to wonder whether what I can do about a statutory service provider having sensitive and confidential information about my DD to a wrong address? Anyone with legal experience?

[AbsolutelyFumingness]

I live at Number N Grove Drive, postcode XXN XNN.

An official, statutory service provider were going to send me a letter in relation to DD. Really personal, sensitive confidential detail, with her date of birth attached.

The letter they were trying to send me (Mrs Absolutely Fumingness) went missing.

I asked them to email it to me on [email protected].

They emailed it to [email protected].

I rang them to tell them I still hadn't received it. They accused me of lying.

They then emailed it to me at my actual email address... at which point I discovered that they had addressed and posted the letter to Mrs Absolutely Fabulous at Number N Grove Avenue, postcode XXNN XMM

The trouble, Number N Grove Avenue, postcode XXNN XMM is an actual real address, and only a few miles from here.

So now, other members of the public have a terrifying amount of very specific knowledge of some really sensitive and personal things about our daughter.

I have made a formal complaint against the statutory service responsible, but will probably be fobbed off or blamed.

Does anyone with any legal knowledge know what else I can do?

Really, I fear for DD's safety :(

(I've namechanged becaiuse I'm terrified. Please, if you recognise me, please don't identify me)

different you A £500,000 fine? That will be nice to threaten!

montmarte I'm just a very ordinarily anonymous person, but DH is relatively well known in the town where Grange Avenue is (ie where the letter got sent) and DD and I share his very distinctive surname. I sometimes wish I was called Smith!

Hi, sorry for delay in replying - I work for a legal services department in the civil service, don't really want to get more specific than that. Anything sensitive and personal we have to send by special delivery or encrypted email. That protects the information to a certain extent but you can't eliminate all human error and I know of cases where things have gone astray because someone mistyped a street name or some such mistake - then all special delivery does is make it arrive at the wrong address quickly and securely! When we find out we're very apologetic and explain to the person involved what happened, reassuring them that the letter was returned unopened if that was the case or making sure the person who received it is aware the information was sent to them incorrectly and is confidential. It's something we very much try to avoid.

Another vote for reporting them to the Information Commissioner. Ask the statutory service provider for the name of their Data Protection Officer (they must have one) send a formal complaint to them with a copy to the Information Commissioner. Tell them that you require them to take reasonable steps to check what has happened to the letter and if necessary take reasonable steps to recover it.

As others have said, go straight to the information commissioner. There's no point in complaining about statutory bodies to their own complaints process, because the public sector is congenitally incapable of either apologising or rectifying its own problems. The ICO has declared war on bad information governance and has been descending on departments like the wrath of God, with backing from senior figures in government (as ever, the people in the front line have their hearts in the right places and the seniors are fairly sensible: it's the middle management who are self-protecting oligarchs).

"Anything sensitive and personal we have to send by special delivery or encrypted email. l"

How would you go about sending encrypted email to a member of the public?

Different departments seem to have different systems; some like the police have a secure email system, others have a strange thing where you create a log in and password to access documents sent to you. We're a bit more basic and essentially create a password protected zip file and send that first, asking the person to confirm they are the correct intended recipient. Then we send the actual file separately afterwards. It's a faff because many email systems block password protected files as potential viruses and it's not that secure because anyone who had access to the recipient's email address could come back and say "Yes I'm Mrs X, please send the file". But that's what our guidance says to do...

In reality if it's anything that we think is "properly sensitive" and there would be howls of anguish if it went astray, we insist on proof of postal address and send it hardcopy.

I send email attachments that are password protected to our clients.

It's very straightforward to do and most recipients manage to open them.

Sorry that wasn't too clear - we send the password itself first in one email and send a second email with the file once we've had confirmaton that it's going to the right place.

I have had similar problems too. My children's passports were delivered by special courier to no X Y Road whereas we live at no x Y Crescent. The road is a 10 minute walk up the road and luckily the occupant noticed, she had recently applied for a passport herself, recognised the distinctive envelope and brought them round straight away.

This is all really helpful.

My only concern is that the ICO website says that they "usually" need you to complain to the organisation involved first. However, given that the organisation lost my initial complaint, then refused to put my telephone call through to the complaints manager and then appointed an investigator who accused me of lying about my address - I think I could make a good case for exceptional circumstancs.

Thank you all.

I think this may have gone extraordinarily out of hand.

MOST people receiving a letter addressed to someone else wouldnt be interested in it.

You are getting worked up beyond any reason.

It is annoying.
It is frustrating.

But its happened,Let it go.

Complain to the relevant body and then forget it.

I can see what you're saying. But as you can probably imagine, there is a bit more to this situation that I have felt safe disclosing on MN. If it were an isolated incident, though, I would agree with you.

I know there must be more to it,but I dont think you will realistically get anywhere with your grievance/complaint.

I have a very unusual surname too and it does worry me that if a letter went astray people could easily find out very personal stuff about me too.

If the information was of an extremely sensitive nature (i.e) about medical, racial, financial, sexual or legal matters than it is a breach of the Sensitive Information Confidentiality Code (part of the Data Protection Act (DPA). If that is the case, you should definately pursue the matter via the Information Commissioners office.

However, if it is just that you feel it is sensitive because it has your childs name and address on it, then, although it is a minor breach of the DPA, it is probably not worth pursuing as it is just a clerical error.

So you need to decide which of the two it is.

Of course you should complain to the ICO, it is what it is there for.

However, as regards MrsAbFab, I would just let it lie. Chances are she saw the letter, realised it was nothing to do with her and has either returned it to sender or binned it. There is no reason to think she is going to actually do anything with the info, and she may in fact have forgotten whatever she read. If you contact her/remind her of it it may suddenly be of more interest iyswim.

Angree (love the name!) Thanks for highlighting the distinction. I'll look up the SICC. The correspondance did highlight racial issues in the way they misspelled the surname but our ethnicity is already fully in the public domain. But medical and legal, yes, potentially.

Halibo I think I agree. My only concern is that the surname, albeit misspelt, is distinctive, and easily linked with DH who is well known in the area. But I have written to the organisation responsible asking what they propose to do about it.

"I send email attachments that are password protected to our clients."

Unfortunately, most of the software used to do that is total crap, and provides about as much security as putting a piece of selotape over the flap of an envelope. The best solution would probably be to organise a username and password with the punter (over the phone, by letter) and use that to log on to a secure web site, because most people do have a piece of software that offers high-quality crypto, ie a web browser. Things like encrypted zip are pretty rubbishy, to put it mildly.