Data Protection Breaches: Letter sent to wrong address?

If a letter containing personal information or data is sent to the wrong address then you may be able to claim compensation.

Your data protection rights are enshrined in law, which means that if your personal data is exposed or misused as a result of an organisation sending a letter or email to the wrong recipient, you may be able to claim compensation.

If you’ve been affected by a breach as a result of a letter or email being sent to the wrong address, get in touch for a FREE consultation.

Get In Touch

How often is personal data sent to the wrong person?

According to statistics compiled by the ICO, personal data being posted or emailed to the wrong person is the most common form of data protection breach to occur amongst organisations across all industries.

In the first quarter of 2021, there were 405 reported incidents of data being emailed to the incorrect recipient and 219 cases where data was posted or faxed to the wrong person. These breaches comprised just under 25% of all data breaches reported to the ICO during this period.

How do letters and emails get sent to the wrong address?

Clerical errors such as email or letters getting sent to the wrong address are amongst the most common of data breaches that occur in the UK. Whilst many communications rely on automated processes today, there’s still ample opportunity for human error.

Personal data is frequently posted or emailed to the wrong address, this can be as a result of a person inputting the wrong address, or bundling several messages into one envelope. Personal information can also find its way into the mail or messages incorrectly, for example, an attachment may be incorrectly fixed to an email.

Examples of personal information being sent to the wrong address

Legal documents sent to wrong address

Examples of data breaches resulting from legal documents being sent to the wrong address include:

  • Court letter sent to wrong address
  • Tax/HMRC letter sent to wrong address
  • Solicitor/legal documents sent letter to wrong address
  • Debt collection letter sent to wrong address
  • Disciplinary letter sent to wrong address
  • Confidential information sent to wrong email address

Medical documents sent to wrong address

There have been numerous cases resulting in breach of confidentiality NHS compensation. Examples of data breaches resulting from medical documents being sent to the wrong address include:

  • Hospital sent letter to wrong address
  • NHS letter sent to wrong address

Can I get compensation for a data protection breach when a letter is sent to the wrong address?

If a letter containing your personal information has been sent to the wrong address then you may be able to make a claim for compensation.

Letters being sent to the wrong address can have far-reaching consequences for the intended recipients.

Intimate personal information can be inadvertently dispersed to neighbours, abusive partners can be handed a victim’s address, or financial information can result in fraud or monetary

Even if no financial loss has taken place, it’s still possible to claim compensation for distress alone, if the circumstances can be proven.

How much compensation can I claim for a letter being sent to the wrong address?

The amount of compensation that you can claim for a letter being sent to the wrong address will depend on the personal data that was revealed and the extent of the damages caused.

Data breach compensation amounts have varied between £3,000 up to £4,300 over the years, with the biggest compensation awarded to those whose private information has been made public knowledge.

If you’ve been affected by a breach as a result of a letter or email being sent to the wrong address, get in touch for a FREE consultation.

Get In Touch

Case Studies

Council Postal Admin Error Results in £12,000 Compensation

A document containing details of a Social Service meeting and the name, age and gender of an entire family was posted to an unknown third party who lived within the local area. This breach caused significant stress and anxiety for all involved.

The Council incorrectly considered that there was no safety risk to the family, so failed to report the matter to the ICO. They failed to recognise the non-material risks posed to the family in question.

We were able to successfully seek a claim for compensation against the Council. Each family member received £3,000 for a total of £12,000 – and all their legal costs were covered.

Read the full case study

Local Authority Post An Unredacted Report Resulting in £4,300 Compensation

A Local Authority failed to redact a copy of a report which was sent to the victim’s former coercive and controlling partner. This resulted in the partner discovering the victim’s new address, something she had strived to avoid happening.

The Local Authority failed the victim on several counts. They were negligent in their actions, they failed to process her data lawfully and also exposed private information which she had reasonable expectation to be kept private.

We were able to assist the victim in making a successful claim for compensation, totalling £4,300, as well as her legal costs.

Read the full case study

Emails being sent to the wrong person

Is sending an email to the wrong person a GDPR breach?

Sending an email containing personal information to the wrong person constitutes a data breach according to the GDPR. Personal data is defined within Article 4(1) GDPR 2018 as ‘any information relating to an identified or identifiable natural person’.

Examples of personal data include ‘name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

Is an email address classed as personal data?

An email address can be classed as personal data when the email address itself can be used to directly or indirectly a person. For example, a person may use their full name in their email such as joe.smith@email.com.

Is sharing an email address a breach of data protection?

Sharing an email address can be considered a breach of data protection when that email address can be used to identify a person, directly or indirectly.

For example, if an organisation sends a mass email, failing to blind copy the recipients, and those email addresses feature a person’s full name, this may constitute a data breach.

What happens if your confidentiality is breached by the NHS?

If your confidentiality has been breached by the NHS, or you think that your data has been breached in any other way, then you may be entitled to claim compensation for damages caused.

Our data breach compensation process

Free Data Breach Consultation

You send us a message, or give us a call and tell us about how you’ve been affected by a data protection breach. We’ll ask you some questions and let you know whether or not we can assist you in making a claim.

Signing The Conditional Fee Agreement

If we believe that you have a strong case, then we’ll offer you our services. You’ll read and sign our CFA, and then we’ll be able to get to work investigating your claim.

Contacting The Defendant

We’ll get in touch with the business or organisation that has breached your data. Our team will deal with all these communications, and get in touch if they need any more information from you.

Talking To The Information Commissioner’s Office

We’ll find out if the organisation has reported the data breach (they’re legally required to).

Claiming Your Compensation

Once we have all the facts, we’ll be able to move your claim forward and try to win your compensation.

Resources

Common data protection mistakes (and how to fix them) – ICO 

Data security incident trends – ICO

Gender identity clinic leaks patient email addresses – BBC News

 

FAQs

Is sharing an address a breach of GDPR?

Sharing another person’s address through a letter sent to the wrong address, or a mass email can be a breach of GDPR. It can only be considered a breach when a person can be positively identified and linked to the address.

Can an individual be held responsible for a data breach?

Individuals can be held responsible for data breaches and infringements of the GDPR under national law. Unfortunately, it’s not practical for data breach compensation claims to be brought against individuals.

Can you sue a company for disclosing personal information?

Companies and organisations in England and Wales can be sued by individuals for disclosing private information.

The amount of compensation that can be claimed depends on the severity of the data breach; the financial impact and non-material harm that might have resulted from the breach.