Envelopes and GDPR


Privacy is a funny concept, isn't it? Very few people want the whole world to know what medical complaints they have. But most hospitals are open-access buildings, where the waiting rooms have large monitors to tell patients that their doctor is running late.

A few years ago I was sat in the proctology waiting room. Anyone who knew me would have seen I was waiting for a bum doctor. They may not have known my specific complaint, but the laser-display board announced that my appointment was with Doctor X. Anyone can look up Doctor X online and see that they specialise in removing foreign objects which have mysteriously found their way inside a person. Whither privacy?

But that's the kind of trade-off we make. It would be expensive to have individual waiting cubicles. And most people aren't famous enough to be recognised in public. And the chances of your neighbour also being in hospital are slim. And you might just be waiting for a friend. So we sort of hand-wave it away because it is a small but difficult problem to solve.

Anyway, a few months later, I received a letter from the hospital. It was delivered in a plain envelope with no hospital markings. The return address was a suitably anonymous bulk mailing service. There were no warning markings to say this was a medical letter. There is no way that my postman, my housemate, or my cleaner would have known what the letter was about.

But see if you can spot the incredibly subtle mistake that was made:

A letter addressed to me. Just inside the plastic window you can see the word "colonoscopies".

Printing a physical letter on paper and then folding it in such a way that both the address is displayed and the paper cannot slip is a surprisingly hard problem. I get letters from lots of organisations where this has happened.

But, before lighting up the pitchforks, what's the real harm that has occurred here and how could it be prevented?

My postie now knows some of my medical info. That's assuming they bothered reading past the address, and that they remember anything specific from the 500 letters they had that day. My postie seems nice enough - but I don't doubt that a postal worker somewhere could use this to blackmail or intimidate a vulnerable person.

Anyone with access to my letterbox, and who gets there before me, also has sight of my information. Again, I tend to trust the people I let in. But not everyone is so lucky. A sufficiently abusive person would have opened the letter regardless of what they saw.

A fully paper envelope with no plastic window reduces one specific class of error - but may be too expensive to implement at scale. And, of course, if there's no window then there is the chance that the wrong letter might go into an envelope addressed to someone else.

Would going digital solve this? Email is mostly end-to-end encrypted between the big providers, so it would be unlikely that anyone saw it as it was being delivered.

Most email clients show the first few lines of a message - and some of them will show that preview as a pop-up on a locked phone. So anyone with access to your device could see something untoward. A sender name and subject have to be useful to the receiver - but is "FROM: Proctology. RE: The object we pulled out of you" too revealing?

An email could be fairly anonymous and link to a download portal of the real message. But that's quite a lot of work for a user to do. And an abuser could still have access to your device.

An email encrypted with your public key and sent with a cryptic subject line is the sort of theoretical magic that geeks love, while forgetting that most people reuse their passwords and leave their laptops unlocked in the coffee shop.

What I'm getting at is that there's no perfect solution. Only incremental changes which may introduce a new class of problem.
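As an added illustration (not code from the post), here is a small model of the folding problem described above: the envelope window exposes a band of lines, the folded sheet can slip, and only address lines should ever be able to fall inside that band. The window geometry, the slip tolerance and the sample letter are all constructed assumptions, and the padding fix is the "leave blank lines after the address" approach.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Window:
    """Envelope window geometry in page lines (constructed, not from the post)."""
    first_line: int   # first page line the window exposes, 0-based
    height: int       # number of lines visible through the window
    slip: int         # lines the folded sheet may shift up or down inside the envelope

def visible_lines(window: Window) -> range:
    """Every page line that could show through the window at some slip position."""
    start = max(0, window.first_line - window.slip)
    stop = window.first_line + window.height + window.slip
    return range(start, stop)

def leaked_lines(page: list[str], address_len: int, window: Window) -> list[tuple[int, str]]:
    """Non-blank lines below the address block that could be read through the window.

    The first `address_len` lines are the address and are allowed in the window;
    any other non-blank line that can reach it is a leak, like the word in the post.
    """
    return [(i, page[i]) for i in visible_lines(window)
            if address_len <= i < len(page) and page[i].strip()]

def pad_address(page: list[str], address_len: int, window: Window) -> list[str]:
    """Insert blank lines after the address so no body line can reach the window.

    The body is pushed down to the first line that stays hidden even at maximum slip.
    """
    first_safe = window.first_line + window.height + window.slip
    padding = max(0, first_safe - address_len)
    return page[:address_len] + [""] * padding + page[address_len:]

# Constructed sample letter: a four-line address followed immediately by the body.
ADDRESS = ["Mr T Example", "1 Sample Street", "Sampletown", "SA1 1AA"]
BODY = ["", "Dear Mr Example,", "Re: colonoscopies", "Your appointment is confirmed."]
SAMPLE_PAGE = ADDRESS + BODY
# Assumed window: shows five lines from the top; the sheet can slip two lines either way.
WINDOW = Window(first_line=0, height=5, slip=2)

if __name__ == "__main__":
    print("leaks before padding:", leaked_lines(SAMPLE_PAGE, len(ADDRESS), WINDOW))
    fixed = pad_address(SAMPLE_PAGE, len(ADDRESS), WINDOW)
    print("leaks after padding:", leaked_lines(fixed, len(ADDRESS), WINDOW))
```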



6 thoughts on “Envelopes and GDPR”

  1. Ian says:

    Working at a firm many moons ago where something similar happened and led to a justified complaint - we introduced a simple design change -- at least four line feeds between the address and the content.

    1. says:

      I was just thinking exactly the same thing.

      The MVP solution here is "don't put the word colonoscopy where it can find its way to the window"

  2. says:

    You're probably right that your postman isn't interested. But what if your postman is a drinking buddy, or a relative?

    Or if the letter refers instead to contraception or abortion, and is sent to a young woman who lives with her religiously-repressive parents?

    In response to Ian's comment: Four line feeds might result in a small percentage of letters going on to an extra page. For an organisation as vast as the NHS, a small percentage can still mean a big cost, both financial and environmental.

  3. says:

    @blog about the window in the envelope, there are low tech/low effort solutions to this problem, such as adding sufficient padding around the address, or even leaving the top third of the page blank, allowing for nothing but the address to be on it. It's also a matter of sensibility to privacy (and equivalently other similar issues) by people who design and implement such systems.

  4. says:

    I have managed to get most letters as email/SMS links to the (annoying/unreliable, needs some UI work) Dr Doctor system for most correspondence. This is a huge access win for me. However, I do still get some postal letters (I think it's secretaries vs central appointments) which means the e-system isn't complete... Need to chase GP about full historical content access in NHS App.

    An option for a snailmail letter is not to use nasty plastic windowed envelopes (harder to recycle) and have a fully paper envelope with address on it separately. This is how hospitals around here do it.

    My ortho hospital asks at clinic checkin on the stupid screens (they have other issues and bad touchscreens and terrible UI) if you are OK having your name up on the screen or not alongside the racist immigration and 'we don't actually comply with the AIS' sensory impairment questions.

    The name calling screen doesn't say which doctor Named-Person is seeing just "go to rooms xx-to-yy" down a large corridor which is the clinic-area. The rooms are not consistent appt to appt, although I can guarantee as a mobility impaired person that when I have the most pain it's the furthest one (sodding Murphy)!

    There is a separate screen with clinic names/doctors and approx waiting times.

    So there's clearly hospitals who have thought of many of the issues you raise. None which would arise at this hospital!

