Chris's point is a good one in circumstances where you do not actually know what has been lost - steps should be taken in such cases to retrieve the material so that you can properly assess what remedial action to take. In other cases it is surely for the data controller to keep proper records of the breach. Failure to do so would in my view be a further breach of P7 and could be a serious aggravating factor when sanctions were considered. Asking the recipient to keep the 'evidence' should be unnecessary in such cases.

Subject: Re: [data-protection] Data breach and responsibilities of the recipient

 
I wonder if by asking the unintended recipient of the data to destroy it that you may be asking them to destroy evidence of your misdemenour(perhaps in the hope that it will go away), which may be a good thing for you but not for justice. Perhaps you should be telling them to inform ICO and see what ICO want them to do with it. 

Imagine the senario, "I've just been sent sent loads of really sensitive data from an NHS trust by mistake" "What was it". "Can't tell you cause I've destroyed it". "Who else was it sent to". "Don't know cause Ive destroyed it". "Who sent it to you". "I don't know who but it came from the hospital". 

Chris 

Chris Tinsley | Information Management Officer, GreenSquare Group 
tel: 01249 466112 | [log in to unmask] | Methuen Park, Chippenham SN14 0GU 

GreenSquare incorporates Oakus, OCHA, Sparrow, Tidestone, and Westlea Housing 
housing people, building communities 
www.greensquaregroup.com