Page 248 - E-Business and E-Commerce Management: Strategy, Implementation, and Practice
Chapter 4 E-environment 215
The guidelines state: ‘To comply with this Principle, data controllers will need to review
their personal data regularly and to delete the information which is no longer required for
their purposes.’
It might be in a company’s interests to ‘clean data’ so that records that are not relevant
are archived or deleted, for example if a customer has not purchased for ten years.
However, there is the possibility that the customer may still buy again, in which case the
information would be useful.
If a relationship between the organization and the data subject ends, then data should
be deleted. This will be clear in some instances: for example, when an employee leaves a
company their personal data should be deleted. With a consumer who has purchased
products from a company this is less clear, since frequency of purchase will vary; for
example, a car manufacturer could justifiably hold data for several years.
6 Processed in accordance with the data subject’s rights.
In full: ‘Personal data shall be processed in accordance with the rights of data subjects under
this Act.’
One aspect of the data subject’s rights is the option to request a copy of their personal
data from an organization; this is known as a ‘subject access request’. For payment of a
small fee such as £10 or £30, an individual can request information which must be supplied
by the organization within 40 days. This includes all information on paper files and on
computer. If you requested this information from your bank there might be several boxes
of transactions!
Subject access request: a request by a data subject to view personal data from an organization.
Other aspects of a data subject’s rights which the law upholds are designed to prevent
or control processing which:
– causes damage or distress (for example, repeatedly sending mailshots to someone who
has died);
– is used for direct marketing (for example, in the UK consumers can subscribe to the
mail, e-mail or telephone preference service to avoid unsolicited mailings, e-mails or
phone calls). This invaluable service is provided by the Direct Marketing Association
(www.dmaconsumers.org). If you subscribe to these services organizations must check
against these ‘exclusion lists’ before contacting you. If they don’t, and some don’t, they
are breaking the law;
– is used for automatic decision taking – automated credit checks, for example, may result in
unjust decisions on taking a loan – these can be investigated if you feel the decision is unfair.
7 Secure.
In full: ‘Appropriate technical and organizational measures shall be taken against unauthorised
or unlawful processing of personal data and against accidental loss or destruction of, or damage
to, personal data.’
This guideline places a legal imperative on organizations to prevent unauthorized
internal or external access to information and also its modification or destruction. Of
course, most organizations would want to do this anyway, since the information has value
to the organization and the reputational damage of losing customer information or being
subject to a hack attack can be severe. For example, in late 2006, online clothing retail group
TJX Inc (owner of TK Maxx) was hacked, resulting in the loss of the credit card details of over 45
million customers in the US and Europe. TJX later said in its security filing that its
potential liability (loss) from the computer intrusion(s) was $118 million.
Techniques for managing data security are discussed in Chapter 11.
Of course, the cost of security measures will vary according to the level of security
required. The Act allows for this through this provision:
(i) Taking into account the state of technological development at any time and the cost of
implementing any measures, the measures must ensure a level of security appropriate to:
(a) the harm that might result from a breach of security; and (b) the nature of the data to
be protected.
(ii) The data controller must take reasonable steps to ensure the reliability
of staff having access to the personal data.