Data Protection Officer - requirement to disclose?

[TolstoyAteMyHamster]

Long back story, but essentially does a firm have to disclose the name of their DPO to someone who has been the victim of a data breach?

I think my elderly dad is being fobbed off - he's been told by a large firm of solicitors that they don't have to tell him that information because he isn't a client. Which he isn't but they have his data and have shared it with - as far as I can tell - absolutely no reason for doing so. He says the paralegal apologised on the phone but wouldn't/couldn't give the name, and all his follow up emails have been ignored.

I know we can go direct to the ICO but for various reasons I'd like to help him help them do the things they should do before we go down that route. Not least because I am neither a lawyer nor a data protection expert so want to check they have done something they shouldn't before taking it further.

I don't think they have to have a name but they have to be contactable via generic details e.g. [email protected]. You can search the ICO register for the company name and it should bring up the DPO details ico.org.uk/ESDWebPages/Search

Hi Op do is there a partner you can contact on his behalf or aData Protection Officer. I would go that route first and if they won't reply state you will report them to the ICo. Do u know the firm ?

Thanks. That is helpful. I don't know which partner is overseeing the case and can't see the paralegal telling my dad. I think he has made the error and is trying to cover it up.

They are registered with the ICO so that's a start although the "data controller" name is different to the firm name. I just checked the company I work for and it's our name as data controller so I will have to investigate further.

It's a big firm in the Midlands. I don't know them - I live in the South West - but they have several offices and do a range of things (family law, conveyancing, immigration etc)

I think perhaps I will help him write an email to the solicitor on the case (not the partner) whose name Dad does know and explain the situation and ask for them to refer it to the DPO as a matter of urgency, or we will contact the ICO.

Dad is really upset by this but doesn't want to make a fuss. He's worried that they have sent a lot of information to people he doesn't know who are also involved in the case - details of assets, proofs of address etc, but doesn't want to prejudice his friend's case. And he doesn't want to tell my step mum because she has just been diagnosed with breast cancer and he doesn't want to worry her. While being worried himself about people having access to his financial information. I have told him we will speak to the bank and keep an eye on his credit report, but not sure that's going to stop him fretting.

They might not have a DPO. It isn't a requirement for every organisation to have a DPO although I would imagine a law firm would voluntarily appoint one. I would just ask to speak to the managing partner.

Will do. And that at least I can find online. Will help Dad draft something and see where we get to.