-Caveat Lector-
>From http://www.guardian.co.uk/online/story/0,3605,715871,00.html
}}}>Begin
Track your every move
Big-name companies monitor all your purchases - and you have a right to see the
results. S A Mathieson reports
S A Mathieson
Thursday May 16, 2002
The Guardian
Sixteen years after the introduction of data protection legislation in the UK,
organisations should know what to do when individuals want to see the personal data
held on them, as they were warned recently by the information commissioner,
Elizabeth France. So Online tested four companies to see how they responded to
such requests - and to find out exactly what data they hold on us. All complied with
the requests, which were made as a customer.
The supermarket
Sainsbury's took three weeks to compile a quarter-inch wedge of documents, using
the Reward card number. Every purchase from the past three years was listed,
including the store name, the date and time, and the price paid. "This period of time
allows us to monitor trends in purchasing, which helps us predict the level of
stockholding required in future, and ensures we send customers information they will
be interested in," said Sainsbury's. Sainsbury's recorded the method of payment at
each visit, whether a card was swiped or keyed into the till, the staff number, and
even which check-out was used. Sainsbury's said this was kept for security and in
case of customer queries.
The supermarket uses its data to categorise customers. Apart from the data
volunteered when the loyalty card is issued, Sainsbury's draws conclusions from your
address, using a categorisation system called Acorn. The area of south London I
registered, Streatham, was described as category C, "rising"; group 7, "prosperous
metropolitan professional"; and type 20, "gentrified multi-ethnic areas". Sainsbury's
said this is used to plan mailshots, store formats and new ranges of goods.
An increasing number of companies use customer relationship management (CRM)
software to trawl their information. Sainsbury's is no exception. The print-outs it sent
show it classes customers by frequency of visits, average spend per visit and other
subjects, such as whether they buy organic food. I fell into a segment for customers
who "buy products which suggest they enjoy trying new and different ingredients in
their cooking". These segments are used to decide what kind of mailshots to send
you, potentially making junk mail less junky. Customers can also opt out.
"If you never buy any pet food, you're not going to be interested in getting coupons
for it," says Mike Phillips, an analyst at research firm Datamonitor. He says that
Tesco's Clubcard system is more sophisticated than Sainsbury's. "Tesco sends all its
members a quarterly balance statement with a set of promotional coupons driven by
the customer's past behaviour. It sends out five versions of its magazine, depending
on age group," he says, adding that Clubcard has been one of the factors allowing
Tesco to draw clear of Sainsbury's as the UK's largest supermarket.
Sinister uses of loyalty card data have been mooted. In 1999, the ministry of
agriculture suggested cross-checking purchases of genetically modified food with
health records, effectively making the cards part of a huge medical experiment. The
supermarkets declined to take part.
You can avoid such data retention by not getting a loyalty card. Some supermarkets,
such as Waitrose, don't bother, and Safeway abandoned its scheme two years ago.
Such schemes are expensive: Phillips says Sainsbury's is thought to spend about
£150m on it annually. "It's expensive if you don't extract the maximum value out of
the data you collect," he says. That's done by persuading customers to spend more.
The internet service provider
Freeserve passed our request to Energis Squared in Leeds, which operates the
ISP's network. Energis produced the data in two weeks, after it was agreed to limit
the search to the earliest records available and the latest month of data. The
information falls into two sets. The first, Radius logs, show to the second when the
customer logged in and out, how many seconds the connection lasted, the internet
protocol address allocated during the session, and which phone number called
which.
The second set of data was labelled Email History. It contained the header
information from every email received by the account in the period: the return
address provided by the sender, the ISP from which the email originated, the date
and time of sending, an ID code, and the title of the email. All are retained. The
contents of emails and data on websites visited were not retained. The surprise
came in the date of the earliest retained data. In both sets, this was from August 20
of last year, more than seven months before this query was completed at the start of
April. In November, Freeserve told Online it retained such data for just three months.
Freeserve declined to comment.
However, ISPs are in a legal grey area on data retention. The anti-terrorism law
introduced in November seems to require them to keep communications data, while
data protection law says they should delete it swiftly. ISPs are expecting the final
version of a code of conduct soon.
Freeserve seems to be hedging its bets. Energis Squared also held contact data, the
number of times the account had been accessed since its creation, how many
seconds had been spent online, and administrative data on whether the account is
suspended or limited in any way.
The bank
Co-operative Bank offered to provide much of its data free, but charged £10 for the
complete set. It took the full 40 days to produce the data. The bank held every
address provided by the customer, including the "previous address" required when
opening the account. There were quarterly and monthly statistics for the average
amounts coming in and going out of the account, along with lists of standing orders.
Also, potentially of use in a dispute with a bank, was a Notes section. This recorded
customer service transactions, such as a call requesting a new cash-card after one
had been damaged. The data did not include statements of accounts, although these
are retained.
"The bank takes the view that the data protection regulations are not there to replace
existing bank services," said a spokesperson. "You've had all your statements
anyway." CRM software makes it possible for banks to categorise customers
according to profitability, then give the "good" customers better service -
automatically switching them to a human operator rather than an automated system,
for example. Co-operative said it didn't segment customers for different levels of
service.
The phone company
BT's reply arrived in nine days. It consisted of just three pages of data: basic contact
and transaction details, and a log of contacts made, such as those made to sort out
faults on the line. A BT spokesperson confirmed that the firm holds seven years'
worth of call records - essentially the data on your phone bill. "There's no particularly
sinister reason it wasn't included. It's assumed that [the customer] received it on their
bill."
Do it yourself
You have a right under the Data Protection Act 1998 to see data held on you within
the European Union. The law requires organisations to comply with your subject
access request - the legal term - within 40 days. They can charge up to £10. Of the
four in this article, all charged £10 except Sainsbury's, which did not charge.
Phone the organisation's customer service number, and ask to whom a "Data
Protection Act subject access request" should be addressed. It's useful to get a
phone number as well. A good alternative is to call head office and ask for the legal
department.
Some organisations may request that you limit the terms of your query, but you don't
have to agree. You also don't have to give a reason for your request.
When writing, say you are making a subject access request under the Data
Protection Act 1998. See link below for advice. Click on Compliance Advice, then
FAQs - Subject access.
You should get an acknowledgement within a few days. If not, phone the person you
wrote to.
If the organisation refuses to fulfil your request within 40 days, it is breaking the
law.
You can contact the information commissioner's office on 01625 545700, or at the
link below. It can take up your complaint with the organisation.
• If you have problems with any subject access request, Online would like to hear.
Comments to [EMAIL PROTECTED]
Guardian Unlimited © Guardian Newspapers Limited 2002
End<{{{