
Case Notes


This case relates to DPP4 - Security of personal data

Case No.: 2010C04

A medical institution sending email to patients must ensure that the email does not contain other people's personal data

The Complaint

In an email ("the Email") sent to patients (including the Complainant) by a medical institution, a file was attached ("the File") containing the names, occupations and addresses of many patients (including the Complainant), together with the names and telephone numbers of their emergency contact persons. The Complainant therefore filed a complaint with this Office against the medical institution.

The medical institution explained that when sending electronic Christmas cards to patients using the data in the File, its staff had mistakenly sent the File, which had been placed on the desktop together with the electronic Christmas cards.

Outcome

By mistakenly sending the File, the medical institution disclosed patients' personal data to unrelated third parties. Following the recommendations of the Commissioner, the medical institution took several steps: (1) requesting by email that the relevant recipients destroy the Email; (2) reviewing its internal guidelines, including using software to set passwords on all files containing patients' personal data; (3) setting up an internal review procedure to ascertain whether the data need to be sent; and (4) applying specified penalties to staff for non-compliance with the guidelines.

Uploaded on the web in July 2013

