GDPR and what constitutes a breach?

  • GDPR and what constitutes a breach?

    I was contacted by a collections company for a debt that had been *hiked up* (this is a whole new can of worms). The collections company had not bought the debt, just acting on behalf of
    so as this was the case I had tried to pay this bill with the creditor but had put the password in wrong twice. I was offered no help to reset the password or pay the bill; in fact I was refused to be allowed to pay the creditor on account I failed the security.

    This left me no option but to call the collections company and pay the *hiked up* price.
    During this call and before I paid, I was told I was being passed on to an agent who had a live system to my creditors.
    I asked if the collections company was part of my creditors' company.
    No they are not, was the answer.
    I mentioned I could not pay creditors as I failed the password security.
    I mentioned that if I cannot pay creditors directly on the grounds the password is either forgotten or input incorrectly, without being offered help to reset the password and try again, I personally had no choice but to contact a collections company who charged more, and that's unfair!
    Without prompting, the agent told me my password and he was correct!

    He then dropped me like a hot coal, and said after speaking to his manager
    they would not take my money either as they agreed I had a valid complaint,
    they closed my account with them
    sending it back to the creditor.

    Is there a breach in GDPR here? Does the collection agency really need a live system to my creditors? Are they in possession of too much information? How do I approach this?

    Oh and I contacted my creditors and asked if my password, you know the one I personally had to make up solely to keep my account secure, was passed on to debt collection companies. I was guaranteed 100% by a manager that it was not.

    Thanks in advance

  • #2
    Hmmm, passwords should be encrypted so no one at the original company, and certainly no one at any third party collection agency, should have it. It doesn't sound like it was a given password (like date of birth plus initials that you get for document access sometimes) but one you made up personal to you... I'd say it was certainly worth a complaint to the ICO but wonder if it's worth doing SARs to both companies first - particularly asking for telephone recordings - without specifying why.

    Did you get the bill paid in the end? Without the "hike" - presumably debt collection charges etc.
    #staysafestayhome

    Any support I provide is offered without liability, if you are unsure please seek professional legal guidance.

    Received a Court Claim? Read >>>>> First Steps



    • #3
      Hi Amethyst, thank you for reading and replying.

      Yes, I received the call between myself and the DCA the very next day by email, I have it in full on audio (first thing I requested)
      and yes I have SARs from both creditors and DCA on their way (or so they say).
      Yes I paid the original debt after the DCA kindly gave me my password.
      The *hike was put on by the creditor* but I guess that's how they pay the DCAs a percentage.



      • #4
        Superb - does the call have them telling you your password?

        Formal written complaint to the company and cc it to the ICO

        https://ico.org.uk/for-organisations...line-services/


        • #5
          A quick call to the ICO advice line, and the lady there has suggested that it all depends on the contract the DCA have with a creditor.
          If this is the case then DCAs having live systems at their fingertips (legally) into hundreds maybe even thousands of creditors' systems/databases
          leaves the GDPR not worth the ink it's written in surely?



          • #6
            Originally posted by Amethyst:
            Superb - does the call have them telling you your password?

            Formal written complaint to the company and cc it to the ICO

            https://ico.org.uk/for-organisations...line-services/

            Yes it clearly has the guy telling me my password



            • #7
              Cool, that link has some good points and references in to form your complaint - general data sharing, yes, that would depend on contract and relationship between companies, but passwords should not be readily visible - the most a 'live system' access bod should have been able to do would be to send you a reset password link - or set you a temp password up ... him being able to tell you it means their system isn't secure - just by way of example - I could not tell you what your password is to access legalbeagles - and I have access to everything - server / databases etc etc. - passwords are all encrypted.

              Can you tell us the names of the companies involved?
              Or have you done some digging into their relationship.


              • #8
                That link is priceless to me, thank you, and I am going to make a formal complaint and cc ICO in as you suggested.
                I am still digging and am pretty sure they are independendant of each other but the DCA is rather interesting, so not sure I want to make my findings public at the moment



                • #9
                  Typo what typo?



                  • #10
                    independendant
                    Like banananana, or Brititish Rail?

                    CAVEAT LECTOR

                    This is only my opinion - "Opinions are made to be changed --or how is truth to be got at?" (Byron)

                    You and I do not see things as they are. We see things as we are.
                    Cohen, Herb


                    There is danger when a man throws his tongue into high gear before he
                    gets his brain a-going.
                    Phelps, C. C.


                    "They couldn't hit an elephant at this distance!"
                    The last words of John Sedgwick



                    • #11
                      I'm going to be controversial and say that I read this as something entirely different to you Amethyst. It doesn't sound like a password in the ordinary sense like a username and password to login to your online account, rather it sounds like a security password for verification purposes and to ensure the person on the phone is who they are. Plenty of companies have this sort of password verification process including the likes of Sky and EE and having worked for Sky back in my university days, the password wasn't encrypted or blanked out, otherwise you wouldn't be able to verify if the password was correct (that said you couldn't access the rest of the account without confirming that the security questions had been verified). A verification password to my mind is something different to a password stored in an encrypted database which is what I think you are alluding to in your earlier post.

                      Anyway, I think for the benefit of Tea anyone? let's clear up a few misconceptions. The GDPR does not prohibit the transferring or processing of personal data by anyone other than the data controller, instead it regulates the way personal data is processed and that includes access to or disclosure of personal data. Many companies use third parties to provide services on their behalf (also known as outsourcing) and you will find that the likes of Sky, EE, financial services and even the government will outsource services to a third party, meaning that those third parties may have access to the same systems as the data controller so that a seamless service can be provided.

                      I think your case is no different. There are likely to be genuine and legitimate reasons why the creditor has allowed the debt collection agency access to its systems whilst being instructed to collect the debt on its behalf; those reasons might be speed, cost, resource etc.

                      Has there been a data breach? The disclosure of the password without first verifying the identity would technically amount to a data breach.

                      Was there any loss? Based on the contents of this thread, no.

                      Does that affect the debt being owed? No.

                      Whilst I understand you wanting to report this as a data breach to the ICO, I wouldn't expect anything big to come from it and it may be that the ICO considers it appropriate to educate the DCA. Of course if it turns out the DCA has no policies or procedures or that there's a lack of data protection awareness amongst employees due to inadequate training, then that might be a different story.

                      Either way, I don't think it changes the outcome of you owing the debt or if you might somehow think the debt should be reduced. I suppose if you are looking to recover any part of the debt, you could make a complaint to the DCA and seek compensation that way, with the threat of reporting them to both the DCA and the creditor.

                      If you have a question about the voluntary termination process, please read this guide first, as it should have all the answers you need. Please do not hijack another person's thread as I will not respond to you
                      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                      LEGAL DISCLAIMER
                      Please be aware that this is a public forum and is therefore accessible to anyone. The content I post on this forum is not intended to be legal advice nor does it establish any client-lawyer type relationship between you and me. Therefore any use of my content is at your own risk and I cannot be held responsible in any way. It is always recommended that you seek independent legal advice.



                      • #12
                        This is why it's useful to know who the companies are. Some you have to give a full password but normally I'm asked for specific letters from my password and the operator only sees the letters I'm asked for to confirm.

                        Comment
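The arrangement described in posts #7 and #12 (the agent can run a check or trigger a reset but can never read the stored word), as an added example that is not part of the thread and not any company's actual system. All names (`PartialPasswordVault`, `MAX_FAILURES`, the account id and sample word) are hypothetical, and keyed per-character tags are one possible design whose strength rests entirely on keeping the service key away from agents and from the database.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # assumed lockout threshold, not taken from the thread


class PartialPasswordVault:
    """Back-end service. The agent console only calls challenge(), check(), agent_view()."""

    def __init__(self, service_key: bytes):
        self._key = service_key   # assumption: held by the service (e.g. an HSM), never by agents
        self._records = {}        # account -> (salt, [one keyed tag per character])
        self._failures = {}
        self._pending = {}        # account -> positions of the outstanding challenge

    def _tag(self, salt: bytes, pos: int, ch: str) -> bytes:
        msg = salt + pos.to_bytes(2, "big") + ch.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enrol(self, account: str, word: str) -> None:
        """Store only keyed tags; also serves as the reset path after a lockout."""
        salt = secrets.token_bytes(16)
        self._records[account] = (salt, [self._tag(salt, i, c) for i, c in enumerate(word)])
        self._failures[account] = 0

    def challenge(self, account: str, count: int = 3) -> list:
        """Return the 1-based positions the agent should ask the caller for."""
        length = len(self._records[account][1])
        picks = sorted(secrets.SystemRandom().sample(range(length), count))
        self._pending[account] = picks
        return [p + 1 for p in picks]

    def check(self, account: str, letters: list) -> str:
        """Return 'ok', 'fail' or 'locked'. The stored word is never returned."""
        if self._failures[account] >= MAX_FAILURES:
            return "locked"
        picks = self._pending.pop(account, None)   # one answer per challenge, no replay
        salt, tags = self._records[account]
        good = picks is not None and len(letters) == len(picks)
        if good:
            for pos, ch in zip(picks, letters):
                good &= hmac.compare_digest(self._tag(salt, pos, ch), tags[pos])
        self._failures[account] = 0 if good else self._failures[account] + 1
        return "ok" if good else "fail"

    def agent_view(self, account: str) -> dict:
        """Everything an agent screen is allowed to render for this account."""
        return {"account": account, "locked": self._failures[account] >= MAX_FAILURES}
```
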


                        • #13
                          Sure, I get what you are saying, but I don't think the fact that a company has specifically masked or unmasked a password amounts to a data breach. That's more to do with business policy and processes and unless that policy has been breached, I wouldn't get too hung up on it, and instead focus on the disclosure aspect.

                          Take for example, that the ICO suggests in their guidance that businesses should encrypt all emails but the fact that they don't doesn't mean it's a breach.


                          • #14
                            Hi Rob, thank you for the reply. No, I wasn't concerned about reducing the debt, apart from paying a hiked up price (which I did not).
                            Recovering part of the debt is not what I was after (hadn't even crossed my mind).
                            Owing the debt was not the issue, I was actually trying to pay it!
                            "Has there been a data breach? The disclosure of the password without first verifying the identity would technically amount to a data breach"
                            Now that's the stuff I am after ^^^^^^^
                            and also to call to question why a DCA needs to have that amount of information





                            • #15
                              Originally posted by Amethyst:
                              This is why it's useful to know who the companies are. Some you have to give a full password but normally I'm asked for specific letters from my password and the operator only sees the letters I'm asked for to confirm.

                              Yes Amethyst, the creditor wanted specific letters from my password, the DCA just gave me the whole thing and like Rob said it probably does not matter
                              it did sound odd though
