former employer passed my personal details to a debt collection company

LegacyUser

My former employer passed my details to a debt collection company without informing me.

Can I make a complaint to a data protection commission?

Penny Tration

Well, did you owe your former employer a debt? If you do owe them money, there may be little you can do.


If you don't owe them anything, you could get in touch with the Data protection commissioner and ask about the situation.

LegacyUser

O.P. here Yes, I owe them money and I have started paying it. There was a delay in commencing to pay the money because I needed to get it looked over, I informed them of this, I then got back in touch with them to say that everything checked out and I was happy to move forward. I asked them to send me more details i.e. should I back pay the amount? when did they want the new commencement date to be? etc., they ignored my emails and my pleas for them to take care of this and let me know the arrangements. Next thing I know I am receiving letters and emails from a 'credit management' firm which is too nice a title for such a company in my book.

My question is more about them passing my personal information to a third party without informing me that they were going to do this.

Stheno

Companies seeking to recover debts do this all the time they don't have to inform you.

testicles

This post has been deleted.

Stheno

testicles wrote: »

They have to inform you when you sign up about data sharing and you must consent. I've never seen data sharing in an employment contract though.

U
Ah didn't think of that. Best thing for IP so is to contact the data protection commissioner

Irish_Elect_Eng

From the Data Protection FAQ.

1.17 My personal information has been passed to a debt collection agency?


The provision of personal details to a debt collection agency to pursue a debt of behalf of a business does not give rise to any data protection concerns provided an acceptable data protection contract was in place between the two entities. For instance the debt collection agency would only be able to use the data provided for the purpose of pursuing the debt. This Office would consider it good practice in any case to highlight the possible use of a debt collection agency in a "terms and conditions" document.


The sale of a "book" of debts by an entity to a debt collection company will not likely give rise to data protection concerns provided the entity tells its customers that it is doing so either at the time of the sale or very clearly in the original "terms and conditions".

Case Study:

CASE STUDY 7/99
Debt collection service - acting on behalf of hospital - whether data had been "disclosed" for purposes of Data Protection Act - whether debt-collecting agency is entitled to build database of debtors

The two complaints in this case study arose from the actions of a hospital and a debt collection company. The first complainant, an elderly man, attended the hospital on a number of occasions for medical treatment. The hospital subsequently sent him a bill for the treatment. He paid some of the outstanding amount, but he did not pay the full amount straight away. After a period, he was contacted at home on his unlisted telephone number by a debt collection service. The debt collection service said it was acting to recover the hospital's money. The second complaint was from a young college student who had attended the same hospital and had been written to by the same debt collection service in similar circumstances. The agency wrote to the complainant in the following terms -

If within 48 HOURS our client has not received payment, we will be given full instructions on the accounts. I would point out that once we have been instructed your name will be placed on our CREDIT INFORMATION BUREAU. This could affect your ability to obtain credit and loans from other companies.

The first complainant was concerned that his personal details - including his unlisted telephone number - had been passed by the hospital to a third party, and he felt that this contravened the Act. The second complainant was very concerned that "they will put me on a black list".

Section 2(1)(c) of the Data Protection Act provides inter alia that personal data -

(i) shall be kept only for one or more specified and lawful purposes, [and]

(ii) shall not be used or disclosed in any manner incompatible with that purpose or those purposes.

Section 1 of the Act defines "disclosure" in the following terms -

"disclosure", in relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties ... .

From my investigation of the case, I established that the debt collection service was retained by the hospital as its agent for the purpose of collecting outstanding moneys. I determined that the relationship between the hospital and the debt collection service was a bona fide principal-agent relationship, in that: (i) there was a formal contractual relationship in place between the hospital and the debt collection service; (ii) the contract made clear that the hospital retained control over the personal records in question; and (iii) the debt collection service was not permitted to retain the personal data for longer than necessary for the purpose of collecting the debt. Accordingly, I concluded that the Data Protection Act did not preclude the hospital from passing personal data, including patients' telephone numbers held by the hospital, to the debt collection agency.

On the question of the retention of personal details on the debt collection agency's files, my Office had detailed discussions with the debt collection agency. It was pointed out that the agency had no entitlement to retain personal details regarding the hospital's patients, and that it certainly had no entitlement to use these details to create a credit reference "blacklist". The agency explained that the language it used on its correspondence with debtors was designed to put maximum pressure on the debtors to pay what they owed. However, I pointed out my view that it is not permissible for a debt collection agency, or indeed for any data controller, to misrepresent the purpose for which it keeps personal data, in order to put people under pressure to behave in a certain way. As a result of these discussions, the debt collection agency agreed to reword its letters so as to avoid any misrepresentation of what it is entitled to do with personal data it keeps as agent of the hospital. The managing director wrote to the complainants apologising for any inconvenience or distress caused, and confirming that the information had not been made available to any third party.