As a hard-and-fast rule, companies have a responsibility under the Data Protection Act (DPA) to use and store sensitive information correctly. Although the law is there, not all organisations successfully uphold the regulations they’re supposed to.
So, in this example, what can you do if a debt recover company has leaked your private information? Do you have a valid claim for Data Leak Compensation?
The DPA contains eight primary principles that companies should adhere to:
- Personal data should be processed fairly and lawfully;
- Personal data should be obtained only for one or more specified and lawful purposes;
- Personal data shall be adequate, relevant and not excessive;
- Personal data should be accurate and where necessary kept up to date;
- Personal data should not be kept for longer than necessary;
- Personal data should be processed in accordance with the individual rights under the Act;
- Personal data should be kept secure;
- Personal data should not be transferred outside the European Economic Areas unless the country offers adequate data protection.
Debt recovery companies’ responsibilities
When it comes to debt recovery companies, the responsibilities don’t vary too much. As data controllers, a debt recovery company still owes the same responsibilities to individuals listed above. If they fail to do so, they can be subject to severe scrutiny from the Information Commissioner’s Office (ICO) – the U.K.’s data privacy watchdog.
What constitutes as a data breach?
As defined by the ICO, a personal data breach is:
“…a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.”
As the ICO explains, this may be intentional or unintentional. Either way it still amounts to a data breach.
Is debt sensitive information?
A data leak by a debt recovery company will almost certainly be considered as a leak of sensitive information, as many people who are in debt wouldn’t usually want people to know.
If the ICO sufficiently finds there to be an infringement of your privacy rights and that the company has breached their DPA responsibilities, they can impose a monetary penalty on the company. These penalty notices are designed for serious contraventions of the DPA, and mustn’t exceed £500,000. Recently, TalkTalk was fined £400,000 for their massive data breach.
Debt is something that I’m sure many individuals would like to keep quiet. If the debt recovery company has leaked personal data of the said individuals, this could have many consequences for them. As a result, a person may have good grounds to make a claim.
Data breaches by debt recovery companies
Following a Freedom of Information request by Gladys Evening, the ICO confirmed that, from 2011-12, there were 13 and 88 occasions where the ICO observed breaches of the DPA by debt collection agencies.
The Financial Ombudsman are also equipped to deal with complaints of a financial nature. This also ties in with data protection privacy. One case study details where a consumer complained after a debt collector left debt details on his front door. As Mr M arrived home from work, he was told by a neighbour that a debt collector had been asking after him. There was a note on his front door, explaining they’d visited about arrears on his loan.
This is most certainly a data privacy breach, as Mr M’s personal details and financial circumstances were on full display, and anyone could’ve seen it. The Financial Ombudsman told the debt collector to offer Mr M £400 for the worry and embarrassment for their actions. There are many of these occasions that would constitute as a data protection breach and warrant action under the DPA.
Your financial circumstance is highly sensitive data. If you believe it’s been wrongfully used or leaked, please don’t hesitate to contact us. Our dedicated and experienced team of lawyers may be able to proceed with your claim.
IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.
Request a call back from our team
Fill out our quick call back form below and we'll contact you when you're ready to talk to us.
All fields marked with an * are required.