As more than a few staff found out recently, you can lose control of email messages very quickly, especially through the use of large distribution lists. Two weeks ago, a VCH staff member accidentally sent a short message regarding the fact that another VCH staff was no longer in the employee Attendance and Wellness Program (AWP) to the “VCHA Management & Excluded Staff” distribution list. While this was fortunately a good news story about the staff person who is no longer on AWP because her attendance had improved, the message obviously should not have been sent to roughly 1000 people across the organization.
As regrettable as the original message was, it was equally, if not more troubling to see the responses from a number of staff members. From those who simply wanted everyone to know that they believed the email had been misdirected to them, to those who recognized that there had likely been a privacy/confidentiality breach and wished to point it out to others, it illustrated the need to pause before Replying To All. See Clay Adams’ blog post this week.
The first step in responding to any suspected breach is CONTAINMENT and reporting it to the Information Privacy Office, not further distribution. Obviously no one intended to exacerbate the problem by perpetuating the further circulation of the original message, but that was in fact what was happening.
Perhaps some may have been responding on their mobile phones and were not completely aware of who was on the original recipient list. This highlights the need to be vigilant with our communications, regardless of the device we may be using. In the circumstances here, it would have been much preferable for those recognizing the error to inform the sender, advise the Information Privacy Office and delete the message.
Issues have also been raised about the failure of MS Outlook to properly recall the message. I understand from IT that the feature is essentially “useless” (not in any technical sense of the word, just plain useless), which means do not rely on it. Understand that once it is sent; it is gone.
The Information Privacy Office recognizes the importance of email to our daily work and is, despite this incident, currently working with various stakeholders in the organization to develop a practical email policy that will enable staff to use email as a legitimate means to communicate business/health information, including confidential and personal information, in order to support the programs and activities of VCH. The policy will contain guidelines to minimize human error and secure transmissions depending on the level of risk posed by the type and volume of information being sent.
Your input is welcome! Please send your comments and suggestions to privacy@vch.ca.