Legal matters

Mumsnet has not checked the qualifications of anyone posting here. If you have any legal concerns we suggest you consult a solicitor.

Data Protection breach - what do I do?

133 replies

Watchkeys · 30/12/2023 08:55

I rent out a vehicle via an agency. I turned down a booking, and the agent found another vehicle for the customer. I got a notification of a message having arrived re my booking, and discovered that I am party to the full conversation between the vehicle owner and the customer. This includes the customer's passport and driving licence details, proof of address, dates they'll be hiring the vehicle (so I know their house will be likely vacant), along with details from the vehicle owner about location of the vehicle, how to deactivate its immobiliser, and their address and other contact details.

There is a clause in the contract between vehicle owner and agency referring to the Data Protection Act, and a further clause regarding confidentiality, and the fact that personal information will not be shared for any other reason than to process the booking.

I feel that some authority needs to know about this, and I feel that other owners of vehicles, and potential customers, should know that their personal information isn't being kept personal. I don't want to use the agency any more, and think that others might make the same decision, but only if someone tells them it's happened. My information hasn't been shared, as far as I know, but how would I know?

What do I do, legally?

Thank you

bellinisurge · 30/12/2023 09:01

Contact Information Commissioner's Office. It's fairly straightforward. I'll get you a link

bellinisurge · 30/12/2023 09:03

ico.org.uk/for-organisations/report-a-breach/personal-data-breach/

Just because it doesn't affect you directly (and understandably you don't know that for sure) doesn't mean it's ok

qpalbfy · 30/12/2023 09:06

Don't report it to the ICO, they will tell you to deal with the controller first. In the first instance complain to the company, they will determine whether it is reportable to the ICO, if you have exhausted the complaints process and still not satisfied with their approach or assessment of the breach, then you report to the ICO. And it'll take them months to respond to you.

HeddaGarbled · 30/12/2023 09:07

I’d just let the agency know so that they can tighten up their system in future.

GoodOldEmmaNess · 30/12/2023 09:12

qpalbfy · 30/12/2023 09:06

Don't report it to the ICO, they will tell you to deal with the controller first. In the first instance complain to the company, they will determine whether it is reportable to the ICO, if you have exhausted the complaints process and still not satisfied with their approach or assessment of the breach, then you report to the ICO. And it'll take them months to respond to you.

This. Don't use the link provided above. That is for reporting a data breach in your own organisation, ie one for which you are responsible. If the company is legit, they will have their own policies and procedures for reporting breaches for which they are responsible. If you feel that they aren't being conscientious about this, run a mile. If you are concerned about your own personal data, ask them to delete it all.

LemonTT · 30/12/2023 09:13

Tell the company responsible for the breach. Ask their data controller for assurances (not reassurances) that this has been dealt with properly, procedure followed, the breach logged and investigated etc.

Jf20 · 30/12/2023 09:13

Just let the company know. They need to tighten their procedures, it was clearly an error.

Livinghappy · 30/12/2023 09:23

@Watchkeys as others say, check for the data controller details on the company's website, should be on their privacy statement and let them know. You should obviously delete the data and inform the sender as well.

GDPR was developed in response to the changing online world and to define responsibilities and safeguards around personal data. It is there to ensure our personal data isn't being abused however the ICO know mistakes happen, mostly through human error and they don't seek to fine/criminalise companies when an employee makes a mistake.

Watchkeys · 30/12/2023 09:24

Thanks for your suggestions so far. What about other vehicle owners, though? Telling the company they've made a mistake, and making sure they've corrected it, is essentially a favour to the company. I don't want to do them a favour. I want people to realise that if they share their data with the company, it might be shared with strangers.

It clearly is a mistake, but I don't think that them telling me they're sorry and they promise not to do it again will really mean anything. They've broken a contract, so I don't trust them. I don't want to use a company that has form for being careless with people's data. I'm sure others would feel the same, but they're currently oblivious.

Torchdino · 30/12/2023 09:29

What people are saying is in the first instance you have to go through the company who are supposed to have procedures in place which for this sort of thing will include reporting to the ICO. If you aren't satisfied with their response then you escalate, but ICO won't do anything until you've done the above. Keep logs of all phone calls, emails, letters etc so if you do need to escalate you can provide these.

PeanutAndBanana · 30/12/2023 09:29

I complained to a solicitor who shared all my personal information (passport, payslips, bank statements) with three people I'd never met. They said "oh, sorry, but you can probably trust them because we have their details too". So I complained to the ICO who investigated, confirmed it was a data breach and said "we will write to the solicitor and recommend they review their policies". I was furious - given the solicitor had refused to acknowledge they had made a mistake to me I couldn't see how a gentle letter from the ICO would make any difference. So do complain (to the firm first then the ICO) but be prepared for a big pile of not very much to happen.

Watchkeys · 30/12/2023 09:38

Thank you @PeanutAndBanana It's good to hear from someone with a similar experience and who understands the frustration.

I'll contact the company and the two parties involved, in the first instance.

Thanks for your advice, everyone.

Livinghappy · 30/12/2023 09:39

Mistakes happen, no process can guarantee zero mistakes, especially emails. I assume the company had your email details saved in address book, hence the error. In the past this happened when post misdelivered or when letters put in the wrong envelopes. Since GDPR people assume errors will stop happening but that will never happen. The law is about stopping irresponsible companies (and individuals) and providing a framework to benchmark companies.

There is a responsibility on you to let the sender know and confirm to the sender you have deleted the email from inbox and trash.

qpalbfy · 30/12/2023 09:40

Telling the company they've made a mistake, and making sure they've corrected it, is essentially a favour to the company.

It's not a favour to the company, it is exactly how the legislation is set up. The best thing you can do for the other data subjects (and any other potentially impacted by poor processes) is to ensure the company is aware of the issue so they can remedy the situation for all involved, if it is ICO reportable they will be dealt with, they are legally obligated to report themselves if it meets the threshold, if you think it is and they haven't, that's when you can report it externally. But you really don't need to go vigilante here.

qpalbfy · 30/12/2023 09:42

@Watchkeys you don't need to contact the others, it really isn't your role, all you need to do is contact the company, it is their responsibility to inform the impacted data subjects (if it meets a threshold). I wouldn't want some random person contacting me to say they have my data, your responsibility (and it's a legal one, you can be held personally accountable under GDPR if you do not) will be to destroy the data. Let the company deal with it.

Watchkeys · 30/12/2023 09:48

There is a responsibility on you to let the sender know and confirm to the sender you have deleted the email from inbox and trash

v

you don't need to contact the others, it really isn't your role

Does anybody know the law pertaining to this? I've been given a stranger's passport, driving licence, and full contact details, and I feel like I need to tell them because I don't trust the person who gave them to me to pass the message on, not least because it's to their own detriment. Is there any law to say I shouldn't contact the person whose data I've been given? The fact that it's not 'my responsibility' isn't the same as whether I should do it or not. That would be a bit like walking by when someone falls over in the street, because it's not my responsibility to help them out, wouldn't it?

Soontobe60 · 30/12/2023 09:49

I assume the message contained a link which you then opened and then read, despite knowing it was not your booking?
Yes, it’s wrong of them to have sent the info to you but in reality it’s an error, probably made by some minimum wage admin person who will be in big trouble once their mistake is discovered.

Livinghappy · 30/12/2023 09:52

@qpalbfy - agree.

op, you don't have a legal right to hold data (email addresses if they contain their name) of the 3rd parties. Delete the data and confirm to the company you have destroyed the data. The risk to the 3rd parties is now low since you didn't do anything with their personal data and you have deleted it.

qpalbfy · 30/12/2023 09:55

@Watchkeys if you're wanting to go full vigilante and solve this yourself UK GDPR and the Data Protection Act 2018 are published online and you can read it for yourself, there is also a lot of information on the ICO website. If not, just contact the company you got the information from, but you're honestly blowing this out of proportion, it happens all the time, all you need to do is report it and delete your access to the data. If you're worried (and have valid reasons to suspect) the company won't fulfil their obligations under the DP legislation you can report externally to the ICO after speaking to the company, but that is the extent of your involvement.

qpalbfy · 30/12/2023 09:56

(The first part was sarcasm, you really should just report it to the company no matter what you know about the legislation, but if you did know the legislation, you'd know that's all you should be doing!)

Scaleyflagpole · 30/12/2023 10:05

Sounds like it was a mistake - they originally had you down as the renter ( but you declined) and they forgot to take you off the contact when they contacted and then agreed with another van renter.

This may have never happened before or it could have been someone new at their end so I wouldn't go overboard. No harm was done, unless you are planning on sharing or selling on the data you were copied in to!

Let them know you were included in correspondence and ask for assurances how they are going to make sure it doesn't happen again.

Don't overinvest. It wasn't your personal data that was shared you just saw something in error which you can delete.

Torchdino · 30/12/2023 10:13

No don't contact them, I've had my data shared this way before and I'd have hated it even more if someone had used that data they were mistakenly sent to contact me.

MissLucyEyelesbarrow · 30/12/2023 10:22

Livinghappy · 30/12/2023 09:39

Mistakes happen, no process can guarantee zero mistakes, especially emails. I assume the company had your email details saved in address book, hence the error. In the past this happened when post misdelivered or when letters put in the wrong envelopes. Since GDPR people assume errors will stop happening but that will never happen. The law is about stopping irresponsible companies (and individuals) and providing a framework to benchmark companies.

There is a responsibility on you to let the sender know and confirm to the sender you have deleted the email from inbox and trash.

This.

Express0 · 30/12/2023 10:22

Don’t contact the other party FFS!

Watchkeys · 30/12/2023 10:24

but you're honestly blowing this out of proportion

I haven't done anything :)
