Anyone have DPA knowledge?


TooMany2cvs

29,008 posts

126 months

Thursday 14th August 2014
Eleven said:
It's also out of date and was only provided for a specific purpose. That purpose being other than what it is currently being used for.
If it's out of date - ie, you've moved - then there's no problem, right?

But it doesn't matter what the purpose was. It's in the public domain. Horse. Stable. Door. Bolt.

Steffan

10,362 posts

228 months

Thursday 14th August 2014
Eleven said:
Answers below in caps for clarity, I'm not shouting.


used fairly and lawfully - was consent given for them to have this information in the first place?

I SUSPECT THEY GOT THE INFO FROM COMPANIES HOUSE. I MUST BRIEFLY HAVE BEEN A DIRECTOR REGISTERED AT THE ADDRESS.

used for limited, specifically stated purposes - if consent was given, for what stated purpose was it, and have they exceeded that?

I WOULD HAVE GIVEN IT BECAUSE I WAS LEGALLY REQUIRED TO AT THE TIME.

used in a way that is adequate, relevant and not excessive - is this excessive use, again, what initial consent was there?

IT COULD ONLY HAVE BEEN COMPANIES HOUSE. I NEVER GIVE OUT MY PERSONAL ADDRESS AND I HAVE ALWAYS OPTED OUT OF THE ELECTORAL ROLL (PUBLIC)

accurate - I think we can assume that it is at least accurate otherwise you wouldn't have a complaint

kept for no longer than is absolutely necessary - again, what was the initial purpose for this information, do they still have a legitimate reason for keeping it?

THEY HAVE NEVER BEEN GIVEN IT, THEY MUST HAVE HAD IT FROM COMPANIES HOUSE.

handled according to people’s data protection rights - if it is marketing related, you do have a legal right to request its deletion.

IT WOULD SEEM TO BE IN USE TO DRAW PEOPLE TO THE SITE TO SELL THEM MORE DATA.

kept safe and secure - err, Hell no if it's on a public web page.

IT IS NOT BEING KEPT SAFE AND SECURE.

not transferred outside the UK without adequate protection - again, it's on a web page, so you could argue that if it is browsed outside the UK, it has effectively been transferred without adequate protection.

QUITE

If you can ascertain an address, send a letter (recorded delivery) stating which parts of the DPA you believe them to have violated, and indicate that you have the ICO involved. A colleague has just got his information corrected and a few £100 'good will' out of a utilities company using this approach.

THIS OUTFIT OPERATES OUT OF A NEW BUILD HOUSING ESTATE IN (AS I RECALL) BOLTON. I THINK THE OWNER IS A PRIVATE DETECTIVE WHO HAS DECIDED TO BRANCH OUT BY PIMPING PEOPLE'S PERSONAL DETAILS.

Good luck,

Mick
I regularly recommend not recording home addresses on Companies House. There are provisions that allow alternatives. Sadly CH has become as much of a nuisance as advertising your address in the paper. Best avoided. Regrettably identity theft and Internet stupidity and the scam business have consequences one of which is being aware how information can be genuinely provided but from that point...... Better to be safe .....

HenryJM

6,315 posts

129 months

Friday 15th August 2014
There are a lot of misconceptions about data protection. Largely all it does is require people to register what they will do with data (and that can be pretty loose) as opposed to preventing them from doing it.

It's also overrated what people can do with data to the extent that people shred letters with their address on it, why? That is public domain information. Even your medical details is "so what?" Information really.

The rest of the world really doesn't have this, in the USA it's believed that it's a first amendment right to know this stuff, there is no privacy legislation worth talking about at all. That impacts on the design of computer systems to store personal data, many of which are not really secure at all because it's just not the priority to people outside the UK and, to some extent, EU. That's why the payment card industry has brought in their own data security standard that you have to adhere to, done for card details because it costs them money if that goes wrong, but not done to secure personal details.

Anyway, I'm straying, but personally I'd not worry about it, the data will be in a myriad of different places.

Eleven

Original Poster:

26,271 posts

222 months

Friday 15th August 2014
Steffan said:
I regularly recommend not recording home addresses on Companies House. There are provisions that allow alternatives. Sadly CH has become as much of a nuisance as advertising your address in the paper. Best avoided. Regrettably identity theft and Internet stupidity and the scam business have consequences one of which is being aware how information can be genuinely provided but from that point...... Better to be safe .....
It used to be mandatory for directors. It's only been more recent that a service address could be used.

anonymous-user

54 months

Friday 15th August 2014
HenryJM said:
There are a lot of misconceptions about data protection. Largely all it does is require people to register what they will do with data (and that can be pretty loose) as opposed to preventing them from doing it.

It's also overrated what people can do with data to the extent that people shred letters with their address on it, why? That is public domain information. Even your medical details is "so what?" Information really.

The rest of the world really doesn't have this, in the USA it's believed that it's a first amendment right to know this stuff, there is no privacy legislation worth talking about at all. That impacts on the design of computer systems to store personal data, many of which are not really secure at all because it's just not the priority to people outside the UK and, to some extent, EU. That's why the payment card industry has brought in their own data security standard that you have to adhere to, done for card details because it costs them money if that goes wrong, but not done to secure personal details.

Anyway, I'm straying, but personally I'd not worry about it, the data will be in a myriad of different places.
Henry talks good sense. Data protection law is particularly misunderstood by banks, service providers etc, and hence those stupid conversations when they call you but want you to provide lots of info before they will tell you why they have called. This is based on misreading the DPA.

Subject to a rather daft and practically unenforceable recent ECJ ruling about the so-called right to be forgotten, you can't rewrite history, and public domain info remains in the public domain.

Absurd misreadings of data protection can lead to ridiculous outcomes such as this one: a lawyer mentioned on his website that he had acted in a particular case. The case had been heard in public and is reported in major law report series, available on free websites etc. A stupid ombudsman nonetheless said that the lawyer should pay compensation to the client who objected to having his name mentioned. It's not me, by the way, but the ruling is to be challenged with the backing of the professional body, as it's plainly bonkers.

Eleven

Original Poster:

26,271 posts

222 months

Friday 15th August 2014
Breadvan72 said:
Henry talks good sense. Data protection law is particularly misunderstood by banks, service providers etc, and hence those stupid conversations when they call you but want you to provide lots of info before they will tell you why they have called. This is based on misreading the DPA.

Subject to a rather daft and practically unenforceable recent ECJ ruling about the so-called right to be forgotten, you can't rewrite history, and public domain info remains in the public domain.

Absurd misreadings of data protection can lead to ridiculous outcomes such as this one: a lawyer mentioned on his website that he had acted in a particular case. The case had been heard in public and is reported in major law report series, available on free websites etc. A stupid ombudsman nonetheless said that the lawyer should pay compensation to the client who objected to having his name mentioned. It's not me, by the way, but the ruling is to be challenged with the backing of the professional body, as it's plainly bonkers.
I can see merit in that complaint on a common sense basis. The subject provided information because he or she was obliged to do so for a specific legal purpose. Why should a solicitor then be able to use that information for marketing purposes?

You have an opinion about how concerned individuals should be about how their data is used. It is not an opinion shared by everyone.




anonymous-user

54 months

Friday 15th August 2014
You are spectacularly missing the point. The lawyer was reporting a public fact. A case happened. It was held in public. The parties to it and its outcome are part of the public record. Data protection has no application at all in that scenario. Trying to conceal history is rather Stalinist, don't you think?

Edited by anonymous-user on Friday 15th August 08:33

IainT

10,040 posts

238 months

Friday 15th August 2014
Breadvan72 said:
Data protection law is particularly misunderstood by banks, service providers etc,
...then there are areas with far stricter regulation over handling of data. I work in Pharma and some of the rules we're bound by are challenging when trying to get the most out of our data.

It's important to understand that the DPA isn't without teeth - my wife's company recently got a severe telling off for misuse of personal data trying to track down a client - an employee acting with good intentions using information they had to hand. Had the ICO judged their misuse to be more severe and serial rather than a one-off mistake the fines they were liable to were significant.

will_

6,027 posts

203 months

Friday 15th August 2014
Breadvan72 said:
You are spectacularly missing the point. The lawyer was reporting a public fact. A case happened. It was held in public. The parties to it and its outcome are part of the public record. Data protection has no application at all in that scenario. Trying to conceal history is rather Stalinist, don't you think?

Edited by Breadvan72 on Friday 15th August 08:33
Was it also reported that the lawyer had acted in the case? Or was that not an aspect of the complaint?

anonymous-user

54 months

Friday 15th August 2014
That is also part of the public record. The client's absurd complaint was about the lawyer citing the public record on his website. The ombudsman found that the lawyer had done nothing wrong, but should pay the client some money because the client was upset. Loony tunes.

HenryJM

6,315 posts

129 months

Friday 15th August 2014
I think one of the things that people miss with law is that it matters not one iota what you think it should be. It only matters what it is. You may want something to be against the law, it may cry out for it to be so, but so what? All that matters (unless you are going into campaigning) is what it is and how it is interpreted.

So it matters not one jot whether you want someone to do something with your data, there is no relevance whatsoever if you think it is wrong, all that matters is whether it is actually contrary to legislation or not.

Eleven

Original Poster:

26,271 posts

222 months

Friday 15th August 2014
HenryJM said:
I think one of the things that people miss with law is that it matters not one iota what you think it should be. It only matters what it is. You may want something to be against the law, it may cry out for it to be so, but so what? All that matters (unless you are going into campaigning) is what it is and how it is interpreted.

So it matters not one jot whether you want someone to do something with your data, there is no relevance whatsoever if you think it is wrong, all that matters is whether it is actually contrary to legislation or not.
Couple of things there.

The second principle of data protection is:

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

If I am correct, the data was provided to Companies House for use in connection with a limited company of which I was a director. It is being used to market the services of a people locator. In my view the current use is incompatible with the reason for which the data was provided.

Secondly, S10 of the DPA says:

10 Right to prevent processing likely to cause damage or distress. E+W+S+N.I.
(1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—
(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and
(b) that damage or distress is or would be unwarranted.

I have made it clear to the data controller why the data being used this way is likely to cause distress. I did this in writing. He has refused to remove it.

As far as I am aware the law is on my side. But then I am not a lawyer.



HenryJM

6,315 posts

129 months

Friday 15th August 2014
Eleven said:
HenryJM said:
I think one of the things that people miss with law is that it matters not one iota what you think it should be. It only matters what it is. You may want something to be against the law, it may cry out for it to be so, but so what? All that matters (unless you are going into campaigning) is what it is and how it is interpreted.

So it matters not one jot whether you want someone to do something with your data, there is no relevance whatsoever if you think it is wrong, all that matters is whether it is actually contrary to legislation or not.
Couple of things there.

The second principle of data protection is:

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

If I am correct, the data was provided to Companies House for use in connection with a limited company of which I was a director. It is being used to market the services of a people locator. In my view the current use is incompatible with the reason for which the data was provided.

Secondly, S10 of the DPA says:

10 Right to prevent processing likely to cause damage or distress. E+W+S+N.I.
(1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—
(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and
(b) that damage or distress is or would be unwarranted.

I have made it clear to the data controller why the data being used this way is likely to cause distress. I did this in writing. He has refused to remove it.

As far as I am aware the law is on my side. But then I am not a lawyer.
I am not a lawyer, I provide software and databases that handle personal data. Our customers are ones that would take your request and honour it.

In this case they are obviously not like that, as I read it they are primarily hiding behind 7(3):

Where a data controller—
(a) reasonably requires further information in order to satisfy himself as to the identity of the person making a request under this section and to locate the information which that person seeks, and
(b) has informed him of that requirement,
the data controller is not obliged to comply with the request unless he is supplied with that further information.

The difficulty is that your recourse is to court and/or the ICO. At court it's a lot of hassle and cost for the verdict of them ordering them to take it down. With the ICO it's slow wheels grinding on something that probably won't excite them too much. So they'll get to it eventually.

Eleven

Original Poster:

26,271 posts

222 months

Friday 15th August 2014
HenryJM said:
Eleven said:
HenryJM said:
I think one of the things that people miss with law is that it matters not one iota what you think it should be. It only matters what it is. You may want something to be against the law, it may cry out for it to be so, but so what? All that matters (unless you are going into campaigning) is what it is and how it is interpreted.

So it matters not one jot whether you want someone to do something with your data, there is no relevance whatsoever if you think it is wrong, all that matters is whether it is actually contrary to legislation or not.
Couple of things there.

The second principle of data protection is:

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

If I am correct, the data was provided to Companies House for use in connection with a limited company of which I was a director. It is being used to market the services of a people locator. In my view the current use is incompatible with the reason for which the data was provided.

Secondly, S10 of the DPA says:

10 Right to prevent processing likely to cause damage or distress. E+W+S+N.I.
(1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—
(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and
(b) that damage or distress is or would be unwarranted.

I have made it clear to the data controller why the data being used this way is likely to cause distress. I did this in writing. He has refused to remove it.

As far as I am aware the law is on my side. But then I am not a lawyer.
I am not a lawyer, I provide software and databases that handle personal data. Our customers are ones that would take your request and honour it.

In this case they are obviously not like that, as I read it they are primarily hiding behind 7(3):

Where a data controller—
(a) reasonably requires further information in order to satisfy himself as to the identity of the person making a request under this section and to locate the information which that person seeks, and
(b) has informed him of that requirement,
the data controller is not obliged to comply with the request unless he is supplied with that further information.

The difficulty is that your recourse is to court and/or the ICO. At court it's a lot of hassle and cost for the verdict of them ordering them to take it down. With the ICO it's slow wheels grinding on something that probably won't excite them too much. So they'll get to it eventually.
As I mentioned in my OP, the data controller was asking for more information than he required to identify me. Almost certainly because that data has value to him.

Having stated that he couldn't identify the data subject (me) he has then updated the record on his site to say that I am at the address as of yesterday. If he cannot identify me as the data subject he should not be updating the record.



HenryJM

6,315 posts

129 months

Friday 15th August 2014
Eleven said:
As I mentioned in my OP, the data controller was asking for more information than he required to identify me. Almost certainly because that data has value to him.

Having stated that he couldn't identify the data subject (me) he has then updated the record on his site to say that I am at the address as of yesterday. If he cannot identify me as the data subject he should not be updating the record.
No he shouldn't, he certainly sounds out of line but I think the problem is that the means of doing anything about it are potentially slow and/or expensive.

Piersman2

6,597 posts

199 months

Friday 15th August 2014
Not the thread content I was expecting! grumpy

getmecoat

dredge

197 posts

214 months

Friday 15th August 2014
You could ask Google to remove that website from the results that appear when someone searches for your name:

https://support.google.com/legal/contact/lr_eudpa?...

The information would still be there and certainly visible via other search engines, and indeed Google outside of the EU. You might consider it better than nothing, if other options aren't available.

As I understand it, Google would inform the website in question that they have removed that specific result, so they would certainly know you were behind it. That could either be good or bad.

Eleven

Original Poster:

26,271 posts

222 months

Friday 15th August 2014
dredge said:
You could ask Google to remove that website from the results that appear when someone searches for your name:

https://support.google.com/legal/contact/lr_eudpa?...

The information would still be there and certainly visible via other search engines, and indeed Google outside of the EU. You might consider it better than nothing, if other options aren't available.

As I understand it, Google would inform the website in question that they have removed that specific result, so they would certainly know you were behind it. That could either be good or bad.
Thanks Dredge, I knew that existed but couldn't find it! I have submitted a request.

The ICO seem pretty helpful and have asked that I call them on Monday when my case will be on their system.



Mr2Mike

20,143 posts

255 months

Friday 15th August 2014
Piersman2 said:
Not the thread content I was expecting! grumpy

getmecoat
Which of the hundred or so meanings of the "DPA" acronym were you expecting? smile

Piersman2

6,597 posts

199 months

Friday 15th August 2014
Mr2Mike said:
Piersman2 said:
Not the thread content I was expecting! grumpy

getmecoat
Which of the hundred or so meanings of the "DPA" acronym were you expecting? smile
Arrggghhh st... porn acronym dyslexia. paperbag Ignore me. smile