general email address of her workplace.
According to the law firm, it initially sent the letter to the complainant’s personal email address but received no response. It subsequently sent the letter to the general email address of the complainant’s office, which it had obtained from the Internet, and clearly marked the email “Private and Confidential” in the subject heading. As it was unable to confirm any other means of contacting the complainant from the information provided by her husband, the law firm did not contact her before sending the email to ascertain whether she would personally check the emails received through the general email address of her office. The law firm explained that it sent the letter to the complainant through the general email address of her office in the hope of getting her prompt response.
Outcome
If the law firm needed to send the letter to the general email address of the complainant’s office, it should have ascertained in advance whether the complainant personally checked the emails received via that office email address, or sent the letter encrypted. We considered that the law firm had failed to take all practicable steps to ensure that the complainant’s personal data was protected against unauthorised or accidental access, and was hence in breach of DPP4.
After the PCPD’s intervention, the law firm undertook that when it had to deliver documents containing personal data or sensitive information to others under similar circumstances in future, it would communicate with the recipient in advance or encrypt the message.
(Uploaded in March 2019)