Sending and receiving emails has become our primary way of communicating at work. An estimated 269 billion emails are sent globally every single day (source: www.radicati.com). It's therefore not surprising that occasionally some emails are sent to the wrong recipient by accident.
Veritau estimates that emails sent to the wrong person make up 35% of data breaches reported to our information governance team. Here's our advice about what you should do if an email has been sent to the wrong person.
If you discover that you've sent an email to the wrong person, you are naturally likely to panic, especially if that email contains confidential and/or sensitive data.
Try to stay calm. If you panic, then you are likely to make further mistakes which could worsen the situation. If you remain calm, you are more likely to be able to handle and contain the situation with confidence.
Contact the recipient
In the first instance, you should contact the recipient as soon as you notice the error. Ask them to delete the email without reading it and confirm that they have done this.
This is the best way to contain the incident.
Can you recall the email?
In some circumstances you may be able to recall the email. However, this will only work if both email addresses are within the same organisation and use an Office 365 or Microsoft Exchange account.
Email recall will not work when sending an email outside of your organisation, or if the email has already been opened. You can't rely on this method to guarantee the email has been contained.
If you do attempt an email recall, always follow up and check it has worked by either separately emailing the person again or calling them. Never assume it has worked.
Report the incident
Once you have made an effort to contain the incident, you need to report it to your line manager. You also need to report it to the person responsible for data protection in your organisation. For smaller organisations (such as schools), there is likely to be a single point of contact who manages data breaches.
For larger organisations (such as councils or housing associations), it is likely you need to report an incident through an intranet e-form or make contact with the information governance team.
You should report incidents within your organisation even if the email has been contained or if the email didn’t contain personal data. Your organisation needs to know about all ‘near misses’ as well as actual incidents so that it can implement safeguards to mitigate against any future potential incidents.
When to report it
It is crucial that you tell your organisation about these incidents within 24 hours wherever possible. That way the incident can be managed. For the most serious cases, the organisation will have to report it to the data protection regulator within 72 hours. In the UK, this is the Information Commissioner's Office.
Tips for preventing future incidents
- Take your time. Quite often the primary reason for mistakes is that the sender is rushing to complete the task. We know how busy work can get, but remember you will be even busier if you have to manage a data breach too. Take your time when sending emails.
- Check the recipient list for spelling mistakes and organisation names. This might seem obvious, but quite often it's easy to assume you've entered the correct name. It's especially easy if you have the auto-fill function turned on.
- Configure your email settings. Many email providers have tools and settings which can be configured. You can turn off auto-fill, which is a major cause of emails getting sent to the wrong person. You can also set up an automatic warning that flags when an email is being sent outside your organisation.
- Check the email trail and attachments. Are all the recipients in the distribution box authorised to see earlier emails in the trail and/or the attachments?
Still not sure?
For more information about data breaches, contact your organisation’s data protection officer or look at your data protection and information security policies.
Contact us to find out more about our information governance and data protection officer service.