Breach of Data Protection Act

Hi
I gave my debit card details, in good faith, to a debt recovery agency to collect GBP5.00 per month. Without my knowledge or consent the company used freelance agents working from home to process the payments. When the company wanted to change from debit card to direct debit, one of their agents brought over a handwritten ledger account of mine with all the transactions together with all my debit card details including 16 digits, start date, end date and 3 number security code. Some part time agent had all my debit card details on her person, at home and while driving around on her daily duties. This is a clear breach of one of the 8 principles of the Data Protection Act 1998. The company when shown the evidence has now admitted to the violation. If anyone out there has given their debit card details to a debt recovery company, please check to see how they are processing the transaction.

Comments

  • wealdroam
    wealdroam Posts: 19,180 Forumite
    This thread is in the wrong place.

    Should be on the Praise, Vents and Warnings board.
  • Hi
    I gave my debit card details, in good faith, to a debt recovery agency to collect GBP5.00 per month. Without my knowledge or consent the company used freelance agents working from home to process the payments. When the company wanted to change from debit card to direct debit, one of their agents brought over a handwritten ledger account of mine with all the transactions together with all my debit card details including 16 digits, start date, end date and 3 number security code. Some part time agent had all my debit card details on her person, at home and while driving around on her daily duties. This is a clear breach of one of the 8 principles of the Data Protection Act 1998. The company when shown the evidence has now admitted to the violation. If anyone out there has given their debit card details to a debt recovery company, please check to see how they are processing the transaction.

    No, it's not.

    Here are the 8 principles; which one do you think this breaches?

    1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

      (a) at least one of the conditions in Schedule 2 is met, and

      (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
    2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
    3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
    4. Personal data shall be accurate and, where necessary, kept up to date.
    5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
    6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
    7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
    8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
  • George_Michael
    George_Michael Posts: 4,251 Forumite
    I would say that there have been breaches of some of those principles.
    The following are taken directly from the ICO guidelines.

    Principle 1
    handle people’s personal data only in ways they would reasonably expect.
    (and I wouldn't expect my full debit card details to be left in an unsecure place)

    Principle 7
    In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
    (having full debit card details in a car and with someone walking about and in their home doesn't sound too secure to me).



  • scottishperson2
    scottishperson2 Posts: 313 Forumite
    edited 5 July 2012 at 4:05PM
    I think we have to disagree there. The data was given to an authorised agent who brought it to the client's house. Happens all the time, doctors and midwives do it on home visits etc etc

    Half your medical records are probably on a laptop or memory stick kicking about in a car as we speak. Leaving the laptop in a cafe as you drive off is where the problem occurs, not that the data is on the laptop.
  • Fosterdog
    Fosterdog Posts: 4,948 Forumite
    But the data was no less secure than it is on the card in OP's purse/wallet. If someone snatched a bag or pickpocketed they would get the same information.

    The only difference is that it was a third party carrying the details around with them.

    I'm not saying it's right, I would hate for other people to have access to my details and use it in that way but security wise I can't see the issue.
  • shaun_from_Africa
    shaun_from_Africa Posts: 12,858 Forumite
    The only difference is that it was a third party carrying the details around with them.

    It might be the only difference, but as far as the DPA goes, it is a big difference.

    I can do as I please with my personal information, but once that same information has been given to a third party, they are expected to use, store and handle it in a secure manner.

    If what the OP states in their post is true
    " The company when shown the evidence has now admitted to the violation"

    Then I don't see any reason why a complaint shouldn't be sent to the ICO.
  • George_Michael
    George_Michael Posts: 4,251 Forumite
    Half your medical records are probably on a laptop or memory stick kicking about in a car as we speak

    Quite possibly, but if they ended up in the wrong hands, all I would have to worry about is some scammer finding out about my ingrown toenail and last year's kidney stone.

    However, if my debit card details were compromised, I may well find my bank account emptied, and although I would probably get the money back eventually, it would be a right pain having to wait and having to find alternative ways to pay bills etc until the mess was sorted out.

    Credit and debit card fraud is a major problem nowadays and I would expect any company dealing with these to have some reasonably secure procedures in place for handling and transporting these.
  • arcon5
    arcon5 Posts: 14,099 Forumite
    edited 5 July 2012 at 5:38PM
    I wouldn't give my card details to a collection agency, not because of this but because I wouldn't trust them to only take the agreed amount. My advice would be to get their bank details and set up a standing order.

    Although their practices clearly compromise the security of sensitive data. At least with the laptop example there would most likely be a password set.
    Under no circumstances would I expect all my card details with the security code to be stored in a paper file out and about. I would expect it to be stored with encryption and PCI compliant. Although I would actually expect the card to be charged initially and a cross reference ID generated so there is no need to actually store this information.
  • real1314
    real1314 Posts: 4,432 Forumite
    I think we have to disagree there. The data was given to an authorised agent who brought it to the client's house. Happens all the time, doctors and midwives do it on home visits etc etc

    Half your medical records are probably on a laptop or memory stick kicking about in a car as we speak. Leaving the laptop in a cafe as you drive off is where the problem occurs, not that the data is on the laptop.

    The reason a health visitor would have all those details on a laptop is so that they can provide the correct service. Hence, the use of the data is proportionate to the rightful purpose.

    Why did the debt collection agent record and carry around the full details of the card including the 3 digit security code?

    They could have evidenced the transactions by using the card number alone, reducing the risk and potential severity of data loss.

    Hence, their actions were not proportionate and reasonable.

    Nice attempt to defend it, but it goes against so many principles of data security.

    One of the simplest is to simply ask "do I really need that bit of data for what I am doing" :cool:
  • The case is currently being investigated by the ICO, the Financial Services Ombudsman on my behalf and hopefully by the OFT. If you give your debit card information to a company, the least you can expect is that it is securely stored, which is 1 of the 8 principles of the Data Protection Act. The company have admitted to a violation, so whether it is a violation or not is not an issue.
This discussion has been closed.