Sunday, 29 November 2015

What is your process for checking outgoing email attachments?



This case really showcases the importance of keeping track of all of the information that leaves your business!

On 2 August 2011 a member of the public reported that they had received an email from HMP Cardiff with a file accidentally attached that contained the details of 1,182 inmates. As if that wasn’t bad enough, it wasn’t the first time the mistake had been made - on 4 and 5 July 2011 the prisoner details had been sent to two other unintended recipients, who hadn’t yet contacted the data controller or the prison.

A total of three emails with the attachment had been sent to three different individuals by a new prison booking clerk who had been arranging the prison visits. The clerk had only meant to email a family member about a visit but had accidentally pasted the text file as an attachment. All three mistakes were made by the same clerk, doing the same thing by accident. The file had to be manually cut and pasted onto a disk on a daily basis and then saved onto a database, so the paste action had picked up the last file from the clipboard instead of the correct one and sent the sensitive data - three times.

Once the mistake had been discovered, the police became involved and each recipient was asked to confirm in writing that the message had been deleted and not shared. The police even accessed their email accounts to make sure that it had been fully deleted. 

HMP Cardiff has since put in place measures to stop this ever happening again: existing training and ongoing support are now topped up with monthly checks, and the data transfer procedure has been changed so that an encrypted memory stick is used for data transfer rather than a disc. Instead of copying and pasting the file to the stick, staff are told they have to locate the text file and use the ‘send to’ function, which stops it being left on the clipboard to be pasted where it ought not to be.

Most of us would cringe, just thinking about a mistake like this - how many times have you attached the wrong document to an email or not attached it at all? When you’re dealing with sensitive data though, the repercussions can be extremely serious. The National Offender Management Service was fined £140,000 for the breach.

This error, made by an inexperienced member of staff, would not even have come to light if the third person who had received it hadn’t realised the seriousness of the mistake and reported it. Is it possible that this sort of thing could happen to you? What measures do you have in place to prevent sensitive data being accidentally shared with the wrong people?

Do you have a contingency plan in place for emails, and for protecting sensitive information? If you need advice on procedures and policies that keep your information safe, contact me and I will be delighted to provide you with guidance and advice.
