Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

An Post - GDPR

  • 11-04-2019 8:01am
    #1
    Registered Users, Subscribers, Registered Users 2 Posts: 13,631 ✭✭✭✭


    Hi all,
    Quick one. I assume An Post still fall under GDPR guidelines?

    The reason I ask is that recently my wife renewed her passport and got a passport card aswell. Her passport was delivered, however her passport card went to some random House in the area (the correct address was on it!). We only found out because luckily that person actually knew my wife.

    As this is a very sensitive document, it's concerning how An Post can deliver to the wrong address so badly. Additionally, we still haven't received her old passport and wedding cert, over a month later. I've concerns that they may have gone to a random address.


Comments

  • Registered Users, Registered Users 2 Posts: 459 ✭✭Dytalus


    All organisations fall under GDPR guidelines if they do business in the EU, including An Post.

    This could easily qualify as a data breach, but the requirement for reporting it to the Commission isn't simply "it might have been". There has to be a risk to the data subject (your wife, in this case). They'd probably have to take into account how far away it got sent and whether it was opened or not, but I'd imagine some kind of preliminary comment's been sent to the DPC since unlike say leaving a laptop behind on a bus, you can hardly encrypt envelopes.

    Definitely worth sending them an email or giving them a call to follow up on it, especially about the missing old passport and wedding cert.


  • Registered Users, Subscribers, Registered Users 2 Posts: 13,631 ✭✭✭✭antodeco


    Thanks for that. It was opened as that was how it was found who's it was. I might start off with the passport office and work back!


  • Registered Users, Registered Users 2 Posts: 5,966 ✭✭✭JDxtra


    GDPR breach for an item posted to the wrong address? I've heard it all now.


  • Registered Users, Registered Users 2 Posts: 33,518 ✭✭✭✭dudara


    Actually, we discussed a similar scenario when helping a client prepare for GDPR.

    Imagine payslips that get sent in the post. The sender has responsibility for getting them safely to the recipient. If they go missing, then there is potential for misuse of the data. Therefore, the sender should look at other means of securely sharing the payslips with the employee.

    In this case, I would expect the Passport office to send documents via Registered Post to ensure that they arrive safely. Were they sent by registered post?

    Technically, a passport lost in such a way would be a data breach. But there also has to be an element of practicality here, and an assessment of the risk to the individual before a complete determination could be made.


  • Registered Users, Registered Users 2 Posts: 3,455 ✭✭✭davetherave


    You might consider starting with whoever open mail not addressed to them

    Communications Regulation (Postal Services) Act 2011

    53.— (1) A person commits an offence if he or she, without the agreement of the addressee and, in the case of a person who is a postal service provider or an employee or agent of a postal service provider, contrary to his or her duty, intentionally—

    (a) delays, detains, interferes with or opens, a postal packet addressed to another person or does anything to prevent its delivery or authorises, suffers or permits another person (who is not the addressee) to do so,


    (3) A person who commits an offence under this section is liable—

    (a) on summary conviction, to a class C fine or imprisonment for a term not exceeding 12 months or both, or

    (b) on conviction on indictment, to a fine not exceeding €75,000 or imprisonment for a term not exceeding 5 years or both.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 17,282 ✭✭✭✭banie01


    antodeco wrote: »
    Thanks for that. It was opened as that was how it was found who's it was. I might start off with the passport office and work back!

    Was your wife's name not actually on the envelope?
    It being opened would not preclude the fact that it was addressed correctly but misdelivered.

    That someone then opened an item that was misdelivered rather than returning it to An Post for re-delivery is to my mind a separate issue.

    I suppose 1st instance here to assess what went wrong and where, is to confirm what addresses the items were actually sent to.

    Misaddressed, then it's a GDPR issue that lays with the passport office.

    Misdelivered, the issue lies with An post but was the data breach contingent upon the 3rd party opening mail not directly addressed to them? Which IIRC is a statutory offence.
    Rather than returning to sender?


  • Registered Users, Registered Users 2 Posts: 459 ✭✭Dytalus


    JDxtra wrote: »
    GDPR breach for an item posted to the wrong address? I've heard it all now.

    Absolutely, if that item contains personal data. Strictly speaking, if the package remains unopened it doesn't qualify as a breach - the personal data inside hasn't been revealed. But if it has been, then An Post (or the passport office, if they put the wrong address on the package) have failed in their duty of care to an individual's personal data.

    Either way, the ICO/DPO of An Post (or the passport office) is going to want to know what's happened so they can weigh up whether a report needs to be sent to the Commission. This isn't to say they'll be fined or punished - data breaches happen, and they happen a lot. There's no way to stop them completely. If whomever is responsible takes the requisite steps to stop it happening again, the DPC tends to be happy enough. Only repeated, or egregious, breaches tend to earn fines from the Commission.


  • Registered Users, Registered Users 2 Posts: 1,135 ✭✭✭Mundo7976


    antodeco wrote: »
    Thanks for that. It was opened as that was how it was found who's it was. I might start off with the passport office and work back!

    Id also be concerned with why that person opened mail that didnt have their name or address on it!


  • Registered Users, Registered Users 2 Posts: 17,189 ✭✭✭✭Sleeper12


    Shock horror, something gets delivered to the wrong address.


  • Registered Users, Registered Users 2 Posts: 1,633 ✭✭✭flexcon


    I have to be careful of GDPR in my work place and if we were to find out a delivery went to the wrong place the problem would be the name and details of the payer are in that box with the billing document. That there is your grey area.

    We switched to email invoicing only to prevent that.

    In OP scenario i am not sure if this is the same and GDPR would cover it.


  • Advertisement
  • Banned (with Prison Access) Posts: 547 ✭✭✭Duffryman


    I'm just confused by how OP says in the first post that 'the correct address was on it' and that the person who actually received happened to know his wife (so no need then to actually open the envelope to see what it contained, or who it was intended for).

    Yet a few posts later, he says it was only by opening the envelope that the person who actually received it found out whose it was.

    So, was the wife's correct name and address on the envelope or not?


  • Registered Users, Registered Users 2 Posts: 5,933 ✭✭✭daheff


    flexcon wrote: »

    We switched to email invoicing only to prevent that.

    I'd imagine cost, timeliness & traceability was more likely the reason for this.

    Oh- and living in the 21st century!


  • Registered Users, Subscribers, Registered Users 2 Posts: 13,631 ✭✭✭✭antodeco


    Duffryman wrote: »
    I'm just confused by how OP says in the first post that 'the correct address was on it' and that the person who actually received happened to know his wife (so no need then to actually open the envelope to see what it contained, or who it was intended for).

    Yet a few posts later, he says it was only by opening the envelope that the person who actually received it found out whose it was.

    So, was the wife's correct name and address on the envelope or not?

    All the correct details on the envelope. However, my wife's (married) surname would be different to what this person would know. When they opened it, they saw the picture, saw the first name and put 2 and 2 together.

    They delivered the passport and passport card the same day. Both had the same name and address on them. However, one went to the correct address, and the other to a very different address in the locality. (Different number and different road).

    I accept that mistakes can happen, however, a severely valuable document such as a passport, I would assume should have better accountability.


  • Banned (with Prison Access) Posts: 547 ✭✭✭Duffryman


    Thanks for the answer. But if the envelope that was wrongly delivered had the correct house number and street name (or estate name) on it, still wondering why the person who got it apparently had to open it before realising who it was intended for?

    If he/she wanted to do the right thing, he/she would only have had to bring the envelope to that house and drop it into the letterbox there. Or else just drop it back to any Post Office or postbox with a note, ‘wrongly delivered’.

    Seems to me that An Post are ‘guilty’ of wrongly delivering post all right, but I honestly don’t see a GDPR breach, since the only data they ‘shared’ with a third party was your wife’s name and address – and since that third party knows your wife, they already had that data anyway.

    As somebody else pointed out here, the contents of that envelope are protected by law, and by opening it, that third party actually committed a criminal offence. There’s your real issue, if you want to make one of it.


  • Closed Accounts Posts: 886 ✭✭✭Anteayer


    I've had mail delivered to me for the wrong county!
    The top line had a house name which is almost the same as ours, so I can only assume it was misdirected by an IT system but I was amazed that this wasn't spotted by the postman.

    It's happened twice so far.

    My address is in Cork City. The other one is in Roscommon!!

    There was absolutely nothing wrong with the address btw. They were both bills from major utility companies with properly addressed, printed envelopes.

    I put them back into the post but I'm just baffled as to how it could even happen.


  • Registered Users, Registered Users 2 Posts: 7,596 ✭✭✭the_pen_turner


    A few years ago I sent a birthday card to a friend with the address
    The old couple
    At the end of the long boreen
    Name of their local village
    Tipperary

    Not sure how it got there but it did
    The postman must have really scratched his head


  • Registered Users, Subscribers, Registered Users 2 Posts: 13,631 ✭✭✭✭antodeco


    Duffryman wrote: »
    Thanks for the answer. But if the envelope that was wrongly delivered had the correct house number and street name (or estate name) on it, still wondering why the person who got it apparently had to open it before realising who it was intended for?

    If he/she wanted to do the right thing, he/she would only have had to bring the envelope to that house and drop it into the letterbox there. Or else just drop it back to any Post Office or postbox with a note, ‘wrongly delivered’.

    Seems to me that An Post are ‘guilty’ of wrongly delivering post all right, but I honestly don’t see a GDPR breach, since the only data they ‘shared’ with a third party was your wife’s name and address – and since that third party knows your wife, they already had that data anyway.

    As somebody else pointed out here, the contents of that envelope are protected by law, and by opening it, that third party actually committed a criminal offence. There’s your real issue, if you want to make one of it.

    So a GDPR breach only kicks in if someone else views content? IE, I email your details to 1000 people, but unless any of them open it, it's not a GDPR breach? (Accepted that there is a seperate law for opening post)


  • Banned (with Prison Access) Posts: 547 ✭✭✭Duffryman


    I don't claim to be a GDPR expert. I do happen to know one, but I'm not allowed to share his details with you :)

    All I was saying is that in this very much layman & amateur observer's point of view, I don't see a GDPR breach by An Post here.

    Still wondering about why the third party 'had to' open the envelope, if the correct house number and street name/estate name was on it.


  • Closed Accounts Posts: 886 ✭✭✭Anteayer


    Until we’ve had some cases it’s hard to know tbh.


  • Registered Users, Registered Users 2 Posts: 446 ✭✭Garibaldi?


    Was the letter registered. I recently sent a sensitive communication in the post.Very clearly and precisely addressed. I did not get the confirmation email. So I checked Track and Trace and found it was "still being processed". Rang up the Centre and was told this was most unusual because it's invariably a two-day procedure. Advised to make an official report about it to An Post, which I did. I have registered post hundreds of times, sometimes containing money for presents etc and this has never happened before.Really worried that this has been accessed by someone other than the intended recipient! Very strange. Thankfully I made a copy of the content, but the matter of the wrong person seeing it is still a concern.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 446 ✭✭Garibaldi?


    Registered post is usually so reliable. I sent away an item at 2pm yesterday and received the delivery confirmation email at 9.13 am this morning. That's what makes the customer so concerned if a registered item did not reach its destination. In fairness , An Post will go to some lengths to solve the mystery. If you need to send sensitive documents it's advisable to register an envelope. It's a source of concern if the item cannot be found!


  • Registered Users, Registered Users 2 Posts: 1,795 ✭✭✭Mrcaramelchoc


    dudara wrote: »
    Actually, we discussed a similar scenario when helping a client prepare for GDPR.

    Imagine payslips that get sent in the post. The sender has responsibility for getting them safely to the recipient. If they go missing, then there is potential for misuse of the data. Therefore, the sender should look at other means of securely sharing the payslips with the employee.

    In this case, I would expect the Passport office to send documents via Registered Post to ensure that they arrive safely. Were they sent by registered post?

    Technically, a passport lost in such a way would be a data breach. But there also has to be an element of practicality here, and an assessment of the risk to the individual before a complete determination could be made.

    I agree with everything you say, but are there any allowances for a mistake?
    This postman never delivered one wrong letter in his career until this day and he made a mistake,took his eye off the ball etc does gdpr allow for this at all?
    Passports are sent by swiftpost they don't need to be signed for.


  • Posts: 5,869 ✭✭✭ [Deleted User]


    antodeco wrote: »
    Thanks for that. It was opened as that was how it was found who's it was. I might start off with the passport office and work back!

    Who's name was on the envelope?


  • Registered Users, Registered Users 2 Posts: 446 ✭✭Garibaldi?


    I agree with everything you say, but are there any allowances for a mistake?
    This postman never delivered one wrong letter in his career until this day and he made a mistake,took his eye off the ball etc does gdpr allow for this at all?
    Passports are sent by swiftpost they don't need to be signed for.
    I don't think it's about blaming anyone if a registered item does not reach it's address. More about establishing what happened to it. In some cases it would be better if it had been accidentally destroyed than lost. If it remains "lost" the sender does not know where it has gone/will go or who may access it.


Advertisement