
Legal matters

Mumsnet has not checked the qualifications of anyone posting here. If you have any legal concerns we suggest you consult a solicitor.

Data Protection breach - what do I do?

133 replies

Watchkeys · 30/12/2023 08:55

I rent out a vehicle via an agency. I turned down a booking, and the agent found another vehicle for the customer. I got a notification of a message having arrived re my booking, and discovered that I am party to the full conversation between the vehicle owner and the customer. This includes the customer's passport and driving licence details, proof of address, dates they'll be hiring the vehicle (so I know their house will be likely vacant), along with details from the vehicle owner about location of the vehicle, how to deactivate its immobiliser, and their address and other contact details.

There is a clause in the contract between vehicle owner and agency referring to the Data Protection Act, and a further clause regarding confidentiality, and the fact that personal information will not be shared for any other reason than to process the booking.

I feel that some authority needs to know about this, and I feel that other owners of vehicles, and potential customers, should know that their personal information isn't being kept personal. I don't want to use the agency any more, and think that others might make the same decision, but only if someone tells them it's happened. My information hasn't been shared, as far as I know, but how would I know?

What do I do, legally?

Thank you

OP posts:
MissLucyEyelesbarrow · 30/12/2023 12:44

qpalbfy · 30/12/2023 12:32

@MissLucyEyelesbarrow it isn't nonsense at all, if what you said was true it would mean private individuals could do what they want with personal data and that is not true, there is a threshold by which you can start operating as a data controller (just look at ring cameras and the debate around those) rogue employees etc, if you come into possession of data you should not have you have a legal obligation still, if someone accidentally sent me a database of people and I then posted that online, despite the fact the data was accidentally sent to me through no fault of my own, and I am a private individual, I can still act unlawfully against GDPR. How else do you compel people to delete data when you have accidentally breached?

Okey dokey - please link to the sections of the DPA 2018 or GDPR that back up what you claim is the law.

Ring doorbells? Let's see what the ICO has to say on those:
The use of recording equipment, such as CCTV or smart door bells, to capture video or sound recordings outside the user’s property boundary is not a breach of data protection law.

Personal and household activities are exempt from GDPR. Again, you do not have to take my word for it. Let's see what the ICO says:

The UK GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

A private individual (acting in a personal capacity) cannot magically become a data controller by accidentally receiving someone else's data. Your assertion that the OP has become a data controller is totally untrue.

You cannot compel a private individual, acting in a personal capacity, to delete data received in error.

Domestic CCTV systems

Some users of domestic CCTV systems need to comply with data protection laws. This depends on what their cameras can see. Find out about your rights if you are filmed on someone’s domestic CCTV system.

https://ico.org.uk/for-the-public/domestic-cctv-systems/

MissLucyEyelesbarrow · 30/12/2023 12:44

CeciledeVolangesdeNouveau · 30/12/2023 12:40

OP was clearly bothered about it enough to post on here. A quick visit to a solicitor if the ICO and some googling don’t do the trick would clear it up further. The law is basically constructed so you have to waste your money clarifying it. Sorry but that’s the way it is. Please can you lay off me now.

What is the purpose of the quick visit to a solicitor?

CeciledeVolangesdeNouveau · 30/12/2023 12:45

To get legal advice and clarification if she cares enough about it to pay for it. If she doesn’t, she doesn’t have to.

MissLucyEyelesbarrow · 30/12/2023 12:50

CeciledeVolangesdeNouveau · 30/12/2023 12:45

To get legal advice and clarification if she cares enough about it to pay for it. If she doesn’t, she doesn’t have to.

About what?

CeciledeVolangesdeNouveau · 30/12/2023 12:56

Also, yes, my reading comprehension was probably bad, I’ve almost certainly made mistakes, Mea culpa. I’ve just come out of hospital and am extremely ill hence hanging around on mumsnet. I apologise if I’ve made a mistake. For data protection issues, still read GDPR and the DPA 2018 if you have the stamina, consult a solicitor if you want more detailed answers. That is literally their job. And for the PP who said they really hoped it wasn’t my job, actually I’m good enough at it that my firm created a post for me. I’ve been off for a while due to aforementioned life-threatening illness. Honestly as I also live in a home with people who destroy my self-esteem on a daily basis that was one of the last straws and maybe I’ll meet you as a deliveroo driver instead or something equally praiseworthy but less skilled than I used to do. Now please carry on sharing your wisdom with OP and lay off me. Thank you. I’m sorry, I have obviously made a mistake somewhere.

Express0 · 30/12/2023 12:56

What on earth does she need legal advice for??

CeciledeVolangesdeNouveau · 30/12/2023 12:57

To understand the law. That is what legal advice is.

CyberCritical · 30/12/2023 12:58

qpalbfy
@MissLucyEyelesbarrow it isn't nonsense at all, if what you said was true it would mean private individuals could do what they want with personal data and that is not true, there is a threshold by which you can start operating as a data controller (just look at ring cameras and the debate around those) rogue employees etc, if you come into possession of data you should not have you have a legal obligation still, if someone accidentally sent me a database of people and I then posted that online, despite the fact the data was accidentally sent to me through no fault of my own, and I am a private individual, I can still act unlawfully against GDPR. How else do you compel people to delete data when you have accidentally breached?

You're mixing and matching guidelines and laws here, as well as just throwing in random bits of rubbish.

Rogue employees wouldn't be acting as the data controller, the data controller is the organisation, rogue employees would likely be in breach of confidentiality clauses in their contracts if they were to steal and use client/customer data but they wouldn't be acting as or in breach of Data Controller responsibilities because an employee of a company is not the DC.

Home CCTV/ring doorbells, ICO puts out guidance but has no real regulatory control ico.org.uk/for-the-public/domestic-cctv-systems/

With regard to how you compel people to delete data, you can't. If an individual is sent a database of personal details they shouldn't have, you can ask nicely that they delete it but would have no proof they actually have and haven't backed it up, you can offer them money and ask them to sign a legal acknowledgement that they have deleted it and will make no attempt to restore or use it for personal benefit, but again that relies on good will and honesty. Generally what you would do is those things then also identify who is in the data, contact them, apologise, offer them a 3 month Experian account so they can check no one has used their data to create an identity, provide guidance to the list on changing email/password/implementing MFA. They pay the people who complain a gesture of goodwill and hope it will all settle down.

Express0 · 30/12/2023 12:58

CeciledeVolangesdeNouveau · 30/12/2023 12:57

To understand the law. That is what legal advice is.

She’s received something in error. She tells the company and moves on. Nothing else is required.

CeciledeVolangesdeNouveau · 30/12/2023 13:01

She should really be deleting the data and raising the alarm about the company but OK.

prh47bridge · 30/12/2023 13:09

CeciledeVolangesdeNouveau · 30/12/2023 13:01

She should really be deleting the data and raising the alarm about the company but OK.

No, she really shouldn't be raising the alarm. She should notify the company of their mistake. She should only raise it to the ICO if she is unhappy with their response. It is on page 1 of the ICO's "Data protection and personal information complaints tool". If this really is your job as you claim, you should know this. This is basic stuff.

Watchkeys · 30/12/2023 13:11

I think that my concern is that if this is happening all the time, and everyone it happens to simply reports it to the company and then leaves, how will the company ever be compelled to sort out the problem? Nobody would know it was happening unless somebody says something. Whether it's my legal duty and my moral duty aren't the same thing. I'm not legally required to provide First Aid if someone keels over in the street, but out of kindness and decency, I would if I could because I wouldn't want to just sit by whilst something detrimental was going on, even if I'm not directly harmed myself (although I may unwittingly have been, here). As far as I can see, this is a fault with the database being used (i.e. someone has accidentally checked the 'reply all' box, or something) so it could have happened lots of times, and it's actually dangerous. I've been given access to security details, I know when their house will be empty etc. If my data had been shared in this way, I'd want to know.

Is the agent legally obliged to tell the people whose data has been shared?

OP posts:
MenorcaMarguerite · 30/12/2023 13:12

Watchkeys · 30/12/2023 09:48

There is a responsibility on you to let the sender know and confirm to the sender you have deleted the email from inbox and trash

v

you don't need to contact the others, it really isn't your role

Does anybody know the law pertaining to this? I've been given a stranger's passport, driving licence, and full contact details, and I feel like I need to tell them because I don't trust the person who gave them to me to pass the message on, not least because it's to their own detriment. Is there any law to say I shouldn't contact the person whose data I've been given? The fact that it's not 'my responsibility' isn't the same as whether I should do it or not. That would be a bit like walking by when someone falls over in the street, because it's not my responsibility to help them out, wouldn't it?

It is not your data. You shouldn't have it so therefore you shouldn't use it.

You should notify the original company and delete everything you received.

CeciledeVolangesdeNouveau · 30/12/2023 13:15

I think the tone of OP’s messages - correct me if I’m wrong please @Watchkeys - indicate that she is concerned. She should of course notify the company and a notification to the ICO wouldn’t go amiss. If she’s the only one it will come to nothing. Or it might be routine sharing of personal data that shouldn’t be shared, and she’ll have uncovered something. I’m not going to say the ICO are the least busy or most efficient. They aren’t. But it will take five minutes of her day to notify them of something that has worried her and she is worried might have affected others. Again, please correct me if I’ve misrepresented you OP.

Watchkeys · 30/12/2023 13:15

CeciledeVolangesdeNouveau · 30/12/2023 13:01

She should really be deleting the data and raising the alarm about the company but OK.

Which laws/guidelines are you basing this on? There's a lot of opinions on the thread, so, as a professional, can you post a link so that we can see what this advice is based on?

Thanks again to everyone for their comments. It's actually quite an interesting topic in terms of responsibility and legality. Seems that potentially, the laws against me using the info fly in the face of my instinct to let someone know if they're unwittingly being wronged.

OP posts:
Watchkeys · 30/12/2023 13:17

@CeciledeVolangesdeNouveau

indicate that she is concerned

You're right. Rather than 'a stalky nob', as referenced entertainingly, upthread :)

OP posts:
AreYouThereDog · 30/12/2023 13:18

CeciledeVolangesdeNouveau · 30/12/2023 12:56

Also, yes, my reading comprehension was probably bad, I’ve almost certainly made mistakes, Mea culpa. I’ve just come out of hospital and am extremely ill hence hanging around on mumsnet. I apologise if I’ve made a mistake. For data protection issues, still read GDPR and the DPA 2018 if you have the stamina, consult a solicitor if you want more detailed answers. That is literally their job. And for the PP who said they really hoped it wasn’t my job, actually I’m good enough at it that my firm created a post for me. I’ve been off for a while due to aforementioned life-threatening illness. Honestly as I also live in a home with people who destroy my self-esteem on a daily basis that was one of the last straws and maybe I’ll meet you as a deliveroo driver instead or something equally praiseworthy but less skilled than I used to do. Now please carry on sharing your wisdom with OP and lay off me. Thank you. I’m sorry, I have obviously made a mistake somewhere.

There’s no need for this level of histrionics.

If you’re so unwell that you can’t post accurate information, maybe hold off on giving people incorrect information that would end up being a costly waste of their time.

CeciledeVolangesdeNouveau · 30/12/2023 13:18

GDPR or UKGDPR as it now is, and DPA 2018. The ICO has a simplified version of most of these rules on its website.

And to everyone who keeps saying I’m just claiming to be a DP and privacy expert, yep, I’m employed at the sharp end where things get serious so I’m not the world’s best expert on minor data breaches, but I know what one is and what should happen (even if it doesn’t).

Livinghappy · 30/12/2023 13:18

she is a private individual

OP says she rents out a vehicle so assume she operates as sole trader or limited business and I guess she has ICO registration.

MissLucyEyelesbarrow · 30/12/2023 13:19

CeciledeVolangesdeNouveau · 30/12/2023 12:56

Also, yes, my reading comprehension was probably bad, I’ve almost certainly made mistakes, Mea culpa. I’ve just come out of hospital and am extremely ill hence hanging around on mumsnet. I apologise if I’ve made a mistake. For data protection issues, still read GDPR and the DPA 2018 if you have the stamina, consult a solicitor if you want more detailed answers. That is literally their job. And for the PP who said they really hoped it wasn’t my job, actually I’m good enough at it that my firm created a post for me. I’ve been off for a while due to aforementioned life-threatening illness. Honestly as I also live in a home with people who destroy my self-esteem on a daily basis that was one of the last straws and maybe I’ll meet you as a deliveroo driver instead or something equally praiseworthy but less skilled than I used to do. Now please carry on sharing your wisdom with OP and lay off me. Thank you. I’m sorry, I have obviously made a mistake somewhere.

Sorry to hear about your run of bad luck but, if you post things that are untrue and then repeatedly double-down, other posters are entitled to challenge what you say, especially when you claim to be a professional. Trying to guilt us about disagreeing with you, because of your personal circumstances (which we didn't know about) is silly - and emotional blackmail.

If you are too vulnerable to cope with people disagreeing with you when you make untrue statements, you should step away from social media until you feel better. I hope you are on the mend soon.

CeciledeVolangesdeNouveau · 30/12/2023 13:19

Thanks @Watchkeys. I really am honestly trying to be helpful.

MissLucyEyelesbarrow · 30/12/2023 13:20

Livinghappy · 30/12/2023 13:18

she is a private individual

OP says she rents out a vehicle so assume she operates as sole trader or limited business and I guess she has ICO registration.

She leases a car. Millions of private individuals do so.

MissLucyEyelesbarrow · 30/12/2023 13:22

CeciledeVolangesdeNouveau · 30/12/2023 13:18

GDPR or UKGDPR as it now is, and DPA 2018. The ICO has a simplified version of most of these rules on its website.

And to everyone who keeps saying I’m just claiming to be a DP and privacy expert, yep, I’m employed at the sharp end where things get serious so I’m not the world’s best expert on minor data breaches, but I know what one is and what should happen (even if it doesn’t).

Ah right, you are too important to know the law. Silly of us.

prh47bridge · 30/12/2023 13:27

Watchkeys · 30/12/2023 13:15

Which laws/guidelines are you basing this on? There's a lot of opinions on the thread, so, as a professional, can you post a link so that we can see what this advice is based on?

Thanks again to everyone for their comments. It's actually quite an interesting topic in terms of responsibility and legality. Seems that potentially, the laws against me using the info fly in the face of my instinct to let someone know if they're unwittingly being wronged.

As I have pointed out, if you go to the ICO website you will find that your first step is to raise it with the company. See, for example, What to expect from the ICO when making a data protection complaint | ICO - "In most cases, before you complain to us you need to have complained directly to the organisation..."

What to expect from the ICO when making a data protection complaint

https://ico.org.uk/make-a-complaint/data-protection-complaints/what-to-expect/

CeciledeVolangesdeNouveau · 30/12/2023 13:29

So I pointed the way to some free and easily accessible resources after having been accused of trying to make people spend money by speaking to a solicitor for reassurance and that’s wrong too? The first resource I pointed to - the ICO - advises speaking to the company itself. OP is justified in worrying that she’s not the only person involved in this lax information security. I was trying to give a plan a and plan b. But please continue insulting me and questioning my intelligence.
