Hmmm passwords should be encrypted so no one at the original company , and certainly no one at any third party collection agency should have it. It doesn't sound like it was a given password ( like date of birth plus initials that you get for document access sometimes) but one you made up personal to you..... I'd say it was certainly worth a complaint to the ICO but wonder if its worth etc doing SARs to both companies first - particularly asking for telephone recordings - without specifying why.

Did you get the bill paid in the end ? Without the "hike" - presumably debt collection charges etc.

Hi Amethyst, Thank you for reading and replying

Yes, i received the call between myself and dca the very next day by email, i have it in full on audio ( first thing i requested )
and yes i have SAR's from both creditors and dca on their way ( or so they say )
Yes i paid the original debt after the dca kindly gave me my password
The *hike was put on by the creditor* but i guess that's how they pay the dca's a percentage.

Superb - does the call have them telling you your password ?

Formal written complaint to the company and cc it to the ICO

https://ico.org.uk/for-organisations...line-services/

A quick call to the ICO advice line, and the lady there has suggested that it all depends on the contract the dca have with a creditor
if this is the case then dca's having live systems at their fingertips (legally) into hundreds maybe even thousands of creditor's systems/ databases
leaves the GDPR not worth the ink it's written in surely?

Yes it clearly has the guy telling me my password

Cool that link has some good points and references in to form your complaint - general data sharing, yes, that would depend on contract and relationship between companies, but passwords should not be readily visible - the most a 'live system' access bod should have been able to do would be to send you a rest password link - or set you a temp password up ... him being able to tell you it means their system isn't secure - just by way of example - I could not tell you what your password is to access legalbeagles - and I have access to everything - server / databases etc etc. - passwords are all encrypted.

Can you tell us the names of the companies involved ?
Or have you done some digging into their relationship.

That link is priceless to me, thank you and i am going to make a formal complaint and cc ICO in as you suggested
I am still digging and am pretty sure they are independendant of each other but the dca is rather interesting, so not sure iwant to make my findings public at the moment

Typo what typo?

Like banananana, or Brititish Rail?

I'm going to be controversial and say that I read this as something entirely different to you Amethyst. It doesn't sound like a password in the ordinary sense like a username and password to login to your online account, rather it sounds like a security password for verification purposes and to ensure the person on the phone is who they are. Plenty of companies have this sort of password verification process including the likes of Sky and EE and having worked for Sky back in my university days, the password wasn't encrypted or blanked out, otherwise you wouldn't be able to verify if the password was correct (that said you couldn't access the rest of the account without confirming that the security questions had been verified). A verification password to my mind is something different to a password stored in an encrypted database which is what I think you are alluding to in your earlier post.

Anyway, I think for the benefit of Tea anyone? let's clear up a few misconceptions. The GDPR does not prohibit the transferring or processing of personal data other than the data controller, instead it regulates the way personal data is processed and that includes access to or disclosure of personal data. Many companies use third parties to provide services on their behalf (also known as outsourcing) and you will find that the likes of Sky, EE, financial services and even the government will outsource services to a third party meaning that those third parties may have access to the same systems as the data controller so that a seamless service can be provided.

I think your case is no different. There likely to be genuine and legitimate reasons why the creditor has allowed the debt collection agency access to its systems whilst being instructed to collect the debt on its behalf, those reasons might be speed, cost, resource etc.

Has there been a data breach? The disclosure of the password without first verifying the identity would technically amount to a data breach.

Was there any loss? Based on the contents of this thread, no.

Does that affect the debt being owed? No.

Whilst I understand you wanting to report this as a data breach to the ICO, I wouldn't expect anything big to come from it and it may be that the ICO considers it appropriate to educate the DCA. Of course if it turns out the DCA has no policies or procedures or that there's a lack of data protection awareness amongst employees due to inadequate training, then that might be a different story.

Either way, I don't think it changes they outcome of you owing the debt or if you might somehow think the debt should be reduced. I suppose if you are looking to recover any part of the debt, you could make a complaint to the DCA and seek compensation that way, with the threat of reporting them to both the DCA and the creditor.

This is why it's useful to know who the companies are. Some you have to give a full password but normally I'm asked for specific letters from my password and the operator only sees the letters I'm asked for to confirm.

Sure, I get what you are saying, but I don't think the fact that company has specifically masked or unmasked a password amounts to a data breach. That's more to do with business policy and processes and unless that policy has been breached, I wouldn't get too hung up on it, and instead focus on the disclosure aspect.

Take for example, that the ICO suggests in their guidance that businesses should encrypt all emails but the fact that they don't doesn't mean its a breach.

Hi Rob, Thank you for the reply, No i wasn't concerned about reducing the debt, apart from paying a hiked up price ( which i did not)
Recovering part of the debt is not what i was after ( hadn't even crossed my mind)
Owing the debt was not the issue, i was actually trying to pay it!
"Has there been a data breach? The disclosure of the password without first verifying the identity would technically amount to a data breach"
Now That's the stuff i am after ^^^^^^^
and also to call to question why a DCA needs to have that amount of information

Yes Amethyst, the creditor wanted specific letters from my password, the DCA just gave me the whole thing and like Rob said it probably does not matter
it did sound odd though