
An Post - GDPR

  • 11-04-2019 9:01am
    #1
    Registered Users, Subscribers Posts: 13,464 ✭✭✭✭


    Hi all,
    Quick one. I assume An Post still fall under GDPR guidelines?

    The reason I ask is that recently my wife renewed her passport and got a passport card as well. Her passport was delivered, however her passport card went to some random house in the area (the correct address was on it!). We only found out because luckily that person actually knew my wife.

    As this is a very sensitive document, it's concerning how An Post can deliver to the wrong address so badly. Additionally, we still haven't received her old passport and wedding cert, over a month later. I've concerns that they may have gone to a random address.


Comments

  • Registered Users Posts: 459 ✭✭Dytalus


    All organisations fall under GDPR guidelines if they do business in the EU, including An Post.

    This could easily qualify as a data breach, but the requirement for reporting it to the Commission isn't simply "it might have been". There has to be a risk to the data subject (your wife, in this case). They'd probably have to take into account how far away it got sent and whether it was opened or not, but I'd imagine some kind of preliminary comment's been sent to the DPC since unlike say leaving a laptop behind on a bus, you can hardly encrypt envelopes.

    Definitely worth sending them an email or giving them a call to follow up on it, especially about the missing old passport and wedding cert.


  • Registered Users, Subscribers Posts: 13,464 ✭✭✭✭antodeco


    Thanks for that. It was opened as that was how it was found whose it was. I might start off with the passport office and work back!


  • Registered Users Posts: 5,880 ✭✭✭JDxtra


    GDPR breach for an item posted to the wrong address? I've heard it all now.


  • Registered Users Posts: 33,518 ✭✭✭✭dudara


    Actually, we discussed a similar scenario when helping a client prepare for GDPR.

    Imagine payslips that get sent in the post. The sender has responsibility for getting them safely to the recipient. If they go missing, then there is potential for misuse of the data. Therefore, the sender should look at other means of securely sharing the payslips with the employee.

    In this case, I would expect the Passport office to send documents via Registered Post to ensure that they arrive safely. Were they sent by registered post?

    Technically, a passport lost in such a way would be a data breach. But there also has to be an element of practicality here, and an assessment of the risk to the individual before a complete determination could be made.


  • Registered Users Posts: 3,362 ✭✭✭davetherave


    You might consider starting with whoever opened mail not addressed to them

    Communications Regulation (Postal Services) Act 2011

    53.— (1) A person commits an offence if he or she, without the agreement of the addressee and, in the case of a person who is a postal service provider or an employee or agent of a postal service provider, contrary to his or her duty, intentionally—

    (a) delays, detains, interferes with or opens, a postal packet addressed to another person or does anything to prevent its delivery or authorises, suffers or permits another person (who is not the addressee) to do so,


    (3) A person who commits an offence under this section is liable—

    (a) on summary conviction, to a class C fine or imprisonment for a term not exceeding 12 months or both, or

    (b) on conviction on indictment, to a fine not exceeding €75,000 or imprisonment for a term not exceeding 5 years or both.


  • Registered Users Posts: 16,630 ✭✭✭✭banie01


    antodeco wrote: »
    Thanks for that. It was opened as that was how it was found whose it was. I might start off with the passport office and work back!

    Was your wife's name not actually on the envelope?
    It being opened would not preclude the fact that it was addressed correctly but misdelivered.

    That someone then opened an item that was misdelivered rather than returning it to An Post for re-delivery is to my mind a separate issue.

    I suppose 1st instance here to assess what went wrong and where, is to confirm what addresses the items were actually sent to.

    Misaddressed, then it's a GDPR issue that lies with the passport office.

    Misdelivered, the issue lies with An Post but was the data breach contingent upon the 3rd party opening mail not directly addressed to them? Which IIRC is a statutory offence.
    Rather than returning to sender?


  • Registered Users Posts: 459 ✭✭Dytalus


    JDxtra wrote: »
    GDPR breach for an item posted to the wrong address? I've heard it all now.

    Absolutely, if that item contains personal data. Strictly speaking, if the package remains unopened it doesn't qualify as a breach - the personal data inside hasn't been revealed. But if it has been, then An Post (or the passport office, if they put the wrong address on the package) have failed in their duty of care to an individual's personal data.

    Either way, the ICO/DPO of An Post (or the passport office) is going to want to know what's happened so they can weigh up whether a report needs to be sent to the Commission. This isn't to say they'll be fined or punished - data breaches happen, and they happen a lot. There's no way to stop them completely. If whoever is responsible takes the requisite steps to stop it happening again, the DPC tends to be happy enough. Only repeated, or egregious, breaches tend to earn fines from the Commission.


  • Registered Users Posts: 1,097 ✭✭✭Mundo7976


    antodeco wrote: »
    Thanks for that. It was opened as that was how it was found whose it was. I might start off with the passport office and work back!

    I'd also be concerned with why that person opened mail that didn't have their name or address on it!


  • Registered Users Posts: 16,973 ✭✭✭✭Sleeper12


    Shock horror, something gets delivered to the wrong address.


  • Registered Users Posts: 1,621 ✭✭✭flexcon


    I have to be careful of GDPR in my workplace and if we were to find out a delivery went to the wrong place the problem would be the name and details of the payer are in that box with the billing document. That there is your grey area.

    We switched to email invoicing only to prevent that.

    In OP's scenario I am not sure if this is the same and GDPR would cover it.


  • Banned (with Prison Access) Posts: 547 ✭✭✭Duffryman


    I'm just confused by how OP says in the first post that 'the correct address was on it' and that the person who actually received happened to know his wife (so no need then to actually open the envelope to see what it contained, or who it was intended for).

    Yet a few posts later, he says it was only by opening the envelope that the person who actually received it found out whose it was.

    So, was the wife's correct name and address on the envelope or not?


  • Registered Users Posts: 5,853 ✭✭✭daheff


    flexcon wrote: »

    We switched to email invoicing only to prevent that.

    I'd imagine cost, timeliness & traceability was more likely the reason for this.

    Oh- and living in the 21st century!


  • Registered Users, Subscribers Posts: 13,464 ✭✭✭✭antodeco


    Duffryman wrote: »
    I'm just confused by how OP says in the first post that 'the correct address was on it' and that the person who actually received happened to know his wife (so no need then to actually open the envelope to see what it contained, or who it was intended for).

    Yet a few posts later, he says it was only by opening the envelope that the person who actually received it found out whose it was.

    So, was the wife's correct name and address on the envelope or not?

    All the correct details on the envelope. However, my wife's (married) surname would be different to what this person would know. When they opened it, they saw the picture, saw the first name and put 2 and 2 together.

    They delivered the passport and passport card the same day. Both had the same name and address on them. However, one went to the correct address, and the other to a very different address in the locality. (Different number and different road).

    I accept that mistakes can happen, however, a severely valuable document such as a passport, I would assume should have better accountability.


  • Banned (with Prison Access) Posts: 547 ✭✭✭Duffryman


    Thanks for the answer. But if the envelope that was wrongly delivered had the correct house number and street name (or estate name) on it, still wondering why the person who got it apparently had to open it before realising who it was intended for?

    If he/she wanted to do the right thing, he/she would only have had to bring the envelope to that house and drop it into the letterbox there. Or else just drop it back to any Post Office or postbox with a note, ‘wrongly delivered’.

    Seems to me that An Post are ‘guilty’ of wrongly delivering post all right, but I honestly don’t see a GDPR breach, since the only data they ‘shared’ with a third party was your wife’s name and address – and since that third party knows your wife, they already had that data anyway.

    As somebody else pointed out here, the contents of that envelope are protected by law, and by opening it, that third party actually committed a criminal offence. There’s your real issue, if you want to make one of it.


  • Closed Accounts Posts: 886 ✭✭✭Anteayer


    I've had mail delivered to me for the wrong county!
    The top line had a house name which is almost the same as ours, so I can only assume it was misdirected by an IT system but I was amazed that this wasn't spotted by the postman.

    It's happened twice so far.

    My address is in Cork City. The other one is in Roscommon!!

    There was absolutely nothing wrong with the address btw. They were both bills from major utility companies with properly addressed, printed envelopes.

    I put them back into the post but I'm just baffled as to how it could even happen.


  • Registered Users Posts: 7,509 ✭✭✭the_pen_turner


    A few years ago I sent a birthday card to a friend with the address
    The old couple
    At the end of the long boreen
    Name of their local village
    Tipperary

    Not sure how it got there but it did
    The postman must have really scratched his head


  • Registered Users, Subscribers Posts: 13,464 ✭✭✭✭antodeco


    Duffryman wrote: »
    Thanks for the answer. But if the envelope that was wrongly delivered had the correct house number and street name (or estate name) on it, still wondering why the person who got it apparently had to open it before realising who it was intended for?

    If he/she wanted to do the right thing, he/she would only have had to bring the envelope to that house and drop it into the letterbox there. Or else just drop it back to any Post Office or postbox with a note, ‘wrongly delivered’.

    Seems to me that An Post are ‘guilty’ of wrongly delivering post all right, but I honestly don’t see a GDPR breach, since the only data they ‘shared’ with a third party was your wife’s name and address – and since that third party knows your wife, they already had that data anyway.

    As somebody else pointed out here, the contents of that envelope are protected by law, and by opening it, that third party actually committed a criminal offence. There’s your real issue, if you want to make one of it.

    So a GDPR breach only kicks in if someone else views content? IE, I email your details to 1000 people, but unless any of them open it, it's not a GDPR breach? (Accepted that there is a separate law for opening post)


  • Banned (with Prison Access) Posts: 547 ✭✭✭Duffryman


    I don't claim to be a GDPR expert. I do happen to know one, but I'm not allowed to share his details with you :)

    All I was saying is that in this very much layman & amateur observer's point of view, I don't see a GDPR breach by An Post here.

    Still wondering about why the third party 'had to' open the envelope, if the correct house number and street name/estate name was on it.


  • Closed Accounts Posts: 886 ✭✭✭Anteayer


    Until we’ve had some cases it’s hard to know tbh.


  • Registered Users Posts: 445 ✭✭Garibaldi?


    Was the letter registered? I recently sent a sensitive communication in the post. Very clearly and precisely addressed. I did not get the confirmation email. So I checked Track and Trace and found it was "still being processed". Rang up the Centre and was told this was most unusual because it's invariably a two-day procedure. Advised to make an official report about it to An Post, which I did. I have registered post hundreds of times, sometimes containing money for presents etc and this has never happened before. Really worried that this has been accessed by someone other than the intended recipient! Very strange. Thankfully I made a copy of the content, but the matter of the wrong person seeing it is still a concern.


  • Registered Users Posts: 445 ✭✭Garibaldi?


    Registered post is usually so reliable. I sent away an item at 2pm yesterday and received the delivery confirmation email at 9.13 am this morning. That's what makes the customer so concerned if a registered item did not reach its destination. In fairness, An Post will go to some lengths to solve the mystery. If you need to send sensitive documents it's advisable to register an envelope. It's a source of concern if the item cannot be found!


  • Registered Users Posts: 1,795 ✭✭✭Mrcaramelchoc


    dudara wrote: »
    Actually, we discussed a similar scenario when helping a client prepare for GDPR.

    Imagine payslips that get sent in the post. The sender has responsibility for getting them safely to the recipient. If they go missing, then there is potential for misuse of the data. Therefore, the sender should look at other means of securely sharing the payslips with the employee.

    In this case, I would expect the Passport office to send documents via Registered Post to ensure that they arrive safely. Were they sent by registered post?

    Technically, a passport lost in such a way would be a data breach. But there also has to be an element of practicality here, and an assessment of the risk to the individual before a complete determination could be made.

    I agree with everything you say, but are there any allowances for a mistake?
    This postman never delivered one wrong letter in his career until this day and he made a mistake, took his eye off the ball etc does GDPR allow for this at all?
    Passports are sent by swiftpost they don't need to be signed for.


  • Posts: 0 [Deleted User]


    antodeco wrote: »
    Thanks for that. It was opened as that was how it was found whose it was. I might start off with the passport office and work back!

    Whose name was on the envelope?


  • Registered Users Posts: 445 ✭✭Garibaldi?


    Mrcaramelchoc wrote: »
    I agree with everything you say, but are there any allowances for a mistake?
    This postman never delivered one wrong letter in his career until this day and he made a mistake, took his eye off the ball etc does GDPR allow for this at all?
    Passports are sent by swiftpost they don't need to be signed for.

    I don't think it's about blaming anyone if a registered item does not reach its address. More about establishing what happened to it. In some cases it would be better if it had been accidentally destroyed than lost. If it remains "lost" the sender does not know where it has gone/will go or who may access it.

