GDPR status: failed

I recently received a letter in my mailbox. It was sent to our address, but to someone who lived there before us, and we moved in five years ago. To make matters worse, it was sent by a private hospital and seemed to have some weight. How does this happen a year after GDPR?

I see this as a GDPR failure in multiple steps. The first one is of course that you need to keep control of your data quality. By using an address that has been wrong for five years you obviously do not do that. I see several ways this can be fixed:

  • You can always check, when you have a patient, that the registered information is correct. My physician asked me this the last time I visited him, both for address and phone number.
  • You can use public registries. In Norway we have Folkeregisteret, where you can collect information on individuals' addresses. As a hospital they will have social security numbers, so the identity of patients can be ensured.
  • You can use other forms of distribution. If you want to use mail, you can use types that require letters to be collected at the post office after an ID check. Another option is to use digital services like DigiPost, where ID is checked.
  • A small blame can be put on the postal service. The names of all occupants in our household are clearly marked on the mailbox, so when you have a letter from a hospital you might reconsider whether this is correct before placing it there.

The next problem for me came when I tried to notify the hospital. They state that:

Due to stricter privacy regulations (GDPR) we no longer present our email addresses here.

This is one of several actions to protect your security in your dialogue with us in the best possible way. Medical information is sensitive information and can therefore not be sent by email or anonymous web forms. We are sorry for the inconvenience, but hope you instead call us or use the contact form below to be called by us.

Translation of the hospital's privacy notice explaining why there is no contact option other than phone.

So they have made it hard for me to give them notice as well. So what have I done? I have sent a letter with some of this information, together with the original letter (unopened, of course), to the correct address, and a copy, by letter, to the hospital.

I think this case shows why GDPR is important, as distributing information without sufficient data quality or process quality can have consequences. I can't say that everything we have in our own organization is fully perfect, but as this hospital has acknowledged that it handles sensitive personal information and doesn't let you email them, they should also take more caution before sending this in letters.
