Data Protection breach - what do I do?

[Watchkeys]

I rent out a vehicle via an agency. I turned down a booking, and the agent found another vehicle for the customer. I got a notification of a message having arrived re my booking, and discovered that I am party to the full conversation between the vehicle owner and the customer. This includes the customer's passport and driving licence details, proof of address, dates they'll be hiring the vehicle (so I know their house will be likely vacant), along with details from the vehicle owner about location of the vehicle, how to deactivate its immobiliser, and their address and other contact details.

There is a clause in the contract between vehicle owner and agency referring to the Data Protection Act, and a further clause regarding confidentiality, and the fact that personal information will not be shared for any other reason than to process the booking.

I feel that some authority needs to know about this, and I feel that other owners of vehicles, and potential customers, should know that their personal information isn't being kept personal. I don't want to use the agency any more, and think that others might make the same decision, but only if someone tells them it's happened. My information hasn't been shared, as far as I know, but how would I know?

What do I do, legally?

Thank you

Can't I get a reassuringly expensive one? ;)

@CeciledeVolangesdeNouveau what on earth would she be getting a solicitor for?

As has already been pointed out on this thread, OP should NOT refer this to the ICO. No idea why you think OP should get a solicitor. She doesn't have a claim against anyone.

Yes, that's right. Nobody has my data, apart from a business that doesn't store data according to legal contract.

If her personal data has been shared without a valid reason, there has been an illegal act and she has a claim. The ICO should be the first port of call but they tend to focus on big serious data breaches. A solicitor would be able to advise based on more info than the OP had been able to give. Feel free to keep trashing me though, it’s only literally my job.

It's a third party's data that's been shared with op

Still a data breach.

I really hope it isn't your job.

Could you please explain what standing the OP would have to sue the company? What loss has she suffered?

@CeciledeVolangesdeNouveau

Is it not your job to read the background correctly?

If her personal data has been shared without a valid reason

This hasn't happened. Nobody is trashing you. You made a mistake.

@CeciledeVolangesdeNouveau lol stop lying there is not a chance in hell this is your job, you've given the entirely incorrect advice.

Every single human being is capable of making a mistake, I work in cybersecurity and data protection and it is widely acknowledged that most security and information breaches are honest human error, that's why you have to do yearly training, and get refresher and awareness emails and activities at work.

1 small data disclosure which is what this is, it would barely hit the radar for ICO and would likely just trigger a template response about being careful with data, does not mean that the company as a whole is careless and everyone's data is at risk.

Report it to the company's Data Protection Officer, there should be contact details in their privacy policy, and give them the opportunity to address it.

Even if it was the OP's data, it would still be the wrong advice.

That's just nonsense. The OP has accidentally been sent some data through no fault of her own and she is a private individual. She is not a data controller and she commits no offence by processing the data in any way which is otherwise lawful.

So it's perfectly lawful to contact the other party. It's obviously not lawful to use the data to - say- clone the other party's identity.

Something similar happened to me a couple of years ago when I received an email from a GP surgery hundreds of miles away from me. Attached was a copy of a referral letter for someone with the same name as me, with all her medical history, etc,. I emailed the practice to report it as a data breach to them and the practice manager phoned me back to advise what they were going to do to ensure it didn’t happen again. Sadly, I think data isn’t secure in lots of organisations despite all the guides and protocols.

Do you make this big a deal out of everything in your life?

Everything is based on individual decisions to do what's right, that's how the world works, people make the decision not to hit the person annoying them, thus adhering to the laws about not hitting people.

In this case no one has made a direct decision to disobey Data Protection Laws, someone has made a mistake, they would not have been aware at the time that they were making that mistake, they didn't think 'hey what fun I'll send this persons info to the wrong person'.

Report it to the company and continue about your life,

A data breach is a data breach. OP doesn’t need standing to sue, she doesn’t have to sue, it doesn’t mean nothing has been done wrong. Thanks everyone who has trashed me and hope you end up getting some sort of resolution OP.

@CeciledeVolangesdeNouveau no one is denying it's a data breach, but that's not how a data breach is handled, imagine if the ICO had to deal with every data breach that has occurred, there is a threshold that has to be reached which likely hasn't happened here but that is by the by as it is up to the data controller to handle and assess. You only bring in the ICO as an external party if it is not being handled properly.

I think I made that point obliquely but I’m not helping on this thread clearly so I’d like to check out if that’s OK.

@MissLucyEyelesbarrow it isn't nonsense at all, if what you said was true it would mean private individuals could do what they want with personal data and that is not true, there is a threshold by which you can start operating as a data controller (just look at ring cameras and the debate around those) rogue employees etc, if you come into possession of data you should not have you have a legal obligation still, if someone accidentally sent me a database of people and I then posted that online, despite the fact the data was accidentally sent to me through no fault of my own, and I am a private individual, I can still act unlawfully against GDPR. How else do you compel people to delete data when you have accidentally breached?

Your reading comprehension is shockingly bad.

Instead of doubling-down on your error, why don’t you read back on what the OP actually posted and you’ll see that her personal data was not shared.

Do you make this big a deal out of everything in your life

Thanks for the unnecessary judgement, @CyberCritical . I haven't made a big deal out of anything. Just getting some details clear, via a chat on a forum.

Thank you for admitting that the OP has no basis to sue. Can you explain why you advised her to consult a solicitor, then? Nice way to waste her money for no benefit.

Nobody that you know of.

OP what is it that you really want? Because I get a feeling that it’s more along the lines of either detriment to the company for some reason or some form of compensation.

OP was clearly bothered about it enough to post on here. A quick visit to a solicitor if the ICO and some googling don’t do the trick would clear it up further. The law is basically constructed so you have to waste your money clarifying it. Sorry but that’s the way it is. Please can you lay off me now.