GDPR Breach of my personal details - how bad is this?

[GDPRissue]

Last week I received a letter from my housing association thanking me for paying by direct debit. The top of the letter was addressed to me - full name and full addresses but the content of the letter had another tenant (who lives fairly local but I do not know) full name, full address, amount of rent they pay, their bank sort code and bank account number (with the first few numbers starred out but the last numbers visible.

Yesterday I received a letter to basically say that someone else received the same letter but with all my details. They have said sorry and to dispose of the letter with the other details.

I have been away for a few days so I received both letters today.

I have had some GDPR training so I know this is a pretty bad breach, but in real terms is there anything I should I do about it? Notify my bank? Ask them to be aware of any unusual activity? Or just be vigilant and assume other tenant has binned the letter like I did?

My understanding is that you should be entitled to a full explanation of what has happened and how they have gone about rectifying it, and you can take it further if you aren't satisfied. Though I am not an expert.

I think I would contact them and ask for more details. Perhaps they knew what had happened because the other party contacted them? I would find that reassuring.

I also thought best practice would be to ensure the letters were returned to them, but again I'm not an expert.

I would ask them to investigate how it happened. I would hope they would do it anyway - was it a headed letter with the address in a window or was the address printed on the envelope itself.

It's not a big breach. People's name and address can be on the electoral register and the account number was not all there. You might ask them to get you alerts on something like Equifax.

I don't think it's reportable to the ICO. Not all breaches are reportable. If the whole account number was present, then that would be reportable.

Thanks both, that's reassuring.

I will get in touch tomorrow for some further information I think. Agree that I would be quite happy if it was just a mix up between me and one other tenant and they reported it. However, I'm thinking that it may have been a mail merge or something gone wrong, so technically hundreds of incorrect letters could have gone out.

The letter has my details on the top address section (so when folded would show in envelope window), it was address to me (as in Dear Ms XXXX) but the body of the letter had the other person's details.

I hope you have a reassuring outcome from the contact.

Thank you

Ask them to pay for Cifas protective registration for a year. If you, or anyone using your details, applies for a financial facility with a Cifas member (most of the big banks, insurers etc) you will be contacted to ensure that it is a genuine application

Phone the Information Commissioner’s Office or start a live chat on their website. They are experts and can help.

I had something similar with my bank, they paid me £100 (it wasn't my details, I got someone else's letter). They investigated, informed the other person, I destroyed the letter. You complain to them in the first instance, if you are unhappy with their resolution then you go to the ICO. The HA will (should) record the incident and have to report it if it is serious enough.

This has also happened to me! What housing association are you with?

It’s human error, in my old job previous things similar happened minus bank account details but was sheer lack of not double checking what was being shoved in the envelope

@Tiredtessy it doesn't matter if it was human error or a deliberate corporation wide conspiracy, it has to be investigated with measures taken to ensure it doesn't happen again.

It's very strange for a mail merge to have the correct address on the top of the letter and correct name - and then for the full name, address and details of another individual to be in the rest of the same letter. It should all be pulling from the same data source with a common link to the OP.

I hope their investigation sheds some light on what happened.

I’m not saying it isn’t important but you couldn’t have investigated what I told you as there was nothing to investigate but it wasn’t mail merge. Doctors and nurses make mistakes and people die so I just can’t get overly excited about this, sorry!

’m not saying it isn’t important but you couldn’t have investigated what I told you as there was nothing to investigate but it wasn’t mail merge

Mistakes do happen. Not using BCC in emails, making errors when putting things in envelopes.

But it is personal details. In some cases, personal, sensitive information. I would hope that in 99% of the time, nothing harmful would happen if a stranger got hold of your sensitive data in this way but people can do misuse sensitve personal data. Systems can always be improved to help minimise such mistakes.

@Tiredtessy of course an investigation would still need to happy, even if it did just find human error, it would need to then be raised with the employee and then recorded. Just because there isn't an "exciting" result doesn't mean it doesn't need looking into 🤨

*happen