Of all the privacy breaches reported to the office of the Privacy Commissioner in the past five months, 30% relate to emails.
Feilidh Dwyer, writing on the commissioner’s website, says examples of a breach can include sending an email containing personal information to the wrong person, or drafting an email containing sensitive information to a list of people Cc’d to the email rather than Bcc’d (which hides each recipient’s email address).
“In each of these instances, a breach could be avoided if – just before clicking ‘send’ – you realise your mistake and take appropriate action to rectify the mistake,” writes Dwyer.
“More than a third of all privacy breaches reported to us since Privacy Act 2020 came into force were the result of email errors.”
Dwyer says if sensitive information relating to someone’s health, family, finances or other categories is attached to emails, it could easily cause someone serious harm.
He recommends a number of steps be taken before sending an email:
- Double-check the list of recipients. Is it going to the intended person or people?
- Check your attachments. Make sure you only send what you intend to.
- For mass emails, ensure all email addresses are in the ‘Bcc’ field rather than the ‘Cc’ field, so recipients cannot see each other’s addresses.
- Implement a send delay to give you some ‘checking time’ (an option in some email apps).
- If sending information in spreadsheets, check there isn’t any sensitive information hidden in other worksheet tabs or in pivot tables, unless the sheet is password protected.
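The recipient, Bcc and hidden-worksheet checks in the list above can be automated as a pre-send gate, which is what a mail client plug-in or outbound data-loss-prevention rule does. The following is an added example written for this page, not code from the Privacy Commissioner’s office: it parses an outgoing message with Python’s standard `email` library, flags a large visible (To/Cc) recipient list and any external addresses, and opens attached `.xlsx` files to list worksheets marked hidden. An `.xlsx` file is a zip archive, and `xl/workbook.xml` records each sheet’s `state`, so the check needs no spreadsheet library. The mass-mail threshold, the internal domain list, and the sample message and workbook are constructed assumptions for the demonstration.

```python
"""Pre-send privacy checks for an outgoing e-mail (added example).

The thresholds, the internal-domain list and the sample message are
assumptions made for this illustration, not settings from any product.
"""
from __future__ import annotations

import io
import xml.etree.ElementTree as ET
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

MASS_MAIL_THRESHOLD = 5            # assumption: more visible recipients than this is "mass mail"
INTERNAL_DOMAINS = {"example.org"}  # assumption: the sender's own organisation
SPREADSHEET_NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def hidden_sheets(xlsx_bytes: bytes) -> list[str]:
    """Names of worksheets whose state is 'hidden' or 'veryHidden'.

    .xlsx is a zip; xl/workbook.xml lists every sheet and carries an
    optional state attribute. Excel hides the tab for both values.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as archive:
        root = ET.fromstring(archive.read("xl/workbook.xml"))
    return [
        sheet.get("name")
        for sheet in root.findall("m:sheets/m:sheet", SPREADSHEET_NS)
        if sheet.get("state") in ("hidden", "veryHidden")
    ]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can see: To and Cc, but not Bcc."""
    return [
        addr.addr_spec.lower()
        for field in ("To", "Cc")
        for header in msg.get_all(field, [])
        for addr in header.addresses
    ]


def check_message(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means the message passed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[str] = []

    recipients = visible_recipients(msg)
    if len(recipients) > MASS_MAIL_THRESHOLD:
        findings.append(f"{len(recipients)} visible recipients; use Bcc for mass mail")

    external = sorted({a for a in recipients if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS})
    if external:
        findings.append("external recipients: " + ", ".join(external))

    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed attachment)"
        if name.lower().endswith(".xlsx"):
            hidden = hidden_sheets(part.get_payload(decode=True))
            if hidden:
                findings.append(f"{name}: hidden worksheets {hidden}")
    return findings


def build_workbook(sheet_states: dict[str, str | None]) -> bytes:
    """Construct a minimal .xlsx for the demo (only xl/workbook.xml is written).

    A real workbook has many more parts; this is just the part the check reads.
    """
    sheets = "".join(
        f'<sheet name="{name}" sheetId="{i}" r:id="rId{i}"'
        + (f' state="{state}"' if state else "") + "/>"
        for i, (name, state) in enumerate(sheet_states.items(), start=1)
    )
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f"<sheets>{sheets}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("xl/workbook.xml", xml)
    return buf.getvalue()


def sample_message() -> bytes:
    """Constructed outgoing mail: six people Cc'd and a workbook with a hidden tab."""
    msg = EmailMessage()
    msg["From"] = "clerk@example.org"
    msg["To"] = "finance@example.org"
    msg["Cc"] = ", ".join(f"person{i}@mail.example.com" for i in range(6))
    msg["Subject"] = "Q3 figures"
    msg.set_content("Figures attached.")
    msg.add_attachment(
        build_workbook({"Summary": None, "Salaries": "hidden"}),
        maintype="application",
        subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
        filename="figures.xlsx",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in check_message(sample_message()) or ["no findings; safe to send"]:
        print(finding)
```

Run against the constructed message it reports three findings: seven visible recipients, six external addresses, and a hidden "Salaries" worksheet in the attachment. A Bcc-only mailing, by contrast, contributes nothing to the visible list, so the first two checks pass.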
“Only staff who need access to personal information should have access to it,” says Dwyer. “If possible, implement a system to keep track of who is accessing personal information on your systems.
“Many privacy breaches reported to our office are categorized as employee browsing. Employee browsing is when staff members access personal information they have no right to e.g. a bank teller searching the account information of people they know out of curiosity.”