Data protection, violation?

[SexyGreyFox]

perhaps it's normal for you to just randomly send emails with no actual content? the rest of us like to include messages that sometimes contain names, addresses or personal correspondence that is private.

Hmm, I don't think you've read the OP correctly.
Company sends an email to recipient with no other personal data in the content of the email.
The same email has also been sent to loads of other people with none of their personal details in the content of the email.
They can all see each others email adresses - so what?
At least 50 other people a day see me get a letter about Viagra or the latest dodgy cable box.

We also prefer to keep our email addresses private so that we can't be spammed or be sent viruses.

I would say that was pretty impossible.

 

[Icm76]

Hmm, I don't think you've read the OP correctly.

OP has said his name was disclosed

Read this, it's only editorial comment so not a definitive interpretation: http://www.guardian.co.uk/commentisfree/libertycentral/2010/apr/26/email-data-protection-breach

it does not entitle the data controller to disclose an individual's email address to third parties without their consent. It seems unlikely that Lourdes1 would have consented to her email address being disclosed to the 519 other recipients of the email. Quite apart from the disclosure of the email address itself, if an individual is identifiable from their email address (eg [email protected]) then displaying it to other recipients reveals that the individual has had some dealing with the organisation in the past. For some organisations (eg political parties, or organisations that deal specifically with sensitive personal issues) this may be a serious breach of privacy.

and this one: http://www.cre8asiteforums.com/forums/index.php?showtopic=16361

A couple of examples of illegal activities:
1. If an email is sent to a whole list of folks by placing their emails in the "To:" or the "CC:" field, or otherwise where they can be seen by the recipients, you have broken the law because you have failed to protect the data.

Annoyingly the links to the ICO guidance that were used to derive the above quoted conclusion are now broken, but if you can find where this guidance is now it might still confirm this interpretation of the laws.

 

[SexyGreyFox]

eg [email protected]

This doesn't mean [email protected] but [email protected]

Finding the recipient from the first email address would be very hard to do but finding the recipient from the second address would be very easy.
If in Ash Scotlands case they used his works address with his full name then he has a point.

If you have definite proof that sending a multi email to recipients with 'normal' email addresses is illegal then I'd like the link please.
In Dowie's example the emails led to other data being given out.
I am not saying you're wrong or being patronizing - I want to be educated.

I've sat through many many Data Protection classes and if things have changed I want to know.

 

[Icm76]

Finding the recipient from the first email address would be very hard to do but finding the recipient from the second address would be very easy.

Given just the name and the association to an organisation or business the search can be narrowed to a region, town or perhaps a even few specific buildings! In the OP we have disclosure of a name, and a business relating to the individuals tenancy.

If you have definite proof that sending a multi email to recipients with 'normal' email addresses is illegal then I'd like the link please

The only definitive source is the legislation and any ruling by a Supreme Court judge. http://www.legislation.gov.uk/ukpga/1998/29/contents Everything else is just a non binding interpretation.

I suspect that the legislation does not specify, and there is a grey area open to interpretation on what is 'reasonable.' If we use the example above (generic webmail + real name + association) I cannot believe it would be possible to universally exclude generic webmail from protection. Even with generic webmail, no name, but some association + some other detail, it would be possible to identify an individual. I would expect the typical legal usage of "reasonable" would mean that the accidental disclosure of generic webmail with no name or easily identifiable association to be worthy of only (very) trivial compensation.

i.e. I think that leaking any email address is a breach of privacy law, but in the case of generic, not relatable to a person the compensation available will be virtually zero.

I am not saying you're wrong or being patronizing - I want to be educated.

It's a good discussion point, but I don't know if we will find an absolute answer. I don't feel like reading through the whole text of the DPA.

 

[GaryH-21]

I'll read the other replies tomorrow... but if there is information that can specifically identify you as a person along with information regarding money, debts etc then they are breaking the data protection act as this could have implications to you.

What can you do about it? Well... you'll be entitled to something, but It's never a good idea to get legal advice over a forum


P.S, if it's just an email address, I don't believe that can be pinpointed to a specific person... could be wrong, but I could go make an email address with anyone's name right now

 

[sniffy]

Well there's no doubt that disclosing personal information to third parties without your consent breaches the DPA. I guess the point is if an email address constitutes personal information. Personal data means:

data which relate to a living individual who can be identified—(a)from those data, or(b)from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller - Source

I'm not sure to be honest. Surely that varies? If you disclose the email address of a blogger then it could easily be linked back to a blog containing personal information.

 

[SexyGreyFox]

I'll read the other replies tomorrow... but if there is information that can specifically identify you as a person along with information regarding money, debts etc then they are breaking the data protection act as this could have implications to you.

Which is what happened in Dowie's example with HFC Bank.