OVERVIEW:
Applies to: PDF-EXPLODE users sending invoices, payroll, tax, or medical documents by email.
PDF-EXPLODE enables automated email delivery of PDF documents.
While many business documents (such as invoices) can be sent openly, documents containing personal, financial, or medical information must be secured.
In most jurisdictions, emailing unprotected sensitive documents is considered a data breach, even if sent to the correct recipient.
This article explains:
- Which document types require passwords
- Why password protection is legally required
- The applicable U.S. and European (GDPR) regulations
- Best-practice password methods
DETAILS:
What Is Considered “Sensitive Data”?
Sensitive data includes any information that can identify a person or expose private details, such as:
- Date of birth
- Government ID numbers (SSN, National ID)
- Tax information
- Payroll and income data
- Medical or health information
- Patient or employee identifiers
When such data is present, password protection is mandatory.
Document Types and Password Requirements
| Document Type | Password Required | U.S. Legislation | European (GDPR) Basis |
|---|---|---|---|
| Invoices (B2B / B2C) | ❌ No | Not regulated | Generally not personal data |
| Account Statements (non-personal) | ❌ No | Not regulated | Not personal data |
| Payslips / Pay Stubs | ✅ Yes | IRS, FTC Safeguards Rule | GDPR Art. 32 (Security of Processing) |
| W-2 / 1099 Tax Forms | ✅ Yes | IRS Publication 1075 | GDPR Art. 32 |
| Payroll Reports | ✅ Yes | FTC Safeguards Rule | GDPR Art. 5 & 32 |
| Medical Reports | ✅ Yes | HIPAA | GDPR Art. 9 (Special Category Data) |
| Patient Results / Referrals | ✅ Yes | HIPAA | GDPR Art. 9 |
| HR Records | ✅ Yes | State Privacy Laws | GDPR Art. 32 |
| Any document with DOB or ID numbers | ✅ Yes | FTC / State Laws | GDPR Art. 32 |
U.S. Legal Requirements (Summary)
In the United States, unprotected transmission of sensitive documents may violate:
- HIPAA – Medical and patient data
- IRS Safeguards (Pub 1075) – Tax documents
- FTC Safeguards Rule – Payroll and employee data
- State privacy breach laws
Sending sensitive PDFs without encryption or password protection can trigger:
- Mandatory breach notifications
- Financial penalties
- Civil liability
European GDPR Requirements (Summary)
Under GDPR, organizations must:
- Protect personal data against unauthorized access
- Apply “appropriate technical measures” (Article 32)
- Apply higher protection to medical and health data (Article 9)
Emailing a PDF containing personal data without protection may be considered:
- A failure of security controls
- A reportable data breach
- Grounds for regulatory fines
GDPR does not require passwords to be sent separately; it requires that data is protected in transit.
Recommended Password Method (Best Practice)
The safest and most widely accepted approach is:
- Passwords are generated from information already known to the recipient
- Examples:
  - Date of Birth (DDMMYYYY or MMDDYYYY)
  - Family name + DOB
  - First name + last 4 digits of ID number
  - Patient ID (partial) + DOB
- No password is transmitted
- No password storage required
- No pre-advice necessary
- Fully compliant with U.S. and GDPR requirements, and with requirements in most Western countries, including Australia, the UK, Canada and New Zealand
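One way to express these rules in code, as an added example (not PDF-eXPLODE's tag syntax and not code from this article): each protected document type from the table maps to one recipient-known password recipe, and a missing field holds the document back instead of letting it go out unprotected. The type keys, field names, rule-to-type assignments and the upper-casing/space-stripping normalisation are assumptions made for the illustration.

```python
from datetime import date

class MissingField(Exception):
    """Signals that the document must be held back, not sent unprotected."""

def _dob(rec):
    # "Date of Birth (DDMMYYYY)" recipe from the article
    if not isinstance(rec.get("dob"), date):
        raise MissingField("dob")
    return rec["dob"].strftime("%d%m%Y")

def family_name_dob(rec):
    # "Family name + DOB"; upper-casing and dropping spaces is an assumed
    # normalisation so the recipient can reproduce the value exactly
    name = "".join(str(rec.get("family_name") or "").split()).upper()
    if not name:
        raise MissingField("family_name")
    return name + _dob(rec)

def first_name_last4(rec):
    # "First name + last 4 digits of ID number"
    first = "".join(str(rec.get("first_name") or "").split()).upper()
    digits = "".join(c for c in str(rec.get("id_number") or "") if c.isdigit())
    if not first or len(digits) < 4:
        raise MissingField("first_name/id_number")
    return first + digits[-4:]

# Types the table marks as not requiring a password (hypothetical keys)
OPEN_TYPES = {"invoice", "account_statement"}
# One fixed rule per protected type, so operators never choose (assumed mapping)
RULES = {
    "payslip": family_name_dob, "payroll_report": family_name_dob,
    "hr_record": family_name_dob, "tax_form": first_name_last4,
    "medical_report": family_name_dob, "patient_result": family_name_dob,
}

def password_for(doc_type, rec, contains_dob_or_id=False):
    """Return None for open documents, else the per-recipient password."""
    if doc_type in OPEN_TYPES and not contains_dob_or_id:
        return None
    # Unlisted types and flagged documents fall through to a protected rule
    return RULES.get(doc_type, family_name_dob)(rec)

# Constructed sample recipient, not real data
SAMPLE = {"first_name": "Ana", "family_name": "van Dyk",
          "dob": date(1985, 3, 7), "id_number": "000-12-3456"}

if __name__ == "__main__":
    for t in ("invoice", "payslip", "tax_form"):
        print(t, "->", password_for(t, SAMPLE))
```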
Important Do’s and Don’ts
Do:
- Automatically apply passwords based on document type
- Use recipient-known information
- Use consistent rules across all documents
Don't:
- Email passwords
- Reuse a single password for multiple recipients
- Leave password protection to user discretion
- Send medical or payroll documents unprotected
How PDF-eXPLODE Supports Compliance
PDF-EXPLODE allows password protection to be:
- Automatically applied by document type with the use of data variables inserted into the PDF-eXPLODE Tag
- Generated per recipient
- Applied by the PDF-eXPLODE process, without operator decision or intervention
This ensures:
- Consistent compliance
- Reduced human error
- Audit-ready delivery processes
Article ID: 138
Created On: Wed, Dec 17, 2025 at 9:44 AM
Last Updated On: Thu, Dec 18, 2025 at 9:06 AM
Online URL: https://kb.pdf-explode.com/article/when-and-why-pdf-documents-must-be-password-protected-138.html