How safe is YOUR sensitive information.
Nikkeboentje writes:
I recently discovered that Irish Life started sending letters to my old address (I have not lived there since September 2010). I believe this started around April 2014.
The letters included half yearly statements and other financial information of investments that I have with Irish Life. It is information that I don’t really want anyone to know about, especially not the tenants who are now living in my house.
Anyway, I asked Irish Life to make a formal investigation of why this happened (they were not aware of the issue until I notified them) and if it was necessary to inform the Data Protection Commissioner. They said that their compliance team would be looking into it.
After several weeks, I was told that it was a system error when they updated software. They did not tell me how many other clients were affected but they said that I was not the only one. They also said that they would notify the Data Protection Commissioner.
I contacted the Data Protection Commissioner’s office directly to ensure that the breach had been reported…it had NOT been. So, the Data Protection Commissioner’s office contacted Irish Life.
I had an update from the Data Protection Commissioner’s office to day and what REALLY surprised me is that they have no power to prosecute or penalise financial institutions over a breach of data protection (I am not referring to my personal issue but generally).
If a financial institution sent the wrong letters (containing sensitive information) to hundreds or thousands of clients, they cannot be punished under the current legislation. However, if I received an unsolicited text message from a financial institution, then they could be fined €5,000.
It shocked me a bit to think that there is currently no penalty for companies who have a serious breach of data protection (again I am not referring to my little incident but more generally).
Anyone?
(IrishLife/Independent.ie)
Surely a misplaced letter is potentially more damaging than a text/email?
My thoughts exactly. There is currently better legislation (penalties) for unsolicited calls/texts than there is for a mass breach of data such as sending letters to the wrong address.
Yes, it shocked me a few years ago to discovered that Bord Gais had been sending my bills (which listed my new address) to my ex boyfriends apartment (note, I didn’t want him to know where I was now living). Not only that, but they accessed my bank account (without my knowledge) and took a few hundred quid for the deposit for services at my new address.
Firstly, I had a previous account with them with excellent credit rating and direct debit etc, so there was no need for a security deposit, secondly, I hadn’t furnished them with any of my details of my new address. My landlord had phoned them when I moved in (he’s a sound guy, and sure he didn’t know my bank details either) and said Miss ‘me’ is moving in on the first of the month etc. ESB sent me a pack for new service, and that was grand. Whereas I was waiting for a similar pack from Bord Gais but nothing arrived. Then later that month I spotted money swiped from my bank account by BG. I had ructions with them, and this went on for several months. Turns out they made a ‘litany of errors’ with the administration of my account, which they had set it up in my new address but with the billing being sent to my previous address (ie my ex’s) and so I presume he opened that post and knew where I had moved to. I was livid. Data Protection investigated and confirmed that BG had broken the Data Protection laws several times with regard to my personal information.
Guess what was done about? Sweet Fanny Adams!!! No solicitor would take the case for me because there was no benchmark to work from even though everyone agreed it was appalling and illegal.
So there ya go.
When i moved in to my apartment we kept getting stuff sent from banks addressed to other people, which I returned. Then Maybe a year or so passed and MBNA sent me a gold card which wasn’t mine, Which I binned out of frustration at so maybe bloody letters being sent. A few days later they sent me a letter with the pin code. I do regret binning that card.
I get bank statements and life assurance/insurance information regularly sent to my house for different previous owners as well, not just the one. I have no interest in this information, but it’s from more than one institution. I always assumed it was down to the person not updating their address with the various institutions.
I should also mention that Irish Life tried to fob me off with a €50 one-for-all voucher. But when the letter arrived in the post, they forgot to include the voucher and had to telephone me to apologise!
ha!
+50 quid
New data protection legislation is on the way (“Expected” to be put in place in 2015). It’ll have more teeth, but only slightly.
But yes, OP’s point is fundamentally correct. The current DPA is more or less toothless.
The DPC has civil enforcement powers including the power to issue directions to ensure compliance with the DP Acts and to order a data controller (like Irish Life here) to desist from a practice that puts them in breach.
There are criminal offences under the Acts but the situation outlined in the OP (basically, negligent maintenance and disclosure of personal data) doesn’t seem to be one that is going to provoke a dawn raid. The failure to report a breach of good practice and an inadvertent disclosure is more likely to result in a Very Stern Talking To.
For the Honours students, a list of offences under the Acts is here:
http://www.dataprotection.ie/docs/Offences_and_Penalties_under_the_Data_Protection_Act/97.htm
aye indeed, but what good is a stern talking to? Nobody is held accountable, a generic “we’re sorry” from a non personal letter doesn’t undo the damage done, for example in my case where they had posted and therefore disclosed my new address to my ex (causing months of stress, anxiety, etc) as well as them illegally accessing my bank account without authorisation (ok they eventually refunded it but I was out of pocket to the tune of several hundred quid for a few weeks when I was seriously strapped for cash).
A stern few words with some office nobody with thick skin who hears complaints everyday is not a deterrent to make these companies more accountable or more careful. End of the day – they don’t give a poo and nobody in authority gives a poo either because cases like the original poster, or my own, we’re just nobodies and our privacy means nothing to the big guys, they don’t give a toss about the personal consequences their sloppiness causes.
Believe me, I wasn’t taking it lying down and got solicitors involved, but at the end of the day, nothing could be done. Frustrating, costly (to me) and was just a slight ruffle of paper-work for a few mins to these blank faces in these companies :(
Not fair
D’accord
This happened my landlord too (she used to live in my apartment).
What harm have you actually suffered? Case over.
I HATE ALL PEOPLE.
Signed
Joe The Lion.
Been there Joe, stick it out
Don’t worry – I shall.
@Joe The Lion
Someone could steal your identity/money with these documents.
But there is no evidence that they have. It’s a load of whingeing about nothing much.
So long as the people who get other people’s data aren’t criminals, why worry?
There are already laws in place to counter criminal activity.
The principle of law is that harm has to be demonstrably suffered in order to claim damages.
In this case Irish Life have been irresponsible and careless but no harm has been shown. They have just acted like anyone else e.g. a friend or former acquaintance who writes to your old address after you have moved on.
If the ex-boyfriend or whatever has opened someone’s mail illegally – that is a criminal matter. But no evidence has been presented to that effect. The criminal act is the act of the intercepter making unlawful use of information that was expressly not meant to be communicated to the intercepter as opposed to the erroneous transmission of the message.
And if the letters are opened illegally and the information used for a Crime, Irish Life or whomever shouldn’t be held responsible for posting the letter to the wrong address?
And remember folks, our Data Protection Commissioner is responsible for policing Facebook, Twitter, etc for the whole of Europe, since they’re based in Ireland.
Good times.