Legal matters

Mumsnet has not checked the qualifications of anyone posting here. If you have any legal concerns we suggest you consult a solicitor.

Data Protection breach - what do I do?

133 replies

Watchkeys · 30/12/2023 08:55

I rent out a vehicle via an agency. I turned down a booking, and the agent found another vehicle for the customer. I got a notification of a message having arrived re my booking, and discovered that I am party to the full conversation between the vehicle owner and the customer. This includes the customer's passport and driving licence details, proof of address, dates they'll be hiring the vehicle (so I know their house will be likely vacant), along with details from the vehicle owner about location of the vehicle, how to deactivate its immobiliser, and their address and other contact details.

There is a clause in the contract between vehicle owner and agency referring to the Data Protection Act, and a further clause regarding confidentiality, and the fact that personal information will not be shared for any other reason than to process the booking.

I feel that some authority needs to know about this, and I feel that other owners of vehicles, and potential customers, should know that their personal information isn't being kept personal. I don't want to use the agency any more, and think that others might make the same decision, but only if someone tells them it's happened. My information hasn't been shared, as far as I know, but how would I know?

What do I do, legally?

Thank you

OP posts:
prh47bridge · 30/12/2023 13:35

MissLucyEyelesbarrow · 30/12/2023 13:20

She leases a car. Millions of private individuals do so.

She rents it out to third parties. Millions of private individuals drive cars that they have personally leased from someone else. People renting out a car they own to third parties is much less common. If she processes personal data as part of that, it goes beyond personal and household use. She may be exempt from registration depending on the use she makes of the data, e.g. if it is only for her accounts and records, and it doesn't include information from credit reference agencies.

Livinghappy · 30/12/2023 13:36

let someone know if they're unwittingly being wronged

Given you deleted the personal data and informed the company that the email was sent in error there should be no detrimental impact to the end person and as such they are not "wronged".

The company should review the procedures, consider secure send for higher volumes of personal data being sent, or perhaps password-protect documents - these are some of the "appropriate technical and organisational measures" required by law.

I'm not sure many companies know how to stop email addresses being incorrectly sent. I know one company that won't allow any email addresses to be cached/stored in the address book, so that all email addresses have to be typed out each time, but I think that can also lead to errors. You could also hold all email with sensitive content and only release it after a second reviewer has checked it, but that does seem overkill.

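As an added illustration of the "technical and organisational measures" the post above talks about (example code written for this thread, not the agency's own system): a small outbound-message gate for a booking thread. It models what the OP describes, a declined owner still receiving the conversation, as a recipient list that was not rebuilt when the agent swapped the vehicle, and it adds the hold-for-second-review step for messages carrying identity documents or immobiliser details. The data model, the email addresses and the detection patterns (an approximation of the UK driving licence number layout, a nine-digit number near the word "passport") are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical data model for the example: a booking has exactly three parties.
@dataclass
class Booking:
    booking_id: str
    customer: str   # hirer's address
    owner: str      # CURRENT vehicle owner's address
    agent: str      # the agency's mailbox


@dataclass
class Thread:
    booking: Booking
    # Who the messaging system will actually deliver to. The failure in the
    # thread above is this set drifting away from the booking's real parties.
    recipients: set


# Constructed detection patterns (assumptions, not an official spec):
#  - UK driving licence numbers look like MORGA753116SM9IJ: 5 chars, 6 digits,
#    2 chars, a check digit, 2 chars.
#  - A nine-digit number within a few words of "passport".
#  - Any mention of the immobiliser (vehicle-security detail, not personal data,
#    but the OP flagged it as something that should not reach a stranger).
SENSITIVE = {
    "driving_licence": re.compile(r"\b[A-Z9]{5}\d{6}[A-Z9]{2}\d[A-Z0-9]{2}\b"),
    "passport":        re.compile(r"\bpassport\b[^\n]{0,30}?\b\d{9}\b", re.I),
    "immobiliser":     re.compile(r"\bimmobili[sz]er\b", re.I),
}


def authorised(booking):
    """The only addresses that may ever see this booking's thread."""
    return {booking.customer, booking.owner, booking.agent}


def reassign_owner(thread, new_owner):
    """The agent found another vehicle: swap the owner AND rebuild the recipient set.
    Updating only the booking record (and not the thread) reproduces the OP's leak."""
    thread.booking.owner = new_owner
    thread.recipients = authorised(thread.booking)


def classify(text):
    """Names of the sensitive-content patterns that fire on this message body."""
    return {name for name, rx in SENSITIVE.items() if rx.search(text)}


def gate(thread, text):
    """Decide what happens to an outbound message on this thread.

    Returns (action, deliver_to, detail):
      "blocked"         - a recipient is not a party to the booking; nothing goes out
      "hold_for_review" - recipients are fine but the body carries sensitive data
      "deliver"         - safe to send as-is
    """
    allowed = authorised(thread.booking)
    stray = thread.recipients - allowed
    deliver_to = thread.recipients & allowed
    found = classify(text)
    if stray:
        # Recipient-set drift is an access-control bug; stop the message entirely
        # rather than trusting that the stray party will "do the right thing".
        return ("blocked", deliver_to, {"stray": stray, "sensitive": found})
    if found:
        return ("hold_for_review", deliver_to, {"sensitive": found})
    return ("deliver", deliver_to, {})


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: owner declines, agent swaps the car.
    b = Booking("BK-1001", "hirer@example.com", "declined-owner@example.com",
                "bookings@agency.example")
    t = Thread(b, authorised(b))
    b.owner = "new-owner@example.com"      # record updated, thread recipients NOT rebuilt
    msg = ("Hi, my passport number is 123456789 and my licence is MORGA753116SM9IJ. "
           "The immobiliser switch is under the driver's seat.")
    print(gate(t, msg))                    # blocked: declined-owner is a stray recipient
    reassign_owner(t, "new-owner@example.com")
    print(gate(t, msg))                    # hold_for_review: all three patterns fire
    print(gate(t, "Great, see you Tuesday."))   # deliver
```

The point of the two-stage check is that the recipient-set test runs first and is independent of content: the OP's case would have been caught even if the customer had sent nothing more than "see you Tuesday", because the declined owner was simply no longer a party to the booking. The content check is the second, weaker line of defence for the case where the recipients are right but the payload (identity documents, vehicle security details) still warrants a human look before release.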
AreYouThereDog · 30/12/2023 13:42

CeciledeVolangesdeNouveau · 30/12/2023 13:29

So I pointed the way to some free and easily accessible resources after having been accused of trying to make people spend money by speaking to a solicitor for reassurance and that’s wrong too? The first resource I pointed to - the ICO - advises speaking to the company itself. OP is justified in worrying that she’s not the only person involved in this lax information security. I was trying to give a plan A and plan B. But please continue insulting me and questioning my intelligence.

Nobody is questioning your intelligence, they’re simply pointing out that you made a mistake and so your advice is poor. Instead of accepting your error, you’ve continued giving bad advice that could cost the OP money.

You seem to be under the impression that OP’s data was sent to a third party. This is incorrect.

If her personal data has been shared without a valid reason, there has been an illegal act and she has a claim

You advise her that she could consult a cheap solicitor. While anyone can consult a solicitor for pretty much any reason, this would be pointless for the OP as it was not her data.

When this was pointed out, most people would have apologised to the OP, and clarified. You did not. You continued to give poor advice and then solicit pity for a health issue that nobody could have possibly known about.

You’ve behaved very badly here and people have rightly called you out on it.

We’re all human and we all make mistakes. You’ve made a mistake, as has the company dealing with the issue the OP is describing. It’s human nature.

bookfit24 · 30/12/2023 13:44

@Watchkeys what is it that you actually want to do/what outcome are you hoping for?

CeciledeVolangesdeNouveau · 30/12/2023 13:47

in which case I apologise.

Watchkeys · 30/12/2023 13:54

bookfit24 · 30/12/2023 13:44

@Watchkeys what is it that you actually want to do/what outcome are you hoping for?

As I said upthread, this breach doesn't bother me particularly, because I know I'm trustworthy and will do the right thing with the mis-shared data. My concern is that this might be willy nilly happening across lots of bookings, and everybody is reporting it to the company as I'm being advised to do, and nothing changes. How would I know? I had their signed contract already to say they wouldn't do this, so their word doesn't mean much now.

OP posts:
CeciledeVolangesdeNouveau · 30/12/2023 13:54

And btw I wasn’t trying to get pity. I was explaining why my reading comprehension may not be 100%, my legal knowledge might not be completely up to date and hence why I was directing to first free and then hopefully reasonably priced sources of information.

CeciledeVolangesdeNouveau · 30/12/2023 13:57

@Watchkeys not sure how much my words are worth on this thread by now but your concern is correct. Do what you need to do with the data you’ve received - delete it - make the company and then the ICO aware. If it doesn’t make any difference that’s when you get a solicitor involved. Your instincts are in the right place.

Watchkeys · 30/12/2023 13:59

Thanks @CeciledeVolangesdeNouveau Sorry you've been poorly. I appreciate your advice.

OP posts:
forcedfun · 30/12/2023 14:02

Watchkeys · 30/12/2023 13:54

As I said upthread, this breach doesn't bother me particularly, because I know I'm trustworthy and will do the right thing with the mis-shared data. My concern is that this might be willy nilly happening across lots of bookings, and everybody is reporting it to the company as I'm being advised to do, and nothing changes. How would I know? I had their signed contract already to say they wouldn't do this, so their word doesn't mean much now.

Ultimately, you flag it to the company and it becomes their DPO's responsibility to worry about. If they don't give a satisfactory response you flag it to the ICO. It's likely the ICO won't do much (if anything) here as you have flagged the breach and will delete the data. But they would expect the company to review their processes to minimise the risk of it happening again.

Ultimately you haven't suffered any actual harm and nor has the other person (provided you delete the data and don't do anything nefarious with it). So the right thing to do is simply to flag it.

BarkHorse · 30/12/2023 14:02

Watchkeys · 30/12/2023 13:54

As I said upthread, this breach doesn't bother me particularly, because I know I'm trustworthy and will do the right thing with the mis-shared data. My concern is that this might be willy nilly happening across lots of bookings, and everybody is reporting it to the company as I'm being advised to do, and nothing changes. How would I know? I had their signed contract already to say they wouldn't do this, so their word doesn't mean much now.

So if you are concerned what is the issue with following the ICO's advice? Report it to the company - that’s the first step. Assuming they are reputable they will then follow the ICO reporting procedure (if necessary).
Or do you have a reason to believe that they won’t follow that procedure?

It’s like complaining to an Ombudsman- you have to contact the company first. If you feel the outcome isn’t correct - then you take it further.

BarkHorse · 30/12/2023 14:04

CeciledeVolangesdeNouveau · 30/12/2023 13:57

@Watchkeys not sure how much my words are worth on this thread by now but your concern is correct. Do what you need to do with the data you’ve received - delete it - make the company and then the ICO aware. If it doesn’t make any difference that’s when you get a solicitor involved. Your instincts are in the right place.

What would you get a solicitor involved for?

forcedfun · 30/12/2023 14:06

BarkHorse · 30/12/2023 14:02

So if you are concerned what is the issue with following the ICO's advice? Report it to the company - that’s the first step. Assuming they are reputable they will then follow the ICO reporting procedure (if necessary).
Or do you have a reason to believe that they won’t follow that procedure?

It’s like complaining to an Ombudsman- you have to contact the company first. If you feel the outcome isn’t correct - then you take it further.

Agreed. It's for the DPO to investigate whether or not this is a one off.

If it is an isolated incident then I can't see anything on the facts that would mean the company would have to report it to the ICO. OP can complain to ICO but I can't see they would do anything in this instance beyond email the company with a reminder of recommended good practice

Watchkeys · 30/12/2023 14:10

If it is an isolated incident

How would anybody know if it is? It might have happened to 100 people this morning. Or just me.

What is a satisfactory response? They can't un-happen it. They can tell me it won't happen again, but they were already legally bound to prevent it happening in the first place, and that didn't prevent it.

OP posts:
Sodndashitall · 30/12/2023 14:10

OP there's a lot of back and forth on this thread as you seem a bit reluctant to report to company.
So just to clarify, you should report to the company. But not to customer service; find their data protection officer (usually found on the website under the "about us/company officers" section, or in the T&Cs under the data protection clauses). This person is usually in a different reporting line to the rest of the org and is tasked with dealing with these things. Most DPOs I've dealt with will be extremely good at properly resolving the problem and will be very aware of the ICO implications if they don't.
As it's not your data there's not much further you can do, but if you are very concerned then you also let the ICO know about the breach.
If you really feel strongly then get onto Twitter or socials and out the company. But you have to be very sure of what you are saying; I'd caution against this road. But I've seen it done!

Watchkeys · 30/12/2023 14:13

@Sodndashitall

OP there's a lot of back and forth on this thread as you seem a bit reluctant to report to company

No, I've already done that, hours ago.

OP posts:
forcedfun · 30/12/2023 14:16

Watchkeys · 30/12/2023 14:10

If it is an isolated incident

How would anybody know if it is? It might have happened to 100 people this morning. Or just me.

What is a satisfactory response? They can't un-happen it. They can tell me it won't happen again, but they were already legally bound to prevent it happening in the first place, and that didn't prevent it.

That's for the company to worry about, not you. Your job is done once you have reported and deleted. Up to you whether you report to the ICO, but really that's the job of the company to assess and report if appropriate (I very much doubt this is reportable).

Data breaches happen. There's no expectation that companies should be 100% breach free. Life just isn't that perfect. My experience of the ICO is that it is a pretty high bar for them to be interested, and it doesn't sound at all likely that this is sufficiently serious.

BarkHorse · 30/12/2023 14:22

Watchkeys · 30/12/2023 14:10

If it is an isolated incident

How would anybody know if it is? It might have happened to 100 people this morning. Or just me.

What is a satisfactory response? They can't un-happen it. They can tell me it won't happen again, but they were already legally bound to prevent it happening in the first place, and that didn't prevent it.

What do YOU think is a satisfactory response?

If it had happened 100 times this morning as in your example, I imagine quite a few people would have reported it. Then it would become more likely that the ICO would have to be notified.

They can’t turn back time and un-cc you. So what is it you want? The DPO will look at their process and see if it can be improved, and possibly the ICO might write to them if it’s reported. If, as per your example, hundreds of people's info was being cc’d to the wrong people - yep, they may get a fine.

Unfortunately human error cannot be eradicated completely in any organisation (for example drs and nurses make mistakes that cost people’s lives, lawyers make mistakes that cost people’s freedoms). No system is infallible and in the grand scheme of things - this is minor.

someone has suggested you share this on SM - you’ve pretty much just done that - and look at the response… it wouldn’t be dissimilar on Twitter would it.

forcedfun · 30/12/2023 14:26

BarkHorse · 30/12/2023 14:22

What do YOU think is a satisfactory response?

If it had happened 100 times this morning as in your example, I imagine quite a few people would have reported it. Then it would become more likely that the ICO would have to be notified.

They can’t turn back time and un-cc you. So what is it you want? The DPO will look at their process and see if it can be improved, and possibly the ICO might write to them if it’s reported. If, as per your example, hundreds of people's info was being cc’d to the wrong people - yep, they may get a fine.

Unfortunately human error cannot be eradicated completely in any organisation (for example drs and nurses make mistakes that cost people’s lives, lawyers make mistakes that cost people’s freedoms). No system is infallible and in the grand scheme of things - this is minor.

someone has suggested you share this on SM - you’ve pretty much just done that - and look at the response… it wouldn’t be dissimilar on Twitter would it.

Agreed.

You've reported the breach op. Beyond them thanking you and saying they are investigating it is really their concern now, not yours. And if it is a one off human error I just can't see that this is remotely of interest to the ICO (or social media)

Watchkeys · 30/12/2023 14:29

@forcedfun

Can you see that it might be of interest to other vehicle owners and potential customers, who are giving their personal data to the agent, with a contract promising they won't share it?

OP posts:
Watchkeys · 30/12/2023 14:33

@BarkHorse

If it had happened 100 times this morning as in your example, I imagine quite a few people would have reported it

To whom?

Then it would become more likely that the ICO would have to be notified

By whom?

Who decides when the ICO needs to be notified? The company that doesn't stick to contracts? They're the only ones who can know how many times it's happened, if people only report breaches to them. That's my point really. It goes beyond my own situation. Are we really just supposed to ask companies to vet themselves, when the problem is that we've realised they can't be trusted?

OP posts:
forcedfun · 30/12/2023 14:34

Watchkeys · 30/12/2023 14:29

@forcedfun

Can you see that it might be of interest to other vehicle owners and potential customers, who are giving their personal data to the agent, with a contract promising they won't share it?

Not really. No company is infallible. Even the ICO accepts companies will have breaches (multiple).

Teeheehee1579 · 30/12/2023 14:34

You just sound like you have a personal vendetta against the company now to be honest. You’ve reported it to the company, anything else on your part is unnecessary and vindictive. It’s human error, and a minor one at that.

BarkHorse · 30/12/2023 14:45

Watchkeys · 30/12/2023 14:33

@BarkHorse

If it had happened 100 times this morning as in your example, I imagine quite a few people would have reported it

To whom?

Then it would become more likely that the ICO would have to be notified

By whom?

Who decides when the ICO needs to be notified? The company that doesn't stick to contracts? They're the only ones who can know how many times it's happened, if people only report breaches to them. That's my point really. It goes beyond my own situation. Are we really just supposed to ask companies to vet themselves, when the problem is that we've realised they can't be trusted?

To whom? To the company - as everyone has told you to do.

By whom? By the company’s data protection officer or another appropriate person.

And yes - we expect companies to “vet” themselves constantly. We trust them to follow the law on employment, tax, etc.

You very obviously have some other issue with this company and I’m not sure what recompense you are looking for. Mistakes like this happen. If you’re that bothered, as I said - get on Twitter - but as you’ve seen here, no one will particularly care about this single breach (in fact I still use plenty of companies that have had serious fines for data breaches - in fact this site itself had a MASSIVE data breach and I’m still here).

Watchkeys · 30/12/2023 14:48

Teeheehee1579 · 30/12/2023 14:34

You just sound like you have a personal vendetta against the company now to be honest. You’ve reported it to the company, anything else on your part is unnecessary and vindictive. It’s human error, and a minor one at that.

I don't have any vendetta. I've sent the company a friendly email to explain what happened.

It's not vindictive to wonder about and discuss whether there's anything else I could/should be doing, or the moral/legal aspects of doing something.

Your post is quite unpleasant in tone.

It's just not very... nice.

OP posts: