A lot has been said in recent years about both how personal data is being collected and how it’s used by third parties, particularly given the growing number of data scandals that involve some of the largest companies in the world. But should you be concerned about the way your data is used once it’s been shared with a third party? We explain more about what personal data misuse is, how it works and some examples.
What is data misuse?
To give you some context, let’s first explain what data misuse is. It involves using information in ways the person who provided it never intended. Data protection laws exist to prevent this, built into all kinds of policies and agreements you sign up to, each one promising to use your information only for the reasons given.
While data misuse isn’t the same as data theft, it can lead to a data breach if the information is not given sufficient levels of protection.
What are some examples of data misuse?
The best way to get a clear idea of data misuse is to look at some real-world examples. As our lives become more digitally focused, data usage is more important than ever, with the conduct of several large organisations being put under the spotlight as a result.
Back in April of this year it was revealed by the Irish Data Protection Commission (DPC) that they were investigating Google (whose European head office is located in Dublin) following numerous complaints that location data was being processed without enough concern over data protection.
The ecommerce giant was the focus of an in-depth investigation by the EU’s antitrust authority to see if competitively sensitive information collected from marketplace sellers is used to their advantage. This was initially raised in 2019 but a year on it remains unclear whether charges will be formally brought or not.
Mark Zuckerberg’s behemoth social media company is no stranger to data misuse allegations. The Cambridge Analytica scandal was hugely significant, but the New York Times also published details that revealed how users’ data was regularly shared with other major tech firms like Apple, Amazon, Netflix, Microsoft and more.
Towards the end of 2019 Twitter published a statement admitting they had ‘inadvertently’ used personal data, such as email addresses or phone numbers, for advertising purposes. While some praise may be due for owning up to it rather than being exposed, they were unable to confirm how many people it affected, which, given there are between 350 and 400 million active accounts, is pretty concerning.
A lot of speculation was raised about Leave.EU’s use of personal data during their Brexit campaign. Following an investigation, Arron Banks’ political organisation and his business Eldon Insurance were fined by the Information Commissioner’s Office (ICO) for using personal data interchangeably between the two organisations.
Are there any laws that can prevent data misuse?
The fight against data misuse is ongoing, especially in the digital age, with the ICO also conducting a wider investigation into the ways that Advertising Technology (Ad Tech) companies compile and use their data. While we should have confidence that signing an agreement will mean the organisation will honour their side of the deal, unfortunately, this is not always the case.
In the UK we currently adhere to the European Union’s General Data Protection Regulation (GDPR). This replaced the Data Protection Act which was repealed in 2018. Post-Brexit, GDPR will be brought into UK law as ‘UK GDPR’, although additional changes may be implemented at a later date when the transitional period is finished.
What does GDPR cover?
Under GDPR, organisations must clearly state what the collected data is going to be used for. That must also be included in the privacy information resources they provide to users. The organisation should regularly review and, if needed, update their processes and associated resources. Most importantly of all, the individual must give consent for the data to be obtained, and again if the organisation wishes to use it for something other than what was originally agreed.
How can I see the information stored and/or used by an organisation?
You have the right to ask an organisation whether it is storing or using your personal data. This is known as a subject access request and can be made either verbally or in writing. You can ask what personal data they hold, how it was collected, how it is being used and who it is being shared with.
Where a request is made verbally, it is also a good idea to follow this up with a written request so you have a clear record that can be referred to at a later date if needed.
If you want to know how to make a subject access request, be sure to include the following details:
- Title the request using ‘subject access request’
- Current date
- Name of organisation being contacted
- Reference/account number (if applicable)
- Your contact details
- A full list of all the personal data you are inquiring about
- Any additional information that can help source the information
- How you would like the data sent to you (digital or physical form)
Some organisations may ask you to complete a standard form, which is also acceptable, although be sure to include all of the key information listed above.
Remember, a subject access request can also be made by someone else on your behalf. If you are comfortable with them having access to your personal data, the following people can submit a request:
- Anyone with parental responsibility or guardianship who is requesting on behalf of a child or young person.
- Relatives or friends that are allowed by the individual.
- Someone given legal permission to manage another person’s affairs.
- Solicitors acting on the instruction of their clients.
Where a request is made by any of the above, the organisation will request proof that they have permission to do so. This will involve providing formal evidence such as written authorisation from you.
So there it is, data misuse in a nutshell.