Michael Isaacs, 80, from Epsom, Surrey, was the sole director of Datasearch Services Limited (DSS). DSS is a tracing agent company, previously used by the Royal Bank of Scotland (RBS) to locate people who owed money to RBS and to determine their assets and ability to repay the debts.

In February 2016, the ICO received a complaint from RBS with concerns about the contents of reports it had received from DSS.

During the ICO’s investigation it became clear that Mr Isaacs was routinely contacting organisations such as utilities companies, local councils, and GP surgeries, while pretending to be the named person and managing to pass basic security questions. He would use voice-changing software to impersonate other people and to cover his tracks. Mr Isaacs would then record personal information such as monthly direct debits, bank account details, and outstanding mortgages to build up an in-depth profile of a person for RBS.

Isaacs was fined £10,560 with costs totalling £15,000, and the Commissioner obtained a Proceeds of Crime Order recovering £38,000 of his ill-gotten gains.

What do you need to do?

  • Review DPA policies and procedures and ensure these set appropriate responsibilities and provide staff guidance on what security or ID should be accepted as being valid.
  • Carry out spot checks to ensure that reasonable and proportionate ID checks are consistently being conducted.
  • Ensure front line staff receive adequate training to give them the confidence not to be put under pressure by patients/third parties to share information where ID has not been confirmed.

Importance: Medium


For further discussion and support, including data protection awareness training services, please email dpa@tiaa.co.uk