Data Protection Breech

piplip87

Hi Guys,

Hopefully I can get some help here.

I recently moved house and one of the addresses I forgot to change was my local credit union. They sent out their quarterly statement to my old address and it got sent back as "No longer at this address".



Today my partner got a phone call from his mother, who stated the letter was hand delivered to her house. I have never lived in this house. The letter is a statement so it has fairly personal information on it. The letter was not opened but I am fuming and I am not letting this go.
While my partners mother is fuming because a hand delivered letter from the CU(Delivered by an ex Guard) usually means arrears and neighbors talking
Surely there is a breech of DP here ?

lifeandtimes

piplip87 wrote: »

Hi Guys,

Hopefully I can get some help here.

I recently moved house and one of the addresses I forgot to change was my local credit union. They sent out their quarterly statement to my old address and it got sent back as "No longer at this address".



Today my partner got a phone call from his mother, who stated the letter was hand delivered to her house. I have never lived in this house. The letter is a statement so it has fairly personal information on it. The letter was not opened but I am fuming and I am not letting this go.

Have you contacted them to ask how they sent the letter to that address?

Strange that they sent it too your partners mothers address but we need more information?

Do you and your partner share an account and does his mother have an account with the same credit union?

piplip87

[QUOTE=lifeandtimes;105111161]Have you contacted them to ask how they sent the letter to that address?

No I have not contacted them yet as they only open half day Saturday and letter was delivered after 4 this evening.

Do you and your partner share an account and does his mother have an account with the same credit union?[/QUOTE]


No we do not share an account and yes the mother does have an account with them. The letter was also hand delivered. She did not open the letter but it still contain information regarding loans and savings. I might add I go to the credit union every week without fail so there was ample opportunity to give it to me in person.

I admit not changing my address with them was an error but to give my personal financial information deliberately to somebody else is wrong. For all they knew myself and my partner could have split.

Kristopherus

piplip87 wrote: »

[QUOTE=lifeandtimes;105111161]Have you contacted them to ask how they sent the letter to that address?

No I have not contacted them yet as they only open half day Saturday and letter was delivered after 4 this evening.

Do you and your partner share an account and does his mother have an account with the same credit union?

No we do not share an account and yes the mother does have an account with them. The letter was also hand delivered. She did not open the letter but it still contain information regarding loans and savings. I might add I go to the credit union every week without fail so there was ample opportunity to give it to me in person.

I admit not changing my address with them was an error but to give my personal financial information deliberately to somebody else is wrong. For all they knew myself and my partner could have split.[/QUOTE]

You're fussing over nothing. Your own error is the cause of the useless fuss. How do you prove that an unopened letter is a breach of DP?

Ghekko

When working in the bank if a letter was returned like that we'd have to ensure address details were changed to the bank branch while an attempt was made to get new details. It seems that someone in CU knows you're linked to your partners mother and probably thought they were doing you a favour. I wouldn't be happy and you should most definitely contact your CU to ask why this person had it in the first place - does he work or volunteer at the CU?

Fred Swanson

This post has been deleted.

Clareman

piplip87 wrote: »

Hi Guys,

Hopefully I can get some help here.

I recently moved house and one of the addresses I forgot to change was my local credit union. They sent out their quarterly statement to my old address and it got sent back as "No longer at this address".



Today my partner got a phone call from his mother, who stated the letter was hand delivered to her house. I have never lived in this house. The letter is a statement so it has fairly personal information on it. The letter was not opened but I am fuming and I am not letting this go.
While my partners mother is fuming because a hand delivered letter from the CU(Delivered by an ex Guard) usually means arrears and neighbors talking
Surely there is a breech of DP here ?

I can't see a breech of Data Protection here. The CU has identified that their data is inaccurate (address) and have sought to rectify this by trying to contact your partner at another address which he may have have a connection to, his mother for example may have opened the account with him or gone guarantor on something, the CU may have her address on file due to her own dealings with the bank, if anything the CU have gone above and beyond in trying to update their data.

If you are worried about it the first thing to do would be to do a Subject Access Request on the CU, ask them for all data they hold on your partner, there may be a €6.35 for this, when you review the data you might be able to see a link, if you don't see a link you can ask the CU why they contacted his mother. I remember reading a case study where An Post delivered a letter from a hospital to a neighbour and that wasn't regarded as a data protection breech because the letter was sealed.

You might, and I doubt it but you might, have a claim for a civil case that your standing in the community has been damaged by having a hand delivered letter but I wouldn't think you would have anything to go on.

Clareman

Fred Swanson wrote: »

This post has been deleted.

Why complain to the DPC? Why not complain to the CU first and if you aren't happy with the explanation bring it further, I would imagine the first thing the DPC would say would be to contact the CU.

gctest50

Clareman wrote: »

Why complain to the DPC? Why not complain to the CU first and if you aren't happy with the explanation bring it further, I would imagine the first thing the DPC would say would be to contact the CU.

No - go to the DPC first they might uncover more serious stuff


Don't go the CU first, it might pre-warn them

Ghekko

Clareman wrote: »

I can't see a breech of Data Protection here. The CU has identified that their data is inaccurate (address) and have sought to rectify this by trying to contact your partner at another address which he may have have a connection to, his mother for example may have opened the account with him or gone guarantor on something, the CU may have her address on file due to her own dealings with the bank, if anything the CU have gone above and beyond in trying to update their data.

If you are worried about it the first thing to do would be to do a Subject Access Request on the CU, ask them for all data they hold on your partner, there may be a €6.35 for this, when you review the data you might be able to see a link, if you don't see a link you can ask the CU why they contacted his mother. I remember reading a case study where An Post delivered a letter from a hospital to a neighbour and that wasn't regarded as a data protection breech because the letter was sealed.

You might, and I doubt it but you might, have a claim for a civil case that your standing in the community has been damaged by having a hand delivered letter but I wouldn't think you would have anything to go on.

But the letter was for op, not her partner, so sending it to her partners mother was totally unacceptable. How did the CU even know the relationship or that it was still ongoing? Their action was not professional and I'm sure while they may feel they were being helpful, there are surely more stringent procedures to follow.

Clareman

gctest50 wrote: »

No - go to the DPC first they might uncover more serious stuff

Don't go the CU first, it might pre-warn them

The CU would be a registered financial institution and may also be registered as a Data Controller with the DPC, they wouldn't be able to hide anything so you won't be "pre-warning" them, anyway, the DPC wouldn't be able to do anything, maybe ask a question or at worst perform an audit but the CU would be "pre-warned" about that anyway.

gctest50

Clareman wrote: »

The CU would be a registered financial institution and may also be registered as a Data Controller with the DPC, they wouldn't be able to hide anything so you won't be "pre-warning" them, anyway, the DPC wouldn't be able to do anything, maybe ask a question or at worst perform an audit but the CU would be "pre-warned" about that anyway.

What is behind recent spate of fraud in credit unions?



https://www.irishtimes.com/business/financial-services/what-is-behind-recent-spate-of-fraud-in-credit-unions-1.3086192

Clareman

Ghekko wrote: »

But the letter was for op, not her partner, so sending it to her partners mother was totally unacceptable. How did the CU even know the relationship or that it was still ongoing? Their action was not professional and I'm sure while they may feel they were being helpful, there are surely more stringent procedures to follow.

Oops, I missed that part, I thought it was the partner's letter. I would say that without knowing the information the CU have on the Op it's next to impossible to do anything, for example if the CU know the Op is in a partnership and living with their partner AND they know the partner's mother's address then it is reasonable for them to try to update their records. Delivering a letter to a wrong address isn't a data breech and financial information isn't sensitive information (madness I know) so I don't think the DPC would do anything here.

Neon_Lights

I'm shaking in my breeches

Clareman

gctest50 wrote: »

What is behind recent spate of fraud in credit unions?



https://www.irishtimes.com/business/financial-services/what-is-behind-recent-spate-of-fraud-in-credit-unions-1.3086192

Personally, I don't have an account with a credit union because I wouldn't trust some of the people that work in them with a fiver let alone lots of money but I can't see how there's a data breech in this instance, terrible (or great depending on your point of view) customer service but I can't see a data breech.

Fred Swanson

This post has been deleted.

gctest50

Fred Swanson wrote: »

This is what happens when local busybodies and gossips are running so called financial institutions. They think the laws don't apply to them.

Lots of things that happen would get swept under the carpet because the shady setup is run by the local busybodies and gossip


Some with very sticky fingers indeed :

http://www.newstalk.com/reader/47.301.343/99296/0/


A fourth Irish credit union has revealed that it has had to deal with an employee potentially stealing funds.

St Anthony’s and Claddagh Credit Union (SACU) in Galway refunded some €87,000 to 31 accounts, after the discovery of an incident "involving unauthorised transactions on member accounts by a staff member".

Dandelion6

I can't see how this could not be considered a data breach. The account information is OP's personal data and it was disclosed to a third party without OP's consent.

I don't know what case Clareman is talking about but there are plenty of case studies on the DPC's website where sending post to the wrong address has been found to constitute a breach. The fact that it was in a sealed envelope is irrelevant as they cannot guarantee it would stay sealed.

Clareman

Dandelion6 wrote: »

I can't see how this could not be considered a data breach. The account information is OP's personal data and it was disclosed to a third party without OP's consent.

I don't know what case Clareman is talking about but there are plenty of case studies on the DPC's website where sending post to the wrong address has been found to constitute a breach. The fact that it was in a sealed envelope is irrelevant as they cannot guarantee it would stay sealed.

I don't know how it could be said that personal data was disclosed, there was an attempt to deliver a letter to a different address, there was safeguards put in place to protect the data.

I think this Case Study outlines the Data Contollers responsibility to keep their data up to date whether the Data Subject wants it to be kept up to date or not

https://www.dataprotection.ie/docs/Case-Study-11-97-Direct-Mail-of-Previous-Householder/166.htm

section 2(1)(b) that data "shall be accurate and, where necessary, kept up to date". If a data controller knows that the information he keeps about someone is out of date, he has an obligation to change it whether or not the data subject has asked for this to be done

how the company goes about keeping it up to date is the topic for debate here I think. As an extreme example, a company may keep their membership up to date by tracking death notices from RIP.ie rather than having a data subject requesting their data be updated (then again a dead person doesn't have data protection rights)

lifeandtimes

There is certainly a link there from ops to the partners mother.

I know in my CU that if you apply for a loan or even set up an account they ask do your family have an account with the CU and if they do can you provide details like an account number.

It's possible that ops partners mother set up an account or took a loan or whatever it may be and put her acocunt details in the section that asks this information. Then upon return of the letter the person's who's job it is to find out why it was returned, put ops account number in and this was linked to ops partners mothers account and as such the letter was delivered. Why it was hand delivered im not sure but possible explanation there.

Dampsquid

There was no data breach - you received the letter unopened. It would have been illegal for you partners mother to open the letter. What is your problem? The only leaked information was that you received a letter from the credit union.

Should everyone complain when a delivery guys leaves a parcel with a neighbour?

lifeandtimes

Dampsquid wrote: »

There was no data breach - you received the letter unopened. It would have been illegal for you partners mother to open the letter. What is your problem? The only leaked information was that you received a letter from the credit union.

Should everyone complain when a delivery guys leaves a parcel with a neighbour?

No but unless her account is connected to her partners mother's then its a dp breach. Infact now I think about it, it's ops partners mother data that has been breached "allegaly". If ops letter was sent back to the CU and ops account has no valid connection to the mother this means they went into her account to get her address to deliver the letter.

But I believe it may be more of a case that someone on the local CU saw the returned letter, knew ops relationship and who ops partners mother is and delivered the letter to her

rgace

gctest50 wrote: »

Fred Swanson wrote: »

This is what happens when local busybodies and gossips are running so called financial institutions. They think the laws don't apply to them.

Lots of things that happen would get swept under the carpet because the shady setup is run by the local busybodies and gossip


Some with very sticky fingers indeed :

http://www.newstalk.com/reader/47.301.343/99296/0/


A fourth Irish credit union has revealed that it has had to deal with an employee potentially stealing funds.

St Anthony’s and Claddagh Credit Union (SACU) in Galway refunded some €87,000 to 31 accounts, after the discovery of an incident "involving unauthorised transactions on member accounts by a staff member".

Of course that wasn't swept under the carpet.
I would be very surprised if the same kind of fraud isn't happening in any workplace where staff have access to cash.

dilallio

Has your partner's mother acted as guarantor on a loan you've taken out?

jimd2

lifeandtimes wrote: »

No but unless her account is connected to her partners mother's then its a dp breach. Infact now I think about it, it's ops partners mother data that has been breached "allegaly". If ops letter was sent back to the CU and ops account has no valid connection to the mother this means they went into her account to get her address to deliver the letter.

But I believe it may be more of a case that someone on the local CU saw the returned letter, knew ops relationship and who ops partners mother is and delivered the letter to her

Just replace people with robots everywhere and none of these mistakes will happen.

Op, of course its a mistake and is most likely because you live in a relatively small locality or town where some people know more about others that would be the case in a city. Of course I could be wrong with this but you sometimes need to take the good with the bad in these situations. Living in a smaller town has many advantages but also has disadvantages if someone is particularly sensitive about someone using their initiative (wrongly in this case) but there are other benefits to being known in a local area.

Myself, I would prefer to live in a smaller town where you are known rather than a nondescript suburb where neighbours dont care a dot about you and are can be sometimes downright hostile.

If it was me, I would write a nice letter in to the CU and inform them of the new address and request that, in future, no correspondance be sent to any other than the stated address. I am not sure if expecting them to remember to say it to you when you are in would work but you could request that in the letter.

my3cents

lifeandtimes wrote: »

There is certainly a link there from ops to the partners mother.

I know in my CU that if you apply for a loan or even set up an account they ask do your family have an account with the CU and if they do can you provide details like an account number.

It's possible that ops partners mother set up an account or took a loan or whatever it may be and put her acocunt details in the section that asks this information. Then upon return of the letter the person's who's job it is to find out why it was returned, put ops account number in and this was linked to ops partners mothers account and as such the letter was delivered. Why it was hand delivered im not sure but possible explanation there.

But looking into another persons account to get information on another account is a breach of data protection.

mrslancaster

my3cents wrote: »

But looking into another persons account to get information on another account is a breach of data protection.

genuine question.. what happens when there is a DP breach? is the company fined or something

Clareman

my3cents wrote: »

But looking into another persons account to get information on another account is a breach of data protection.

Well now you are going down an interesting rabbit hole and would be linked to the principle of "4 Safe and Secure" ("The nature of security used may take into account what is available technologically, the cost of implementation and the sensitivity of the data in question.") and "5 Keep it accurate, complete and up-to-date"

Looking at the case here where a letter is needed to be delivered to an account holder, as the CU knows their data is inaccurate. The instructions from the DPC for keeping data accurate is:

To comply with this rule you should ensure that:

your clerical and computer procedures are adequate with appropriate cross-checking to ensure high levels of data accuracy;
the general requirement to keep personal data up-to-date has been fully examined;
appropriate procedures are in place, including periodic review and audit, to ensure that each data item is kept up-to-date.

The fact is that the CU may have clerical procedures to check with known associates of members who they can't contact to get updated information, the procedure doesn't have to even be documented, this would cover the CU in this case I would imagine.

For the safe and secure, the CU has employed a former Guard to hand deliver a document in a sealed envelope addressed to the account holder, I would have thought this would pass the requirements for this piece. On a side note, financial information is not sensitive information under Data Protection.

Clareman

mrslancaster wrote: »

genuine question.. what happens when there is a DP breach? is the company fined or something

At the moment, there would be a fine of ~€500, in extreme cases a company would be ordered to cease processing of information. Data subjects can only "sue" to actual damages. There's a new regulation coming in next May (GDPR) and the fine can be up to 4% of global turnover or €10 million (whichever is larger) for the first offence.

my3cents

Clareman wrote: »

Well now you are going down an interesting rabbit hole and would be linked to the principle of "4 Safe and Secure" ("The nature of security used may take into account what is available technologically, the cost of implementation and the sensitivity of the data in question.") and "5 Keep it accurate, complete and up-to-date"

Looking at the case here where a letter is needed to be delivered to an account holder, as the CU knows their data is inaccurate. The instructions from the DPC for keeping data accurate is:

The fact is that the CU may have clerical procedures to check with known associates of members who they can't contact to get updated information, the procedure doesn't have to even be documented, this would cover the CU in this case I would imagine.

For the safe and secure, the CU has employed a former Guard to hand deliver a document in a sealed envelope addressed to the account holder, I would have thought this would pass the requirements for this piece. On a side note, financial information is not sensitive information under Data Protection.



If the CU didn't perform

Rubbish, safe and secure would have been delivering a document that asked if this was the address of the account holder not sending a third party the account holders account details and a statement.

Clareman

my3cents wrote: »

Rubbish, safe and secure would have been delivering a document that asked if this was the address of the account holder not sending a third party the account holders account details and a statement.

They know the address they have on file is wrong and they didn't send it to a third party, they sent it to another address but still to the Op, that's an important point, if the mother in law decided to open the letter she was committing a crime I think.

Personally, I'd be doing a subject access request to the CU for all the information they have and also I'd be asking why they contacted her partner's mother in law.

Dandelion6

Case Study 15: Allied Irish Banks – postal breaches

Not precisely same situation as OP's but this does contradict the claim some people are making that it wasn't a data breach because it had the OP's name on it and was sent in a sealed envelope.

Dandelion6

Case Study 11: Failure to update customer’s address compromises the confidentiality of personal data

Clareman

Dandelion6 wrote: »

Case Study 15: Allied Irish Banks – postal breaches

Not precisely same situation as OP's but this does contradict the claim some people are making that it wasn't a data breach because it had the OP's name on it and was sent in a sealed envelope.

That case study is to do with the AIB not updating the records in a timely manner, so they aren't keeping it accurate

Dandelion6

Clareman wrote: »

That case study is to do with the AIB not updating the records in a timely manner, so they aren't keeping it accurate

As indicated in the post you are quoting, that wasn't my point.

Clareman

Dandelion6 wrote: »

Case Study 11: Failure to update customer’s address compromises the confidentiality of personal data

But the Op didn't request for their information to be updated. I think the important thing to find out at this point is to find out the conversation by the delivery person and the mother in law, if it was a case of just throwing a letter in the letterbox then there would be concerns but if it was a case of "Does your son still go out with/married/whatever with piplip87?" and then asking "where do they live" or "will you give her this?"

The important fact here is the Op didn't update their records with the CU and the CU are trying to update their records.

Dandelion6

I think this is key from the second of those case studies:

"The Commissioner also formed the opinion that AIB contravened Section 2(1)(d) by failing to take appropriate security measures against unauthorised access to the complainant’s personal data by sending correspondence by post and by hand delivery to an address at which he no longer resided, while knowing that this was no longer his residential address."

In OP's case the Credit Union sent correspondence to an address that it knew OP did not reside at. That is the issue, that's what makes it a data breach.

Dandelion6

Clareman wrote: »

But the Op didn't request for their information to be updated. I think the important thing to find out at this point is to find out the conversation by the delivery person and the mother in law, if it was a case of just throwing a letter in the letterbox then there would be concerns but if it was a case of "Does your son still go out with/married/whatever with piplip87?" and then asking "where do they live" or "will you give her this?"

The important fact here is the Op didn't update their records with the CU and the CU are trying to update their records.

But they aren't entitled to try to update their records by giving OP's personal data to a third party. They could have asked MIL for a new address or asked MIL to let OP know to contact them with the new address.

Clareman

Dandelion6 wrote: »

I think this is key from the second of those case studies:

"The Commissioner also formed the opinion that AIB contravened Section 2(1)(d) by failing to take appropriate security measures against unauthorised access to the complainant’s personal data by sending correspondence by post and by hand delivery to an address at which he no longer resided, while knowing that this was no longer his residential address."

In OP's case the Credit Union sent correspondence to an address that it knew OP did not reside at. That is the issue, that's what makes it a data breach.

It all depends on how the attempted delivery went, in my opinion it's not a data breach but the AIB is because of repeated attempts of the user to update their records

Clareman

Dandelion6 wrote: »

But they aren't entitled to try to update their records by giving OP's personal data to a third party. They could have asked MIL for a new address or asked MIL to let OP know to contact them with the new address.

Again, it depends on how the attempted delivery went. Companies are entitled to link to third party systems to update records, for example companies can update their addresses databases by cross referencing with an Eircode database.

brian_t

Dampsquid wrote: »

It would have been illegal for you partners mother to open the letter.

Lots of people open their post without checking the name and address on the envelope.

It would only be a crime if she intentionally opened the letter knowing it had not been addressed to her.


Always better to check first.

Sam Quentin

brian_t wrote: »

Lots of people open their post without checking the name and address on the envelope.

It would only be a crime if she intentionally opened the letter knowing it had not been addressed to her.

Lots of people open their post without checking the name and address. REALLY!?

Dandelion6

Clareman wrote: »

Again, it depends on how the attempted delivery went. Companies are entitled to link to third party systems to update records, for example companies can update their addresses databases by cross referencing with an Eircode database.

There is legislation specifically setting out such use of Eircode as a legitimate form of data processing. By no means does this amount to a free-for-all for companies to update their records through data-sharing with third parties.