Data protection breach?

[Rosie2000]

Without going into too much detail an account I have was used inadvertently by a member of staff to place an order for another customer. I’m waiting for a call back tomorrow and I’m presuming this needs referring to the ICO or does it depend on the information the third party was given from my account t?

it depends how you came to let the other person have access to your account. If you left it logged in, then yes, you could be in very serious troubel

sorry

You don't have to report every breach to the ICO, have a look at their website, they have some very good guidance for businesses. Very unlikely to be in serious trouble. The ICO isn't generally interested in breaches that only affect 1 person.

It depends on what data was breached and why?

You don't have to report every breach to the ICO,

yes you do

any update OP?

My understanding of the OP was that it was her data that was breached, so why would she potentially be in trouble?

Either way, I agree that the ICO tends to focus on major, large-scale breaches, not those that concern one person's data breached in error.

What kind of details are we talking about, OP?

Think I've read this different to everyone else. OP is a customer and her account has been used to make another customers order, caused by an error(?) by an employee of the company. Not that the OP is employed by them.

Or have I misunderstood?

That's how I read it too, violet.

You really don’t, claire. Only what used to be called a Level 2 breach. Anything lower than that you manage in house.

My understanding of the OP was that it was her data that was breached, so why would she potentially be in trouble?

I read it that she has allowed someone else access to her account, in which case, she will be the person in the wrong.

Maybe I misread that?

You absolutely do not have to report every breach. From ICO website-

“If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of any risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. You do not need to report every breach to the ICO.”

Yes, it’s my data that has been breached, due to an employee error. I am waiting for the company to call me back and I jut wanted to know how much of a fuss to make. Thanks

It all depends on what information was given to the other customer, if any. I'd guess it's more of an internal process issue that depending on the circumstances and impact may or may not need reporting to the ico. If no personal data has been shared or if what was shared isn't thought to have a detrimental impact on you id say it's not reportable but should result in their processes being reviewed.

It is absolutely not necessary to report every breach to the ICO.

I am a Data Protection Officer, we have had 9 breaches reported to me since GDPR came in and none have required reporting.

I would ask what information has been passed to the other custOmer. If it is just name and address there is little risk to you. If other information has been disclosed, ask the company what risk this puts you at.

I would also ask them how they plan to retrain staff or change procedures to reduce the ink of it happening again.

Ask the company to pay for you to have something like this OP.
www.experian.co.uk/consumer/how-to-report-id-fraud.html

You'll get alerts if anything happens on your credit report which could indicate someone attempting to apply for credit in your name.