Energy Firm passed my data on

Manxman_in_exile

waamo wrote: »

I might be in the minority here but I think passing someone's phone number to a debt collector is a fairly important deal. I mean who wants debt collectors ringing them demanding monies you don't owe?

I agree with Waamo, but I also think £50 is a reasonable offer.


OP - you keep on saying the energy co. didn't follow the correct procedures, but is that the case?


Either it was a typo at some point (and even the best intended procedures won't eliminate the possibility of a typo) or the holder of the account wrongly gave them your number, perhaps intentionally or in error - how would the energy company know?


The only thing that surprises me is that the energy company didn't try ringing you before passing it on to a DCA, but that probably reinforces the likelihood of a typo in passing the info to the DCA.


Try for more than £50 but you might not get any more.

bandana22

powerful_Rogue wrote: »

Then why bother posting about what could have happened. It didn't.


You talk about your actions meaning this might not happen to anyone else - Exactly. It's been reported and they have adjusted their processes. No need to jump on the compo train.

You are correct that it has now been reported and the company has to amend its procedures and retrain its staff. This makes it less likely that it will happen to someone else.

It DID happen to me. Why therefore would you be opposed to the idea of my being paid a compensatory gesture by the company because of the issues I have experienced.

I fully accept you may not wish to pursue any form of compensation in the same circumstances. That is absolutely your choice.

Would you not therefore accept that I have the choice to pursue a reasonable compensatory gesture from the company, given that they were found to be negligent?

I would be interested to know why you are of the opinion my approach is wrong?

bandana22

Manxman_in_exile wrote: »

I agree with Waamo, but I also think £50 is a reasonable offer.


OP - you keep on saying the energy co. didn't follow the correct procedures, but is that the case?


Either it was a typo at some point (and even the best intended procedures won't eliminate the possibility of a typo) or the holder of the account wrongly gave them your number, perhaps intentionally or in error - how would the energy company know?


The only thing that surprises me is that the energy company didn't try ringing you before passing it on to a DCA, but that probably reinforces the likelihood of a typo in passing the info to the DCA.


Try for more than £50 but you might not get any more.

It is down to each individuals interpretation as to what is 'reasonable'. For breaching GDPR regulations you would probably find it to be more than £50.

In reference to the typo etc., it is not a case of the issue being a simple type error.

It is a case of the company not taking full security of its data to ensure that the data being passed to the debt collection agency was correct. Even if it had been a typo, if the correct procedures had been in place this would have been corrected before they passed my phone details to the debt collection agency. That is the whole point.

As a result, the company now has to take steps to ensure that any data passed to a third party is correct for that customer and not belonging to any other customer. That is not rocket science.

It does not matter how or why the original error occurred, it matters that their procedures were not sufficient to identify incorrect data being passed to any third party.

boo_star

bandana22 wrote: »

Wrong.

If my credit rating etc had been impacted then that would have been anything but 'a minor inconvenience'

But it wasn't.

In this case it did not get that far. However, it COULD have done. Just think, my actions might be eliminating the same thing happening to you if you were a customer of this company.

Anything COULD have happened, but that's not relevant.

I have not wasted the time of any agency. The ICO found my complaint to be valid. Thus that cannot be a waste of time. If the company had agreed with me and accepted their procedures were inadequate then I would not have had to go first to the Ombudsman and then to the ICO.

You have wasted their time, the likelihood of anything happening over a minor mistake is remote at best. You want money and an apology. You were offered a generous amount of money for a minor inconvenience and turned it down because you got, in my opinion, greedy. And I think the apology request is a red herring, who really wants a meaningless platitude from a faceless corporation?

It's the failure of the company that resulted in these organisations having to deal with a complaint which the company now finds itself having to be corrected officially.

It did correct it, or at least tried. You refused to let them resolve it and wasted everyone's time in the process. Had you just taken the money that would have been the end of it, and very likely the company would have taken steps to avoid this happening in future. Most companies prefer not making mistakes over making them and throwing £50's worth of hush money at people every time something goes wrong.

bandana22

boo_star wrote: »

But it wasn't.

My credit rating etc was not impacted. IF it had been, I would be making a seriously bigger claim. I am claiming for what HAS happened. That's the point.

boo_star wrote: »

You have wasted their time, the likelihood of anything happening over a minor mistake is remote at best. You want money and an apology. You were offered a generous amount of money for a minor inconvenience and turned it down because you got, in my opinion, greedy. And I think the apology request is a red herring, who really wants a meaningless platitude from a faceless corporation?

The likelyhood is that it DID happen. You really do need to pay attention now.
I was offered an explanation that it was a clerical error and a gesture of £50. If it had been a clerical error, the ICO would not have found the company in breach of GDPR. That should be clear by now. I did not accept that company's explanation hence the ICO complaint. If the company genuinely felt that the issue was a 'clerical error' they have now being corrected by the ICO.

boo_star wrote: »

It did correct it, or at least tried. You refused to let them resolve it and wasted everyone's time in the process. Had you just taken the money that would have been the end of it, and very likely the company would have taken steps to avoid this happening in future. Most companies prefer not making mistakes over making them and throwing £50's worth of hush money at people every time something goes wrong.

Wrong.
They did not correct it because the failed to accept the real reason for the issue. If they assumed it was clerical error then they would not have been in a position to see that it was a failure of procedures.
Sure, most companies prefer not to make mistakes. They do sometimes. They need to be corrected and pay for their mistakes if that is appropriate.

Nothing complicated there!

Manxman_in_exile

No procedure can guarantee that wrong information can't be passed on. That's unreasonable.


What exactly didn't the energy company do? What exactly will they do in future?


They may well have had an adequate procedure in place but a mistake (eg misreading of the 'phone number) happened while following that procedure. It could even be that one person made an original mistake and the person responsible for checking the first person's work makes the same mistake. I've seen it happen.


You can't eliminate all mistakes and it's perfectly possible for wrong information to be passed on despite apparently watertight procedures. I don't see that the passing of wrong information necessarily proves by itself that correct procedures weren't followed.

boo_star

bandana22 wrote: »

My credit rating etc was not impacted. IF it had been, I would be making a seriously bigger claim. I am claiming for what HAS happened. That's the point.

So what's the point of mentioning what could have happened then? They could have handed over your details to a hitman and you could be dead right now, but they didn't so who cares?

The likelyhood is that it DID happen. You really do need to pay attention now.
I was offered an explanation that it was a clerical error and a gesture of £50. If it had been a clerical error, the ICO would not have found the company in breach of GDPR. That should be clear by now. I did not accept that company's explanation hence the ICO complaint. If the company genuinely felt that the issue was a 'clerical error' they have now being corrected by the ICO.

You misunderstand. I'm saying the likelihood of anybody doing anything to the energy company, for example the ICO fining them, is extremely low over a simple mistake.

Wrong.
They did not correct it because the failed to accept the real reason for the issue. If they assumed it was clerical error then they would not have been in a position to see that it was a failure of procedures.
Sure, most companies prefer not to make mistakes. They do sometimes. They need to be corrected and pay for their mistakes if that is appropriate.

Nothing complicated there!

They were going to pay for their mistake, £50 in fact. Bringing the issue to their attention is, in most instances, all a company needs in order to be "corrected."

bandana22

Manxman_in_exile wrote: »

No procedure can guarantee that wrong information can't be passed on. That's unreasonable.

Correct. Except, in this case there was no procedure in place.

Manxman_in_exile wrote: »

They may well have had an adequate procedure in place but a mistake (eg misreading of the 'phone number) happened while following that procedure. It could even be that one person made an original mistake and the person responsible for checking the first person's work makes the same mistake. I've seen it happen.

Again correct. So that would be human error as opposed to procedural error. In this case, retraining would be appropriate.
However, if a customer has been impacted by this failure then they are entitled to recompense. That's how it works.

Manxman_in_exile wrote: »

You can't eliminate all mistakes and it's perfectly possible for wrong information to be passed on despite apparently watertight procedures. I don't see that the passing of wrong information necessarily proves by itself that correct procedures weren't followed.

If the procedures were in place this would be true. In this case there were no procedures in place.

Would you not agree passing on information to a debt collection agency is a serious and important transaction?

If you do agree that, would you then not agree that this data being passed should be thoroughly checked and, as far as possible, ensure that everything is correct?

If you agree that, would you then not agree that a failure in this case where a completely innocent individual is subjected to erroneous demands from a debt collection is not acceptable? Where it does happen, said innocent individual is then entitled to recompense? No?

bandana22

boo_star wrote: »

So what's the point of mentioning what could have happened then? They could have handed over your details to a hitman and you could be dead right now, but they didn't so who cares?

Oh I don't know. I'm sure there are many who might care and had hoped my details had been passed to a hit man and, glory, I would indeed be dead by now. Not suggesting you might have been one of those hoping for such eventualities of course .....

boo_star wrote: »

You misunderstand. I'm saying the likelihood of anybody doing anything to the energy company, for example the ICO fining them, is extremely low over a simple mistake.

If you look at one of my earlier posts, you will see that I have stated the ICO does have the authority to fine a company. They did not do so in this case because the breach was not a severe level. They did though identify failure in procedures and staff training. Serious enough therefore.

boo_star wrote: »

They were going to pay for their mistake, £50 in fact. Bringing the issue to their attention is, in most instances, all a company needs in order to be "corrected."

I'm going to try this again. Are you with me now? Ok, focus. 1, 2 3. ....

The company DID NOT accept the reason for the error as being a failure in their procedures. I pointed out to them that their procedures were inadequate. They refused to accept that. I could have accepted their £50 at that point and closed the case. I choose not to do so.

As a result, the ICO has officially confirmed what I had pointed out to the company initially. They dismissed my advice/observations that their procedures were inadequate. The ICO has now told them exactly what I had told them previously. The only difference ....... they can't dismiss the ICO so easily.

We clear now?

boo_star

bandana22 wrote: »

Where it does happen, said innocent individual is then entitled to recompense? No?

About £50 should do it.

I'll point out that the largest post-GDPR fine to date was the BA one which amounted to roughly £366 per person affected. These are people who had their personal details and card details harvested by criminals and whose data is likely to be used in future for identity theft and card fraud. You want £500 for a company erroneously handing over your personal details to a regulated UK-based company who, at worst sent you a few nasty letters and annoyed you with a few phone calls before it got sorted.

You're being completely unrealistic.