Received someone else’s DSAR, would you tell them?

Hi

I made a DSAR to my bank and it arrived as a hard copy within the permitted time frame; however, it also included another customer's DSAR. This was quite a few pages long, including their personal contact info, full details of the 2 accounts they hold with the bank, details of their complaint, internal emails between various bank employees, transaction info and other details.

If I was a fraudster I would probably have enough info to commit fraud on their account, luckily I’m not. 

I told the bank and let them know, they didn’t seem too bothered about what I consider a serious data breach. 

As I have the contact details of the other person should I let them know? I’d like to know if someone else had my data. I did ask the bank if they would let the customer know but they were evasive in their response but I get the impression they won’t be contacting the customer. 

Thanks 

Comments

  • born_again
    While they may not contact the customer (they should), it will have to be reported internally to the data controller, who in turn will have to report to the ICO.

    Personally I would not contact the 3rd party, although you could forward the post to them & they could then raise it with the banks.

    Quite surprised you did not get a few £££ for raising the issue. Might be worth going back with a complaint 👍 given the previous reply you got.


    Life in the slow lane
  • eskbanker
    sonypc100 said:
    I told the bank and let them know, they didn’t seem too bothered about what I consider a serious data breach. 

    As I have the contact details of the other person should I let them know? I’d like to know if someone else had my data. I did ask the bank if they would let the customer know but they were evasive in their response but I get the impression they won’t be contacting the customer. 
    What the bank does in response to being informed of their error is nothing to do with you, but you could report the matter to the ICO yourself if you don't feel you were taken seriously.
  • sonypc100
    While they may not contact the customer (they should), it will have to be reported internally to the data controller, who in turn will have to report to the ICO.

    Personally I would not contact the 3rd party, although you could forward the post to them & they could then raise it with the banks.

    Quite surprised you did not get a few £££ for raising the issue. Might be worth going back with a complaint 👍 given the previous reply you got.


    I did receive £100 but this was due to the fact that they hadn’t responded within 8 weeks
  • sonypc100
    eskbanker said:
    sonypc100 said:
    I told the bank and let them know, they didn’t seem too bothered about what I consider a serious data breach. 

    As I have the contact details of the other person should I let them know? I’d like to know if someone else had my data. I did ask the bank if they would let the customer know but they were evasive in their response but I get the impression they won’t be contacting the customer. 
    What the bank does in response to being informed of their error is nothing to do with you, but you could report the matter to the ICO yourself if you don't feel you were taken seriously.
    ICO report done earlier today so I’ll see what that brings 
  • Emmia
    edited 8 November at 8:22AM
    I think if I got contacted by someone random (i.e. the OP) about this sort of thing, I'd probably assume that they are a scammer, and would delete the email, bin the letter or be rather rude on the phone.

    The OP has reported the error to the bank, so I'd either send back the erroneous paperwork, or I'd shred it.
  • boingy
    edited 8 November at 8:42AM
    Emmia said:
    I think if I got contacted by someone random (i.e. the OP) about this sort of thing, I'd probably assume that they are a scammer, and would delete the email, bin the letter or be rather rude on the phone.

    Exactly this. 
    "Hi, you don't know me but I've got all your personal details"....   :o
  • friolento
    boingy said:
    Emmia said:
    I think if I got contacted by someone random (i.e. the OP) about this sort of thing, I'd probably assume that they are a scammer, and would delete the email, bin the letter or be rather rude on the phone.

    Exactly this. 
    "Hi, you don't know me but I've got all your personal details"....   :o
    No, it’s “Hi, I don’t know you but enclosed is all the information about you that xyz bank sent to me in error. I have already told them but I thought you might want to know in case they won’t inform you of this serious data breach. Feel free to quote me as a witness if required”.
  • eskbanker
    sonypc100 said:
    I told the bank and let them know, they didn’t seem too bothered about what I consider a serious data breach.
    friolento said:
    No, it’s “Hi, I don’t know you but enclosed is all the information about you that xyz bank sent to me in error. I have already told them but I thought you might want to know in case they won’t inform you of this serious data breach. Feel free to quote me as a witness if required”.
    On the face of it, it's undoubtedly a data breach, but I'd question its categorisation as 'serious', in objective terms.

    If you look at the types of cases that are deemed serious enough to warrant ICO enforcement action (out of the thousands referred to them every month), then it's clear that inadvertent disclosure of one person's bank details to another is nowhere near that end of the scale, which is typically for deliberate or egregious breaches, although if the bank concerned has routinely done this many times and failed to take any corrective action then that might be evaluated differently:

    https://ico.org.uk/action-weve-taken/enforcement/
  • born_again
    sonypc100 said:
    While they may not contact the customer (they should), it will have to be reported internally to the data controller, who in turn will have to report to the ICO.

    Personally I would not contact the 3rd party, although you could forward the post to them & they could then raise it with the banks.

    Quite surprised you did not get a few £££ for raising the issue. Might be worth going back with a complaint 👍 given the previous reply you got.


    I did receive £100 but this was due to the fact that they hadn’t responded within 8 weeks
    So the complaint went to the Ombudsman?
    Life in the slow lane
  • friolento
    edited 8 November at 12:42PM
    eskbanker said:
    sonypc100 said:
    I told the bank and let them know, they didn’t seem too bothered about what I consider a serious data breach.
    friolento said:
    No, it’s “Hi, I don’t know you but enclosed is all the information about you that xyz bank sent to me in error. I have already told them but I thought you might want to know in case they won’t inform you of this serious data breach. Feel free to quote me as a witness if required”.
    On the face of it, it's undoubtedly a data breach, but I'd question its categorisation as 'serious', in objective terms.

    If you look at the types of cases that are deemed serious enough to warrant ICO enforcement action (out of the thousands referred to them every month), then it's clear that inadvertent disclosure of one person's bank details to another is nowhere near that end of the scale, which is typically for deliberate or egregious breaches, although if the bank concerned has routinely done this many times and failed to take any corrective action then that might be evaluated differently:

    https://ico.org.uk/action-weve-taken/enforcement/

    You might be less concerned than me if your details and information about your banking transactions get shared with a stranger without my permission or my knowledge - to me that is a serious encroachment and I would like to see it treated as such. In the first instance, I would not run to the ICO but expect the bank to sort it to my satisfaction.