GDPR breach.

Not looking for legal advice, but any pointers from anyone on how to proceed when someone has, for instance, sent very personal and sensitive information to a third party by email, when enclosed within said information is the correct email, so no excuse of having the wrong one on file.
Information-wise, it's easier to say there isn't anything they didn't share.
 
First you will need to contact the organization's data protection officer and raise your concerns.

Then contact the ICO and inform them if they don't handle it in a way you are satisfied.

Don't expect any compo or even anything to come from the ICO; our data protection laws, while in theory they have bite, are rarely enforced.
 
Thanks, that's helpful. How do you find out who the data protection officer is? The highest I've been able to find is the manager of the department the breach came from.
 
What Kindai said, basically. Ask to be put in touch with their data protection officer and if they don't have one or give you the runaround, forward your complaint to the ICO. In an ideal world, if they know of their mistake, the person should have reported it internally already.

What damage to you could this cause? Is the mistaken email address a valid one and have/will they act upon that information maliciously?
 
Assuming the business has a website they should list who it is in their data privacy statement.
 
They don't, they just give a general email.

The email went to a live person as they even replied saying the sender had the wrong address.
The contents of the email are more than enough for someone to basically steal the identity of everyone in my house. Full names, address, phone numbers, national insurance numbers, email addresses, dates of birth. I think only our passport numbers aren't in there.
 
Sorry, by "who" I meant like just the contact entity, rather than a specific person.

e.g. OcUK is [email protected] which my GCSE German tells me is not a person's name.


Have a look at this guide for a process / template to follow - https://ico.org.uk/your-data-matters/how-to-make-a-data-protection-complaint/
 
The data protection officer might be the company owner or similar if they don't have a dedicated person.

Based on your comments, they likely should have self-reported this to the ICO.

Again, don't expect anything; if the person they sent it to was reasonable and deleted the information, the impact on you, though arguably distressing, is negligible.
 
Yes, so unless the breach resulted in something like my identity being stolen you can't really go to court for stress caused.
 
DPO (data protection officer) should be found within the privacy policy of a website.

First port of call would be to contact them.

Been a while since I worked in the industry but I believe 14 or 28 days to respond, but they can extend if they have a valid reason to do so.


If unsatisfied/no response, you can get in touch with the ICO.
 
Just read the thread.

If you cannot find who the DPO is, I would request the contact of their legal team. If they don't have one, I would request HR. That used to be the hierarchy when I worked with companies to implement policies/strategies/processes.


Feel free to PM and I can investigate and perhaps get you some info.
 
That sounds like a data breach.

The culprit is supposed to take immediate action to investigate as soon as they are aware.

They should have a policy that sets out when, and how, they will respond to you.

Kindai's right in what he's said.
 
They should have been aware at the same time I was, as the person replied to all saying they had the wrong address. They got my wife's address wrong so it went to this other person and me.
 
I can only help if it's done in a hospital.
Basically we inform the Data Protection Manager and put it on a DATIX Incident where that automatically triggers all the relevant staff who then decide what action to take.
 