Skip to content

Case Notes

Case Notes

This case related to DPP4 - Security of personal data

Case No.:2023C01

Unencrypted documents containing personal data were sent to an incorrect email address

The Complaint

The complainant and her husband appointed a law firm to handle property conveyancing procedures. As part of the transaction, the complainant’s husband received an email from the law firm (the Email), with some conveyance documents attached. The complainant’s husband noted that a copy of the Email was also sent to an email address that was highly similar to the complainant’s (the Wrong Email Address). The complainant was dissatisfied that the law firm exposed her and her husband’s personal data to others. As a result, she lodged a complaint against the law firm with the PCPD.


According to the law firm’s explanation, the person who sent the Email had not asked the complainant to verify the handwritten email address and had therefore erroneously typed it when sending the Email. The law firm also admitted that the sender had not encrypted the attached documents before sending them via the Email.

After the PCPD intervened, the law firm instructed its staff members to carefully verify the correct recipient addresses and the correct attachments before sending any email, and to encrypt and/or password protect all documents containing clients’ personal data sent via email. Furthermore, the law firm provided training to its staff members in relation to their standard practices of email correspondence.

The PCPD also issued a warning to the law firm, requiring it to urge its staff members to strictly comply with the relevant requirements under the PDPO on handling and protecting clients’ personal data, and strictly adhere to their data protection policies. The firm was also instructed to regularly remind its staff members about the importance of carefully handling clients’ personal data, and to periodically circulate the relevant policy to its staff members.

Lesson learnt

The primary cause of the complaint was clearly a human error: misreading a handwritten email address. This is not an uncommon occurrence in workplaces where staff members regularly communicate with various parties via email. They may unwittingly overlook the importance of verifying the accuracy of email addresses. To prevent human errors similar to the one made in this case, organisations are advised to cultivate a culture of respect for personal data privacy. This can be achieved by establishing data protection policies and providing staff members with regular training.

(Uploaded in March 2023)

Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :