Page 247 - E-Bussiness and E-Commerce Management Strategy, Implementation, and Practice
214 Part 1 Introduction
[Figure 4.8 Information flows that need to be understood for compliance with data protection legislation. The figure shows the ‘data controller’ (the individual in the organization responsible for personal data) and the ‘data subject’ (the prospect or customer), linked by four flows: 1 Obtain ‘personal data’; 2 Store ‘personal data’; 3 Disseminate and use ‘personal data’; 4 Modify and delete data. The data subject asks: ‘Do I understand the purpose, likely consequences and future use of my given data?’]
• Whether future communications will be sent to the individual (explicit consent is required for this in online channels, which is clarified by the related Privacy and Electronic Communications Regulation Act which is referred to below);
• Whether the data will be passed on to third parties (again explicit consent is required);
• How long the data will be kept for.
3 Adequate, relevant and not excessive.
In full: ‘Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.’
This specifies that only the minimum amount of data necessary for the stated processing is requested. There is difficulty in reconciling this provision between the needs of the individual and the needs of the company: the more details an organization has about a customer, the better it can understand that customer and so develop products and marketing communications specific to that customer, which the customer is more likely to respond to.
4 Accurate.
In full: ‘Personal data shall be accurate and, where necessary, kept up to date.’
It is clearly also in the interest of an organization in an ongoing relationship with a partner that the data is kept accurate and up-to-date. The guidelines on the Act suggest that additional steps should be taken to check that data are accurate, in case they are in error, for example due to mis-keying by the data subject or the organization, or for some other reason. Inaccurate data is defined in the guidelines as: ‘incorrect or misleading as to any matter of fact’.
The guidelines go on to discuss the importance of keeping information up-to-date. This is only necessary where there is an ongoing relationship and the rights of the individual may be affected if the data are not up-to-date. This implies, for example, that a credit-checking agency should keep credit scores up-to-date.
5 Not kept longer than necessary.
In full: ‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.’