re: Cost on Contract by Vishal Vashisht
The DPA permits victims of breaches to take the offending company to court and litigate for damages providing damage can be shown. Damage does not have to be monetry it can also be psychological - so it is arguable that receiving calls several times a day can cause undue stress, but there would probably need to be logs of calls.
Let me further add that I am incredibly disappointed with the tone of this article and as someone who spends the vast majority of his time defending consumers privacy rights I am incredibly disappointed with Bill's reporting on this issue.
The misuse of personal data in the UK is a very significant problem that causes 100s of thousands of people a great deal of stress on a daily basis - for example, just yesterday we received a scam call at 5am in the morning and I know we are not alone with this problem. But more importantly our personal data is protected under law - and with the Lisbon Treaty going through Data Privacy will soon be a fundamental right on par with the European Convention on Human Rights and for good reasons which should be common sense for anyone who has been following the privacy debate over the past 20+ years.
Also, the media, ICO and T-Mobile are using their staff as a scapegoat. We need to remember that actually under the Data Protection Act it is the duty of the Data Controller to ensure that sufficient safeguards and security are in place to prevent the misuse of personal data within the organisation - a point which has clearly been missed in all the reporting on this issue so far. T-Mobile obviously did not have sufficient safeguards in place otherwise this breach would not have happened in the first place - and under the DPA it is ultimately the company and the data controller who are liable - not the staff. T-Mobile are reported as saying they take Data Security very seriously - well obviously not seriously enough!
Furthermore, this practise of selling personal data to data brokers is systemic to the entire commercial arena (not just telecoms) and I find it astonishing that ICO seem to only just be recognising that - this breach came as a surprise to no-one who has even the slightest interest in consumer rights.
Should there be custodial sentences and larger fines (1 million Euros are already being discussed within Europe and £500 000 was recently discussed in the UK) damn right there should be. We live in one of the least privacy conscious countries in the entire world and pretty much top the surveillance league table of all developed western states and rank in the top 5 on a global scale. It is about time our fundamental rights to privacy were upheld and without substantial penalties to do that there is no deterrant.
For years we have been complaining that ICO have no enforcement powers so I am dismayed to see anyone criticize ICO for using whatever weapon they have in their arsenal to increase their enforcement powers. Last week I spoke at the BEUC Forums 2009 conference in Brussels - the focus of the event was Consumer Privacy and Behavioural Advertising and the resounding message which came out of the event was an utter lack of enforcement despite there being reasonably strong legislation throughout Europe to protect the privacy rights of the citizen.
Everyone should be aware that the Telecoms Reform Package (which is about to go through Europe) makes the reporting of data breaches compulsory for the telecoms industry - so in future don't be surprised to see more of this type of news hitting the press.
To sum up, ultimately it is T-Mobile whom are both responsible and liable for this breach and yes consumers do have an option to seek remedy throgh the courts and I would seriously suggest that if they have evidence of damage that they take the steps outlined in the DPA to take T-Mobile to court - if for no other reason than to send a clear message to the sector as a whole that these breaches are unacceptable and will carry consequences.
This is a personal statement by me and whereas it probably matches the opinions of my colleagues it is not an official statement on behalf of Privacy International.