A social service organisation mistakenly delivered letters to someone other than the addressee
Background
The complainant resided in a residential care home operated by a social service organisation (“the Organisation”). When distributing letters to the residents, a staff member of the Organisation mistakenly handed two letters addressed to the complainant (“the Letters”) to another resident, who subsequently opened the Letters. As a result, the complainant lodged a complaint with the PCPD.
Outcome
The Organisation confirmed the incident to the PCPD and admitted that its staff did not handle the Letters with due diligence. In response to the present case, the Organisation has revised its letter distribution process, requiring staff members to personally verify the recipient’s identity card before handing over any letters. Additionally, the Organisation has committed to providing ongoing training to staff members and strengthening supervision to enhance their awareness of personal data protection sensitivity. The Organisation also confirmed with the PCPD that it would ensure strict compliance with the updated letter distribution procedures through regular supervision.
Lesson learnt
Numerous incidents relating to personal data security stem from human mistakes. As in the present case, the incident could have been avoided if the staff member in question had carefully verified the name of the recipient on the Letters and the identity of the resident. Data users should learn from this case by providing adequate training or supervision to staff members to enhance their awareness of personal data privacy protection, as well as to ensure that they handle personal data with due diligence. In addition, data users should establish clear policies and specific guidelines for staff to follow, to ensure that the personal data in their possession is properly protected.
(Uploaded in April 2025)