Oops! - wrong address

September 2011 - Intellectual Property. Legal Developments by Norrbom Vinding Law Firm, member of ius laboris.

Data protection
Letters containing sensitive personal data sent to the wrong address, emails sent without encryption, and disclosure of personal identification numbers without consent. These practices were strongly criticised by the Danish Data Protection Agency.
When local authorities process sensitive documents, security must be a top priority. Private data should not be compromised even though letters and emails end up at the wrong address – as can be seen from this complaint from the Danish Data Protection Agency.
A local authority sent a letter containing personal data about a citizen to the wrong address by mistake. Also, emails containing confidential and sensitive data about the citizen were sent without encryption. To make matters worse, the local authority also gave a private psychologist the citizen’s personal identification number without the citizen’s consent.
‘The local authority must get a grip on security.’ This is what the citizen wrote in his complaint to the Agency. He was far from happy with the local authority's slipshod practices.
In its defence, the local authority explained that the case worker was a temp and therefore unaware that letters containing sensitive data must be sent by registered mail. It further explained that answering emails without encryption was normal practice although it was against the rules. In addition, it was customary for the local authority to disclose citizens’ personal identification numbers when contracting with external service providers.
Strong criticism
The Agency sided with the complainant, pointing out that the letter which had been sent by post had been written on a computer. The letter was therefore covered by the Danish Data Protection Act. Since it had been sent to the wrong address, the security requirements of the Act had been breached.
The Agency also held that the practice of sending unencrypted emails containing confidential and sensitive data was a breach of the local authority's own policy as well as the Danish Data Protection Act. This breach gave rise to strong criticism from the Agency.
Finally, the Agency stressed that consent must be obtained before a citizen’s personal identification number may be disclosed. The local authority had not obtained the complainant’s consent, which was very unfortunate.
Norrbom Vinding notes:
  • that the decision shows that letters on paper are also covered by the Danish Data Protection Act if written on a computer;

  • that strict requirements are imposed on public authorities and how they handle personal data, particularly when sending emails which contain confidential and/or sensitive information; and

  • that it has been made clear once again that the framework within which individuals or entities outside the public sector can obtain information about personal identification numbers is very strict.
The above does not constitute legal advice and should not be relied upon as such.