Data Theft Dating – What is that? Guest post from Emma Green at Cyber Data

Recently I was invited on to Naga Munchetty’s radio programme on Radio 5 Live to discuss the subject of data theft dating.

What on earth is that, I hear you cry! Here are a couple of examples. A guest checks into a hotel and the receptionist uses the guest’s contact details to ask if they are single or would like to go on a date. Or someone orders a pizza and the delivery person starts bombarding them with personal texts and, in some cases, adult-orientated selfies, if you get my drift! I was invited on the radio programme as an expert to help listeners understand why, from a data protection perspective, it’s not ok to do this and the possible implications (never mind the moral and safeguarding concerns).

Your firm will be collecting and processing personal data, and under the UK GDPR and Data Protection Act 2018 there are a number of things you must do to protect that personal data and ensure you are processing it in accordance with the law. Not least, you must ensure that personal data within your control is safe, secure, not kept for longer than is necessary and used for the purpose it was collected for.

Why is this a data protection issue? Your firm is likely a controller of the personal data, which would have been collected for a specific reason, as in the examples above: checking into a hotel or ordering a pizza delivery. This means the personal data cannot then be used for a different purpose, such as asking someone out on a date, as this is a breach of the law.

Ok then, should one of your employees go rogue, where do you stand? Well, it depends!

For those not aware, the case of Wm Morrisons Supermarket plc v Various Claimants [2020] UKSC 12 plays a big part in putting this into context. For background, a senior internal auditor went rogue after being disciplined. Holding a grudge, and as revenge for his telling off, he took the personal data of 100k+ employees and splattered it all over the dark web. Nothing happened, so in a fit of pique he anonymously provided the personal data to a number of local newspapers surrounding Morrisons HQ in Bradford.

Suspicions arose and a subsequent investigation led to this particular employee being incarcerated for 8 years for Data Protection and Computer Misuse Act offences. Interestingly, an investigation by the Information Commissioner’s Office (ICO) concluded that Morrisons had done all they could and took no further action. In other words, Morrisons did have technical and organisational measures (policies, procedures, training etc.) in place and therefore could not have prevented this rogue employee’s actions.

The reason this case was so huge was the subsequent group action against Morrisons for vicarious liability, the tort of misuse of private information and the equitable remedy of breach of confidence. Spoiler alert: Morrisons won and they didn’t have to pay out compensation.

The point here is that you need to ensure you have appropriate measures in place to demonstrate you’ve done all you can; this includes privacy frameworks and training. I often hear people say they had no idea one couldn’t use contact details for a different purpose, e.g. dating. This is down to lack of training.

So what should you do?

As an employer – ensure you take data protection seriously; no matter how small you are, you must comply. Training your staff is one thing you can do to educate them. If you don’t, and you are investigated by the ICO, you may not have done all you can and may find yourself in a heap of trouble.

As a victim – should your personal data be used as described above, respond to the perpetrator making it clear that their advances are very much unwelcome, that they are to stop contacting you immediately and that they must delete your number/details. Make a complaint to the company you provided your details to and make a complaint to the ICO. If you have any concerns for your safety, contact the police.

To learn more about Cyber Data you can contact Emma Green at Cyber Data here.