Outcomes - Selected Case Summaries



RCIPS inadvertently release third party personal data in collision report

Informal Resolution | 04 October 2022

The RCIPS inadvertently released sensitive personal data belonging to a third party to an unintended recipient when a collision report was disclosed. The unintended recipient provided verbal confirmation that the email received in error was deleted without disclosure. However, due to the severity of the breach, we asked the data controller to obtain confirmation in writing from the individual to ensure containment.

The breach occurred when an employee did not correctly apply internal policies on reviewing and summarizing information in collision reports before disclosing them to the requester. The data controller agreed to provide further staff training on this issue, and amended their policy by adding an additional step to review and verify reports before they are released to the public.

The data controller took all appropriate steps and the case was closed without further action.