It’s happened to all of us – that inadvertent ‘reply all’ in which you ridicule the managing partner’s male pattern baldness, or email the wrong Darren who receives a link to a cat Vine instead of your learned legal advice.
In what must be one of the grandest email stuff ups of all time, just prior to the recent G20 Summit an employee at the Commonwealth Department of Immigration and Border Protection inadvertently emailed personal details of several world leaders to the wrong person. Yes, WORLD LEADERS. And we’re talking really serious ones like the Presidents of the US, China and India, and Mr Putin (who we believe is quite prone to crankiness). Details included name, date of birth, passport and visa numbers. The pesky autofill function in Outlook was to blame.
While there is no requirement under the Privacy Act to disclose breaches, the Department thought it best to advise the Privacy Commissioner of the stuff-up (they didn’t think it was necessary to advise the world leaders though).
In its fessing up letter, the Department noted “The risk remains only to the extent of human error, but there is nothing systemic or institutional about the breach”. We don’t know whether the Privacy Commissioner will take any action against the Department, but he has found in the past that breaches of the privacy laws caused by human error are OK, as long as the entity has appropriate policies and procedures in place to avoid breaches. Back in 2010 Telstra inadvertently sent customer details of about 60,000 customers to the wrong people. The breach was due to human error and, while the breach was significant, the Commissioner took no action against Telstra as it generally took reasonable steps to protect personal information.
The short answer: accidentally emailing personal information to the wrong person is fine, as long as you have procedures in place to prevent what happened from happening. Even though it actually did happen. One of those situations where having a rule and failing to follow it is better than having no rule at all.