Vision Direct - SMS texts not meant for me with links to personal customer information

dinglebert

KatrinaWaves said:

dinglebert said:

KatrinaWaves said:

Your mobile number without any other corresponding details is just an 11 digit number. It is not personal information, any more than your date of birth, or your address. It is random data with nothing tied to it. 

if you blocked the number nothing would happen, at all. 

That is incorrect.  It is considered personally identifiable information and is a breach of DPA 2018.  With a date of birth and address you can identify the person concerned.  Just the same as an email is personally identifiable as is a car number plate.

okay: 07896345765

How is that personally identifiable? It’s not.

Let’s try 12/04/1983. Is that personally identifiable? No.

How about 6 Long Street, York. Is that personally identifiable? No.

Add a name into a few of those and sure, but the info by itself is NOT personally identifiable. I just made up all those details. You can do nothing with them. You could write a random letter to that fake address or text that random number, but not gonna get anyone anywhere. 

You are wrong.   I work in Information Governance and it is considered identifable.  you can disagre all you like but your will be disagreeing with the officall ICO position on it.

Have a read here

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/can-we-identify-an-individual-indirectly/

There are many others.

The following is a non-exhaustive list of information that could constitute personal data on the basis that it allows for an individual to be singled out from others:

• car registration number and/or VIN;
• national insurance number;
• passport number; or
• a combination of significant criteria (eg age, occupation, place of residence).

The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. In practice, these also include all data which are or can be assigned to a person in any kind of way. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.

• Biographical information or current living situation, including dates of birth, Social Security numbers, phone numbers and email addresses.
• Looks, appearance and behaviour, including eye colour, weight and character traits.
• Workplace data and information about education, including salary, tax information and student numbers.
• Private and subjective data, including religion, political opinions and geo-tracking data.
• Health, sickness and genetics, including medical history, genetic data and information about sick leave.

Blackbeard_of_Perranporth

I'll get the popcorn!

dinglebert

Blackbeard_of_Perranporth said:

I'll get the popcorn!

No point. I am describing the legal viewpoint from the ICO who are in charge of ensuring that the GDPR rules are enforced. Katrinawaves is giving their opinion and thinking that just publishing certain pieces of information about people doesn't make it identifiable.  The law says different.

lincroft1710

KatrinaWaves said:

dinglebert said:

KatrinaWaves said:

Your mobile number without any other corresponding details is just an 11 digit number. It is not personal information, any more than your date of birth, or your address. It is random data with nothing tied to it. 

if you blocked the number nothing would happen, at all. 

That is incorrect.  It is considered personally identifiable information and is a breach of DPA 2018.  With a date of birth and address you can identify the person concerned.  Just the same as an email is personally identifiable as is a car number plate.

Let’s try 12/04/1983. 

I always thought you were younger!

stragglebod

I've recently got somebody's text reminders for their appointments at Boot's opticians in Glasgow. I didn't realise I was supposed to be horrified about it. Does anyone have a list of stuff that I should be getting upset about so I can check what changes I need to make in my life?

KatrinaWaves

dinglebert said:

Blackbeard_of_Perranporth said:

I'll get the popcorn!

No point. I am describing the legal viewpoint from the ICO who are in charge of ensuring that the GDPR rules are enforced. Katrinawaves is giving their opinion and thinking that just publishing certain pieces of information about people doesn't make it identifiable.  The law says different.

I’m genuinely concerned for information governance if you honestly  think a phone number in isolation make someone identifiable. By your link apparently I can’t even say ‘blonde hair’ without that being identifiable information 😂😂

anyway as you’re now talking about publication, where was it published? 

The OP received a text message. Who ‘published’ their information? 

dinglebert

stragglebod said:

I've recently got somebody's text reminders for their appointments at Boot's opticians in Glasgow. I didn't realise I was supposed to be horrified about it. Does anyone have a list of stuff that I should be getting upset about so I can check what changes I need to make in my life?

Depends on your viewpoint on information security.  Someone making an error in putting in a telephone number is no big deal.  Someone missing out on an appointment because a company will not rectify an error is potentially a real problem. Equally someone getting access to someone else medical information is a big problem.and it happens frequently

born_again

dinglebert said:

s

Depends on your viewpoint on information security.  Someone making an error in putting in a telephone number is no big deal.  Someone missing out on an appointment because a company will not rectify an error is potentially a real problem. Equally someone getting access to someone else medical information is a big problem.and it happens frequently

So that answers the OP'S question.

We have no idea where the issue started, if it has been deleted by the co & then input wrong by customer.

dinglebert

KatrinaWaves said:

dinglebert said:

Blackbeard_of_Perranporth said:

I'll get the popcorn!

No point. I am describing the legal viewpoint from the ICO who are in charge of ensuring that the GDPR rules are enforced. Katrinawaves is giving their opinion and thinking that just publishing certain pieces of information about people doesn't make it identifiable.  The law says different.

I’m genuinely concerned for information governance if you honestly  think a phone number in isolation make someone identifiable. By your link apparently I can’t even say ‘blonde hair’ without that being identifiable information 😂😂

anyway as you’re now talking about publication, where was it published? 

The OP received a text message. Who ‘published’ their information? 

You keep mixing up that I am offering an opinion.  Its not an opinion its the law as stated by the ICO and they state a telephone number makes it identifable.  You can disagree all you like but it won't make you right.

The blond hair bit needs to be taken in context.  Lets say you are conducting a survey of a classroom of people and their political opinions.  You have promised that all answers will remain anonymous but that you will be using other characteristics to view trends. eg the over 40's tended to vote one way the under 40's in a different way.  The example would be 60% of people in the class with brown hair would vote labour but 100% of the people with blond hair would vote Tory.  There is only one person with blond hair so you have identified them.  Therefore using hair colour in that context would not be allowed.

The publication is when it was sent to the OP in a text message.  It was written down and sent to someone who read it.  I won't be responding again you clearly just want to argue and I can't be bothered.

KatrinaWaves

You need to honestly have a good think about what identifiable means as a phone number on its own, which is what we’re talking about, is not