Outcomes - Selected Case Summaries



Financial regulator inadvertently discloses personal data

Informal Resolution | 10 March 2022

An employee of a financial regulator inadvertently sent an email with a spreadsheet containing a tab with personal data of numerous individuals, intended for internal use only, to an external party. The data included applications for director, officer and shareholder positions, and included names, approval status, queries raised by the supervisor and payment of fees. We determined that this breach could likely cause damage to reputation, psychological distress and embarrassment on the part of the individuals concerned.

Attempts were immediately made to recall the email and attachment. However, the message had already been delivered to external servers. The unintended recipients were contacted by email and phone, requesting that all emails containing the attachment be deleted, and be removed from inboxes and servers. We received confirmation of the deletion, as intended, and the overseas IT team was asked trace the email and permanently remove it from the servers.

The regulator intends to introduce a data classification scheme, encrypt outgoing emails to external parties, replace use of email for sharing confidential information with a shared folder or a secure file-sharing site, expand review/approval levels to additional workflow, and facilitate staff training and advisories. We concluded that no further action was required since the regulator took swift action. However, we noted that the affected individuals were not notified within the period allowed by law (in some cases more than two months late), which can be partially explained by the high number of individuals concerned and the fact that contact information was not held on all of them.