

Misuse of My Data by Motability (probable ID theft/Benefit Fraud)



Post the letter of claim here. But first of all, please will you post up here the list you have put together detailing every incident which has occurred as a result of this sum which has affected you – and the way it has affected you.

Also please will you talk about the stress or distress you have experienced and your family has experienced – if any.

 

Link to post
Share on other sites

Yes I will do -

I have kept every detail, even the hospital visit and discharge letter for chest pain when I had an anxiety attack in the days after finding out - after dealing with police, Action Fraud

they still haven’t even confirmed they’ve removed my details or proved they have from all these places they had no place putting them

still awaiting Direct Line response DSAR and DVLA and them obviously

literature, and solicitors (which I won’t use - do myself hopefully)

say it’s 2k a breach - so two companies or three if you include DVLA - and more if medical distress

now it’s all new and I don’t expect 6k plus as suggested - but I’m not taking this and letting them brush it aside for nothing.
I feel violated and angry, they try and use some garbage about override errors and ‘not really an issue’ nor data breach

 

 

Link to post
Share on other sites

If there are medical records then it will help enormously if you can get a doctor to put in writing that this was affected or caused or increased by the data breach which you are dealing with.

Link to post
Share on other sites

right this is my draft letter before action

it was hard to make it any shorter as so many breaches to highlight and why it fails legislation.

I can’t upload their email reply before this

but basically denying a breach, admitting overrides happened, but it’s of no consequence etc have £250 etc as has legal disclaimer at bottom of email

it’s just a draft

 

 

if you have time to read it 

draft letter before action.pdf

Link to post
Share on other sites

Standby for a reply later on

Link to post
Share on other sites

It's rather verbose – too much narrative and too much astonishment.

But the first question which occurs to me is why are you giving them 30 days?

Also, you have headed it – formal complaint – letter before action.

Which is it? A formal complaint or a letter before action?

 

 

Link to post
Share on other sites

I can adjust the heading, it’s just a draft,

I found it hard to reduce the narrative as need to explain the breaches and why they are breaches which they deny - I could have a go at making sentences shorter and more punchy

I thought 30 days as I don’t have their DSAR reply yet, which may be important or hold important evidence which deepens the claim

and gives them an opportunity to settle out of court for something reasonable?

 

Link to post
Share on other sites

Let's start making this an ordinary letter of complaint. A formal letter of complaint and not a letter of claim.

 

Outline everything that has happened but with less narrative. Do it in a bullet pointed chronology if possible.

 

Please stop talking about how astonished you are and how emotional you are and how you can scarcely believe blah blah blah blah.

Post a draft here

Link to post
Share on other sites

Have we seen your formal complaint?

Have we seen their response?

Also what is the return date for the SAR?

Link to post
Share on other sites

No as done before, when less information available, more info comes from the DSAR received from other parties like RSA insurance which is how I found out it was second car taken in my name and insurance policy and this had been going on since 2018

so sent an additional note to original complaint as an attachment.

I can’t post their response as it’s an email from legal dept with cannot disclose notice

but crux of their answer was -

my details were overridden onto another lady’s claim in 2018 by their software, because our surnames were similar that’s how it was all taken in my name both times

but they say not a breach as because they held my data from 15 yrs ago when I was an appointee for my daughter, and as such that 15 yr ago info given was consent to use my data

bearing in mind I have never been a customer or claimed benefits myself and it was my specific details used

they have another two weeks to respond to my DSAR

 

 

Link to post
Share on other sites

Check back for a reply later on. But in terms of any confidentiality or non disclosure warning at the top of a letter, you should disregard this.

They are not able to bind you unilaterally into any duty and that kind of stuff is simply designed to frighten you.

Tell us what the letter says and don't worry about their threats and warnings

You should be taking control and not giving into this kind of stuff from these people who have treated you so badly

Link to post
Share on other sites

Waiting for you to upload their letter

Link to post
Share on other sites

6 hours ago, MOSS 41 said:

but they say not a breach as because they held my data from 15 yrs ago when I was an appointee for my daughter , and as such that 15 yr ago info given was consent to use my data 

You need to do more research on that assertion by insurers, talk to ICO and look at their website.

Three potential issues come to mind

1. When you give an organisation permission to use your data you consent to it being used for specified purposes. You don't agree that they can use it for any purpose they want to for all time. So did consent given 15 years ago include what they did use it for later? They surely aren't suggesting that your consent given 15 years ago entitled them to attach your details to another lady's claim in 2018?

2. Since you gave consent 15 years ago data protection law has changed. In particular there was a new law in 2018, the Data Protection Act 2018, also referred to as 'GDPR'. I have a feeling that companies had to get new permissions when the 2018 Act came into force but I'm not sure of the details. Something else for you to investigate with ICO.

3. Did they have a business reason to retain your details for 15 years? One of the general principles is that businesses aren't supposed to retain people's data for longer than they need to. Possibly they did, I haven't read back over the whole thread. But again, something else for you to investigate with ICO.

  • Like 1
Link to post
Share on other sites

Hi

In post#21 you mention another insurance policy taken out for the same car with your details.

Motability Insurance Provider was RSA for years but Motability has very recently changed its Insurance Provider to Direct Line.

So all that has happened with Motability Insurance Provider is the new Insurance Provider Direct Line has updated its records to show your details for that car on its Insurance Policy.

Post#25

I find Motability legal team's response disgraceful to state no data breach as appointed for daughter many years ago but your details overwritten onto someone who has a similar name. Also not a data breach as you were appointee they were allowed to share your details with other organisations under T&C.

a) This is not Maladministration at all they have misused your Data onto vehicle documentation and insurance policies of someone with a similar name.
b) As appointee to your daughter they were allowed to share data with other organisations under their T&C but your appointee ended when your daughter didn't either have a motability car or you stopped being appointee.
c) You have not given them any consent to use your data on policies/motability vehicles taken out in this unknown person's name.
d) your name would have been added to DVLA Database for those 3 different Motability vehicles.
e) if during the period of these Motability Cars if they have been in any accidents and claims made you will be unaware of this.
f) the Motability cars details and insurance details with your name/data on them sent to this other unknown person at an unknown address
g) This is to do with a Data Breach and should have been responded to by Motability Data Controller so why has Motability Legal Team not passed this to Motability Data Controller.

Therefore Motability due to the above have not only done a Data Breach but illegally taken out insurance policies in your name and registered Motability Vehicles in your name with DVLA.

Motability Legal Team really need a serious lesson if they think this ain't a Data Breach

I agree formal complaint to ICO/FOS

With the new Data Protection Act and General Data Protection Regulations 2018 you have rights to request Erasure of your Data and to also Object.

 

These may be useful:

Note: If you are going to use the below letters you must make sure and specifically address them FAO Motability Data Controller

RIGHT TO ERASURE

 

[Insert Full Name Here]

[Insert Full Address Here]

 

[Insert Company Name Here]

[Insert Company Address Here]

[Insert Date Here]

 

 

To Whom it may Concern / Controller Officer

Formal Right to Erasure under Article 17 General Data Protection Regulations

I am giving your [Insert Company Name/etc] notice that under the General Data Protection Regulation (GDPR) Article 17, Recital 65 & 66: http://www.privacy-regulation.eu/en/article-17-right-to-erasure-'right-to-be-forgotten'-GDPR.htm

I am of the opinion that I have fulfilled the requirements set out in Article 17 (1) of the GDPR.

http://www.privacy-regulation.eu/en/article-17-right-to-erasure-'right-to-be-forgotten'-GDPR.htm

I am now hereby requesting that your Company immediately Erase my Personal Data concerning me in accordance with Article 15 Recital 63 & 64 of GDPR. http://www.privacy-regulation.eu/en/article-15-right-of-access-by-the-data-subject-GDPR.htm

Please erase All Personal Data concerning me as defined in Article 4 (1) of GDPR. http://www.privacy-regulation.eu/en/article-4-definitions-GDPR.htm

Please delete the following Personal Data concerning me:

[Insert a list here of all Personal Data you wish to be deleted]

 

 

If I have previously given my consent to the processing of my Personal Data either according to:

Article 6 (1) of GDPR. http://www.privacy-regulation.eu/en/article-6-lawfulness-of-processing-GDPR.htm

Article 9 (2) of GDPR. http://www.privacy-regulation.eu/en/article-9-processing-of-special-categories-of-personal-data-GDPR.htm

I now Fully Withdraw my Consent to the above Processing of my Personal Data.

In addition I am also now objecting to the Processing of my Personal Data (which includes profiling) in accordance to Article 21 of GDPR.

http://www.privacy-regulation.eu/en/article-21-right-to-object-GDPR.htm

If you have disclosed the affected Personal Data to Third Parties, you have to communicate my request Right to Erasure of the affected Personal Data as well as any references to the data to all recipients as per Article 19 of GDPR. http://www.privacy-regulation.eu/en/article-19-notification-obligation-regarding-rectification-or-erasure-of-personal-data-or-restriction-of-processing-GDPR.htm

My request explicitly includes any other Services and Companies for which you are the Controller as defined by Article 4 (7) of GDPR. http://www.privacy-regulation.eu/en/article-4-definitions-GDPR.htm

I am including the following information necessary to identify me:

 

Full Name

Date of Birth

Full Address

Email Address

National Insurance Number, etc

If you object to my Right to Erasure request you have to fully justify your reasons for the objection.

As laid down in Article 12 (3) of GDPR you have to confirm the Right to erasure to me without undue delay and in any event within One Month of receipt of this request. http://www.privacy-regulation.eu/en/article-12-transparent-information-communication-and-modalities-for-the-exercise-of-the-rights-of-the-data-subject-GDPR.htm

If you fail to acknowledge or respond to my request without undue delay and in any event within one month of receipt I will without further correspondence report your failure to comply to the Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/

 

Yours Sincerely

 

[Insert Full Name]

 

 

 

RIGHT TO REQUEST RECTIFICATION

 

[Insert Full Name Here]

[Insert Full Address Here]

 

 

[Insert Company Name Here]

[Insert Company Address Here]

[Insert Date Here]

 

 

To Whom it may Concern / Controller Officer

Formal Right to Request Rectification of Personal Data under Article 16 of General Data Protection Regulations

I am giving your [Insert Company Name/etc] notice Requesting the Rectification of Inaccurate Personal Data concerning me under Article 16 of GDPR. http://www.privacy-regulation.eu/en/article-16-right-to-rectification-GDPR.htm

Please make the following Rectifications to my Personal Data as follows:

[Insert a list here of all Personal Data you wish to be Rectified]

 

If you have disclosed the affected Personal Data to Third Parties, you have to communicate my request Right to Rectification of the affected Personal Data as well as any references to the data to all recipients as per Article 19 of GDPR. http://www.privacy-regulation.eu/en/article-19-notification-obligation-regarding-rectification-or-erasure-of-personal-data-or-restriction-of-processing-GDPR.htm

My request explicitly includes any other Services and Companies for which you are the Controller as defined by Article 4 (7) of GDPR. http://www.privacy-regulation.eu/en/article-4-definitions-GDPR.htm

I am including the following information necessary to identify me:

Full Name

Date of Birth

Full Address

Email Address

National Insurance Number, etc

If you object to my Right to Rectification request you have to fully justify your reasons for the objection.

As laid down in Article 12 (3) of GDPR you have to confirm the Right to Rectification to me without undue delay and in any event within One Month of receipt of this request. http://www.privacy-regulation.eu/en/article-12-transparent-information-communication-and-modalities-for-the-exercise-of-the-rights-of-the-data-subject-GDPR.htm

If you fail to acknowledge or respond to my request without undue delay and in any event within One Month of receipt I will without further correspondence report your failure to comply to the Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/

 

Yours Sincerely

 

[Insert Full Name]

 


I cannot give any advice by PM - If you provide a link to your Thread then I will be happy to offer advice there.

I advise to the best of my ability, but I am not a qualified professional, benefits lawyer nor Welfare Rights Adviser.


Link to post
Share on other sites

Thanks for above.

yes I agree, consent for data is given for specific purposes, so even if when I was or am an appointee for daughter - it only would relate to anything she did, or had

it most certainly would not stretch to putting cars I know nothing about in my name, and insuring them in my name when another woman the other side of country is using and her self not the registered keeper or insured

yes Direct Line took over from RSA, it’s the receipt of this new Direct Line policy sent to my home address with all my details on, that alerted me to fact there was insurance I knew nothing about and then all the other facts came to light, that this had been going on since 2018 with two vehicles

for Motability to say, I being an appointee makes me their ‘customer’ so can use my data is just baffling - most certainly not to set up vehicles and insurance I have nothing to do with, I might add in my name alone, not even through my daughter’s channels

plus I think they are just lying over this data override because of similar name

to pick up and order a Motability car, you need ID documents and a PIN code, so utility bill and driving licence to be taken to dealership - if the log book and insurance are in my name - and I know this other woman’s name now they breached her rights and told me - her name, address wouldn’t have matched - so she shouldn’t have been able to collect car, or at least it would have been flagged wrong details were down and Motability would have had to correct to allow collection / something is still too fishy about this

 

 

 

Link to post
Share on other sites

Their response - MY COMMENTS

We write further to your letters to us dated 14th, 22nd, and 29th September and have addressed your concerns below.

 

As the appointee for your daughter, Miss xxxxx, you qualify as a Motability Operations Limited (“MO”) customer. ’Appointee’ is a term used by the DWP for an individual who has the right to deal with the benefits of someone who cannot manage their own affairs. As you opted to be the appointee for your daughter, you are the hirer of the vehicle (as per your agreement) and therefore a customer of MO.   

Me nor my daughter hired these two vehicles, so are not customers under these vehicles

 

We have investigated the issues here and detail the following course of events that led to your concerns. In or around 2018 a new MO customer, who has the same surname and date of birth as you joined the Motability Scheme. Their details were uploaded onto our system by the vehicle dealership and through a technical error were uploaded to the MO customer reference number (the “CRN”) linked to you when you were a Scheme customer around 15 years ago. At this point, your details were overwritten with the new customer’s details.

That’s a lie, my details were used and not overwritten with hers as DSAR from RSA shows policies taken in my name not hers in 2018 and again in 2021 - how did they collect car and with what ID as registered to my name, address, DOB with DVLA and insurer? You need driving licence, utility bill and PIN code to collect a car with matching details - DSAR shows my details were used to register car and policies not hers

 

As Insurance and Loss and Damage Protection (the “Insurance Policy”) is provided to MO customers as part of every hire agreement whether that is in respect of a mobility scooter or vehicle, the application generates a data feed to our insurer to facilitate the provision of Insurance. The data feed includes name, address, date of birth and product details. The information that the insurer shares to the Motor Insurance Database (MID) is limited to the vehicle details, no personal data is held within the MID. To ensure that the insurer’s data remains accurate and up to date, any changes to MO’s customer relationship management system, Alfa will generate a notification to the insurer.

Rubbish, the insurers are third parties and given my details to set up policies without consent or knowledge - DVLA has me as registered keeper, confirmed by Motability staff who told me to ring police and Action Fraud

 

The customer’s application in 2018 had no impact on you or your information as all details registered to the CRN at the time were theirs. In April 2021, the same customer applied for another vehicle on the Scheme. Again, this had no impact on you or your information. 

No impact? Vehicles in my name, responsible for the risks and responsibilities, insurances in my name, the policies show my details used not hers! So how can they say all info was hers when I have the documents. They applied again in 2021 and they used my data all over again and say no impact?

 

You made an application for a mobility scooter on the Scheme, as the appointee on behalf of your daughter, in or around August 2022. As part of the application process the dealership entered your details onto our system. The online application system is designed to identify duplicate customer records.  This process meant that your original CRN was flagged as an existing record, and the customer’s details that were linked to the CRN at the time were overwritten and reverted to your details.

My daughter ordered scooter, my details were simply reverted at this point? I have evidence in my name alone (nothing to do with daughter) since 2018 by documents and insurance DSAR, this is a lie - plus if identified to them at this point something was wrong why wasn’t this brought to my attention as a data breach here

 

This change and your application for a mobility scooter triggered two notifications to the insurer, who at the time were Royal and Sun Alliance Insurance plc (“RSA”). For the application for the mobility scooter, it triggered a data feed (your name, address and product details) to RSA to enable them to issue the relevant policy schedule to evidence the Insurance for the mobility scooter you lease on behalf of your daughter. The second notification to RSA was triggered by the fact that your details overwrote those relating to the other customer. Your name was updated as the insured party for vehicle registration DY21XWO.

Again a lie, my name was not just updated here at this point, I have the evidence going back to 2018 as above, it’s always been in my name. Also my daughter, now 21 and doesn’t live with me, did not receive insurance, she’s only just been insured two weeks ago since the complaint, so they lie there too about insurance going out last year - she’s been uninsured

 

The sharing of personal information with the insurer is necessary to provide you with the mobility scooter as an MO customer and is covered by the terms and conditions of your agreement with us. As of 1 September 2023, MO transitioned our insurance provider from RSA to Direct Line Group (“DLG”).  You will have received communication relating to this transition from RSA to DLG in July and/or August of this year.

Can only share data for specific purposes, not to take out cars and policies I know nothing about

 

To clarify, MO customers are beneficiaries under the Insurance Policy and MO are the sole policy holder. Whilst we acknowledge that you should not have been registered as a beneficiary for a Motability Scheme vehicle that was not leased in your name, we reassure you that there has been no breach of your personal information, nor has it been used for any fraudulent purposes. No incidents have occurred nor have any claims been processed under your name as a beneficiary for this vehicle. Both RSA and DLG have at all times held your personal information lawfully to provide you with insurance cover for the mobility scooter.

How can you say no breach of personal info - DVLA, RSA, Direct Line, car dealership all given my data without consent or knowledge - they admit I am beneficiary for the vehicle/s if you include earlier vehicle - when they said above don’t worry her details were used not mine? Evidence shows they used mine, contradicting themselves here

 

As above, MO customers are beneficiaries under our Insurance Policy, therefore, you are not and will never have been a policy holder. We have investigated our records and you have only been incorrectly registered as a beneficiary for the one Motability Scheme vehicle.

Not true - insurance policy docs clearly in my name, for the above to be true, Motability would be the insured party and renters just named drivers - we wouldn’t even get the documents - I have evidence from RSA DSAR, policy holder on both cars 2018 Fabia and 2021 Kamiq

 

We acknowledge that this situation may have caused distress and upset to you. We therefore offer you our sincere apologies and as a gesture of goodwill a compensation amount of £250.

 

We acknowledge receipt of your subject access request which we received on 19th September and will revert within 30 days from this date in accordance with data protection legislation. We will respond to your request by email which is an intelligible format as required under the relevant legislation. The email will be encrypted in order to protect your personal information.

 

The Data Protection Officer will be responsible for overseeing the response to your request. If you have any questions about your request, please contact them. Details can be found in the Privacy Notice provided to you at the signing of your agreement.

 

Yours sincerely,

 

Edited by MOSS 41
Link to post
Share on other sites

I assume to now take this to ICO, I just bullet point what happened and provide correspondences and policies as evidence? But I don’t really ever hear anything back, as it’s effectively taken out of my hands

should I wait for DSAR response from Motability first? Although I don’t think it will be complete and selective, because of what they have done, to protect their own interests.

 

Link to post
Share on other sites

I definitely think that you should wait for the SAR first. Then check it carefully for what it contains – and also for anything that it doesn't contain which might be much more interesting.

There is only a couple of weeks more I think so let's see what happens. If they don't make the disclosure then that also will help you

Also it seems that your daughter herself is the victim of a data breach. How old is she?

Link to post
Share on other sites

My daughter is 21, they have said to me that the policies and DVLA have been taken in my name only and that’s how they look based on evidence

in initial phone calls nothing mentioned about my daughter, I don’t hold currently any evidence that her details have been given to anyone? On what I hold right now

the only avenue is that her scooter wasn’t insured until 10 days ago, yet she’s had it 14 months - so was it insured under other lady’s name and docs sent there? I don’t know

 

 

 

 

 

 

 

Link to post
Share on other sites

  • 2 weeks later...

Small update, got Direct Line SAR response

and as per RSA and I’m getting very little

i.e. 4 lines just saying policy number the car, my details that’s it

so I fail to believe that’s the only place anything mentions me - for instance where’s the transcript of our phone call (as it’s recorded) my details in an application form etc -

as another example when I did an SAR to a bank, it listed everything, emails I made, phone calls, applications, even emails between employees that held my data etc

should I be accepting their SAR response as sufficient as I don’t think it is?

 

 

 

 

 

Link to post
Share on other sites

Before we go further, can we please recap.

Please could you list out every incident in which you believe that your identity has been used incorrectly.
We would like a bullet pointed list please. No more than half a dozen words per line. Put them in chronological order with the date.

The format I'm talking about is the kind of format that I suggest using as the index in our court bundle advice.

Secondly, can you please list out in a bullet pointed chronology every item of correspondence that you have – letter, message – anything and dates of phone calls.
From what I understand of the disclosure you have received, most of the things that you will list are not included in the disclosure yet should have been.

Once again, for this list, keep it brief and use the index format suggested in our court bundle advice.

Link to post
Share on other sites
