Our workshop supervisor discovered a supplier’s delivery driver writing down the registration numbers of the vehicles we are repairing. When we asked him what he was doing he said that it was part of his duties to record a number of registration numbers each week for his employer.
Over recent weeks we have had a number of mysterious data leaks with customers complaining that we have leaked their data which we have not, could this be our data leak?
What can we do?
You have posed two questions, ‘is this the data leak?’ and ‘what can you do?’
Dealing with second question first ‘what can we do?’
The supplier’s delivery driver is in/on your premises when he is recording this information, and you have the right to reasonably control what takes place in/on you premises. Therefore, you can instruct the delivery driver to stop recording registration numbers otherwise he will be refused entry to the premises.
You should also contact the supplier and arrange to meet with them to discuss the recording of registration numbers. You need to identify whether the driver is following the instructions of his employer or acting on his own behalf.
When you meet with the supplier explain your concerns and instruct them to notify their employees not to record data from your premises unless they have your written permission to do so. If the supplier refuses, which is unlikely, transfer your business to another supplier.
If you still wish to use the supplier and you have concerns regarding the collection of data from your premises, then instruct the delivery driver to visit reception first before he unloads. Instruct your employees not to unload the delivery driver unless he has reported to reception. Once he reports to reception someone can be tasked with monitoring the unloading and conduct of the delivery driver.
Whether this is your data leak is an entirely different question; however, it is unlikely that a delivery driver collecting registration numbers alone is a breach of data protection law.
The Data Protection Act 1998 protects and regulates the processing of personal data and introduces 8 pdf Data Protection Principles (29 KB) .
Personal data means data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Given the fact that the registration number alone does not identify the owner/driver of the vehicle, and that standing on a road this information could be collected, it is unlikely that recording registration numbers is your leak.
However, this information may contribute to your leak if it is used with other data, for example, if your supplier is a franchised dealer they may have access to customer details that purchased the vehicle. In reality, if the supplier is a franchise dealer the parts are probably ordered by confirming the registration or chassis number, therefore the supplier is likely to already have this data.
It is unlikely that the supplier is your leak but with any good fault finding technique once you have identified a potential weakness you should ensure that weakness is dealt with and move on to the next suspected area.
Whilst you are considering the possibility of data leaks from the workshop area, it would be sensible to review what data is provided to the workshop and whether they need ‘everything’ regarding the repair to that vehicle in the ‘job pack’.
How likely is it that your employees will leave customers' details contained in the ‘job pack’ on the windscreen of the vehicle? If this is happening then this could potentially be your leak. Review what information your technicians need and only give them the minimum amount removing any unnecessary personal customer details
You are fortunate that the delivery driver was writing registration numbers down and you were able to notice this. With today’s technology it would be pretty simple for someone to record these details on a phone or £10 spy pen from eBay and you may never know.
To guard against covert recording of data and employees it would be sensible to display signs at every entrance and within the office/reception and on doors leading to the workshop saying;
[insert company name] is committed to providing its employees with a safe working environment, please note that Visitors are only allowed access to our premises on the strict condition that they do not photograph, film or record by any method our employees without first obtaining written permission from [insert legal name Ltd].’
There are a number of rumours within the industry that data is being leaked from software systems. If you are experiencing complaints from customers being bombarded by claims companies, then try testing your software systems by creating a test repair, using your own private vehicle and mobile phone number.
If you start to receive calls from claims companies try and narrow the search by using different vehicles and mobile numbers to test each process separately.
Make sure you record the steps that you have taken with the date and time and any calls you receive. If you identify a leak then you should contact the Information Commission on 0303 123 1113 or at https://ico.org.uk/concerns
For further information on the Information Commission and whether you need to register read http://www.retailmotorlaw.co.uk/index.php?option=com_content&view=article&id=233:do-i-need-to-register-with-the-information-commission&catid=34:our-company&Itemid=78