I'm honestly stumped as to what to do. Bet Victor now won't deal with me and will only deal with this through the Gaming Commission (even though I haven't contacted them yet as I've had promises of contact from the head of CS at BV).
Honestly, I am mind blown by this.
I with I could let Victor know of how his staff were handling this!
If anyone wants to PM me with advice that they'd rather not post here I'd really appreciate that.
You've hit the nail on the head. Why not write to Victor himself? Special delivery. He won't be hard to find on 192.com or similar. If you have irrefutable evidence of their 'indsicretion' why not issue a small claims summons? Then they will have to communicate with you. Make it clear this is NOT going to go away, as they hope by their obfuscation and stalling that it will. From what you've said the GC may not be the best avenue to pursue here, because this matter is governed by proper legislation as opposed to a government QUANGO like the GC. This is actually a prosecutable offence if you read the DPA, as opposed to GC jurisdiction.
Here is advice by the companies organization to UK businesses, concerning this type of situation:
What should I do if there is a security breach?
If, despite the security measures you take to protect the personal data you hold, a breach of security occurs, it is important that you deal with the security breach effectively. The breach may arise from a theft, a deliberate attack on your systems,
from the unauthorised use of personal data by a member of staff, or from accidental loss or equipment failure. However the breach occurs, you must respond to and manage the incident appropriately. Having a policy on dealing with information security breaches is another example of an organisational security measure you may have to take to comply with the seventh data protection principle.
There are four important elements to any breach-management plan:
1. Containment and recovery – the response to the incident should include a recovery plan and, where necessary, procedures for damage limitation.
2. Assessing the risks – you should assess any risks associated with the breach, as these are likely to affect what you do once the breach has been contained. In particular, you should assess the potential adverse consequences for individuals; how serious or substantial these are; and how likely they are to happen.
3. Notification of breaches – informing people about an information security breach can be an important part of managing the incident, but it is not an end in itself. You should be clear about who needs to be notified and why. You should, for example, consider notifying the individuals concerned; the ICO; other regulatory bodies; other third parties such as the police and the banks; or the media.
4. Evaluation and response – it is important that you investigate the causes of the breach and also evaluate the effectiveness of your response to it. If necessary, you should then update your policies and procedures accordingly.
These issues are considered in greater detail in our Guidance on information security breach management. We have also produced Notification of Data Security Breaches to the ICO. This is guidance on:
•the circumstances in which we expect organisations to notify us of security breaches;
•the information we need in those circumstances; and
•what organisations can expect us to do after notifying us.