T 3.13 Passing on false or internal information

When information is passed on to other people, information other than what was intended is disclosed time and time again. Confidential information or information not intended for the public constantly falls into the wrong hands in this manner. This can happen when data media are mailed or otherwise handed over, as well as when information is exchanged in person, over the telephone, or using any other form of data transmission. Data is also unintentionally given to other people when data media that were supposedly erased are handed over, sold or disposed of.

A data medium that is sent or otherwise passed on may contain data from earlier transactions that is not intended to be disclosed to the recipient. The recipient can read this data if the sender does not specifically and physically delete it beforehand.

If the data to be transferred is located in a directory together with additional data that also requires protection, then there is a risk that this data will be transferred accidentally on the data media together with the rest of the data (e.g. because the entire directory was copied for the sake of simplicity) and disclosed to the recipient unnecessarily (in an unauthorised manner).
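The two cases above (leftover data from earlier transactions, and files swept along when a whole directory is copied) can be caught by comparing the medium against an approved list before it is handed over. The following Python sketch is an added example and not part of the original catalogue text; it assumes the medium is mounted as a directory and that a manifest of approved files with their SHA-256 hashes exists, and the names audit_medium, sha256_of and demo are hypothetical. It only sees files visible in the file system, not remnants of deleted data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_medium(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under root with the approved manifest
    (relative POSIX path -> SHA-256 of the approved content)."""
    found = {p.relative_to(root).as_posix(): p
             for p in root.rglob("*") if p.is_file()}
    return {
        # present on the medium but never approved for this recipient
        "unexpected": sorted(set(found) - set(manifest)),
        # approved but not on the medium
        "missing": sorted(set(manifest) - set(found)),
        # same name, but content differs from what was approved
        "modified": sorted(n for n in set(found) & set(manifest)
                           if sha256_of(found[n]) != manifest[n]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a temporary directory stands in for the medium."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "offer.txt").write_bytes(b"Offer for customer A\n")
        manifest = {"offer.txt": sha256_of(root / "offer.txt"),
                    "terms.txt": hashlib.sha256(b"Terms\n").hexdigest()}
        # Left over from an earlier transaction with another customer
        (root / "old").mkdir()
        (root / "old" / "customer_b.txt").write_bytes(b"Prices for B\n")
        # Copied along with the directory; hidden files are easy to miss
        (root / ".notes_internal.txt").write_bytes(b"Internal margin\n")
        # Approved file edited after approval
        (root / "offer.txt").write_bytes(b"Offer for customer A (draft)\n")
        return audit_medium(root, manifest)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Any entry under "unexpected" or "modified" means the medium should not leave the sender until it has been checked.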

Data records are often transferred directly over a data network, for example via email on the Internet, a modem connection, internal company networks or an X.400 service, instead of on a physical data medium. Many communication programs offer the ability to use short abbreviations or codes for complex address structures, and distribution lists for sending multiple copies at the same time. If such distribution lists are not administered at a central location or updated at regular intervals, data records may be sent to addresses belonging to people who are no longer authorised to receive such data.

Time and time again, data media are passed on, sold or disposed of without the information stored on them being completely erased. The simple delete commands available on most operating systems can be undone, or the deleted data can be reconstructed using freely available software tools. In this case, data that has supposedly been destroyed can be read and used without authorisation.

Even when documents are sent via traditional mail, confidential documents are accidentally sent to the wrong recipients all the time, and letters are printed out with internal comments and placed in the envelope without the comments being noticed. Documents from which only a few pieces of confidential information need to be removed, such as people's names, are also often transferred. In such cases, the information may not have been removed, or may have been removed only in part, for example because some passages were overlooked or the wrong removal method was chosen.

Examples: