Do you know who keeps Data on you? Where it is kept? And who can access it?
The vast majority of people are aware that personal, often sensitive, data about them is retained by a number of organisations. The steady move towards online shopping, amplified by the global lockdown, has resulted in a far greater number of people adding even more personal data to the mass of data already circulating.
In a recent survey, individuals considerably underestimated the number of commercial enterprises that hold personal data on them with a view to making it available to others. Most people who responded to the survey believed that their data was held on up to twenty data sources whereas it is closer to fifty.
There are a variety of reasons that data is collected and sold on, for example, most people are aware that financial organisations, such as mortgage providers, access the credit rating of proposed borrowers via organisations such as Experion UK, Transunion and Equifax. The need to establish the credibility of an individual before making a large loan is recognised and goes without question.
It is not so widely recognised however that there are other organisations that collect data involving such information as arrests, criminal records and associations with perceived risky organisations such as those linked to terrorism. Individuals with an unblemished record may consider that they have nothing to worry about but that may not be entirely true. The opportunity for error is high. Misinformation can and does have a serious impact. The best case is that it can be extremely hard to expunge from your record, but is eventually achievable; the worst case is that you are regarded as a potential criminal or terrorist without even being aware that such highly damaging information is held against your name.
Khizar Arif, a partner, commented “Personal information is inextricably bound to reputation and inaccurate information can cause enormous damage and have significant impact on the life of an individual.” He further commented “the fact that personal data must be treated as confidential by all parties, works against a person trying to find out what information is actually held against their name.”
Inaccurate and erroneous data entry is an issue that is difficult to avoid. The bottom line is that, despite all efforts to make systems failsafe, human beings are dealing and inputting data into scores of systems and one small error can be round the globe in far less than 40 minutes. Correcting misinformation is a much harder battle. First, you have to know that misinformation is held against your name and this may not be obvious as you may never know why some opportunities faded away or that it was due to incorrect data.
Incorrect information has the potential to cause very real and immediate harm to a person depending on the individual’s situation.
A lady in her nineties, living alone in poor health, was the target of an armed police crack of dawn raid and only the extensive pleadings of her horrified neighbours, who, to their shock, had seen the large numbers of armed police gathered in and around the lady’s front garden and about to crash through her front door, prevented them breaking down her front door and charging into the house.
Eventually, the far from convinced, lead police officer decided to knock on her door as opposed to breaking it down, whereupon the sight of armed police wearing body armour terrified the elderly lady into temporary speechlessness and breathing difficulties, leaving her unable to answer any of the questions that were immediately put to her.
The error, it transpired, was caused by incorrect data. Three years previously a police officer had called at her house only to discover that the person they were seeking lived in the same road but had a different door number. Apologies were made at the time and promises were made to correct the record, which obviously did not happen.
After such a double blunder the lady was never troubled again. In this instance, other than a terrifying experience which left her seriously shaken, that was the only consequence of the data error.
Clearly there is a need to ensure that certain individuals, who have, perhaps, been involved with criminal activities, are monitored or restricted regarding their future activities in certain circumstances. However, what if you are erroneously identified as a criminal?
A former inmate of Guantanamo Bay who was subsequently recognised as innocent and released discovered that a global data provider illegally held data against his name for several years that identified him as a terrorist.
Whilst the incorrect assertion remained visible the victim suffered a number of detriments including having numerous bank accounts summarily closed and subsequently being unable to access banking facilities. The data provider in question is a prominent global organisation used by banks and financial institutions in their due diligence procedures.
The victim pointed to a number of breaches over and above the fact that he was listed as a terrorist, including alleging that he had been acquitted on a charge of terrorism, whereas he was never even charged; and that he was extradited to the UK, whereas he was in fact repatriated. Also, as the data provider is a worldwide organisation, he believes that inaccurate information may have been transferred outside the EEA illegally. The victim’s attempts to remedy the errors he had uncovered by removal of the inaccurate data were refused by the data provider.
The victim had to resort to the High Court for remedies including an apology and compensation for the breaches against his name. Regrettably, this is not the first time the same data provider had to pay compensation for data breaches alleging terrorism. In this instance the consequences were serious and far-reaching.
So how do you know if inaccurate data is being held against your name and how do you remedy it? Often the realisation that damaging data that does not apply to you is held against your name is unravelled almost as part of a jigsaw puzzle:
- Too many rejected job applications,
- Or job offers extended and suddenly withdrawn,
- Sudden bank account closures without explanation,
- Memberships rejected,
- Employment abruptly terminated or
- Inexplicable hate mail or trolling.
The first port of call is the Information Commissioner’s Office (ICO) . The right to rectification under The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (UK GDPR) which applies following Brexit. An application to the data controller in the organisation that holds your data for the removal of incorrect information must be responded to within one month. Giambrone’s expert data protection and defamation lawyers can provide comprehensive guidance as to how to put right data breaches and obtain compensation for such breaches.