Case Studies Data Breach Notification
Transfer of hard copy paper documents
The breach concerned an organisation that has a function in conducting independent reviews. The organisation was returning documents following the completion of its review process. The organisation normally encourages the use of a file transfer system for the transfer of subject records but also facilitates the sending of hard copies. In this instance, the sending organisation requested that the copies of records it had sent in hard copy be returned to it. The organisation returned these documents by post, and the envelope was reinforced and secure when it left the organisation. However, it was stated that it was not sent by registered post, which was the normal policy for the organisation when requesting hard copies from organisations to support the appeal / assessment process. When the envelope arrived back at the sending organisation, all of its seams were split and badly torn, and three pages were missing from the package.
The documents contained details related to vulnerable individuals. The nature and category of the data related to Article 4(1) GDPR and, while the documents did not contain any medical data, certain medical information could be inferred from the fact that the service user had engaged with the sending organisation.
The organisation had engaged with the postal service used when returning the details to the requesting organisation and, as part of its investigation into the missing three pages, it was established that the envelope was received undamaged by the postal service. However, it was not sent as registered post and so postal tracking was not available.
The organisation has committed to enforcing the use of registered post and to updating its policy to direct staff that, when returning hard copies to the data controller, steps are taken in line with Article 5(1)(f) GDPR and Article 32 GDPR to implement appropriate technical and organisational measures, such as ensuring the correspondence is registered with the postal service and that appropriate reinforced envelopes are used, to ensure a level of security and protection appropriate to any risk.
It was noted that the organisation had engaged with the postal service as part of its investigation into the missing three pages and had established that the envelope was received undamaged by the postal service. However, as it was not sent as registered post, the tracking of the envelope was not available.
It was also identified that, while the policy in use by the organisation did call out the use of registered post as the preferred method of postage, it was only mentioned in relation to the receipt of hard copies from the sending organisations. The organisation recognised this as an oversight within its own policies.
The DPC engaged with the organisation and advised it to update its policy on the returning of hard copies to organisations and to include this in staff training and awareness campaigns.