|
|
http://www.ico.gov.uk/what_we_cover/data_protection/the_basics.aspx
The basics
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
* Fairly and lawfully processed
* Processed for limited purposes
* Adequate, relevant and not excessive
* Accurate and up to date
* Not kept for longer than is necessary
* Processed in line with your rights
* Secure
* Not transferred to other countries without adequate protection
The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.
Should an individual or organisation feel they're being denied access to personal information they're entitled to, or feel their information has not been handled according to the eight principles, they can contact the Information Commissioner's Office for help. Complaints are usually dealt with informally, but if this isn't possible, enforcement action can be taken.
How I see it, if they still have my info (bank details etc) as I left over 8 months ago, then to me they are certainly breaking
"Not kept for longer than is necessary".
Edited by deleted (Fri 18-May-07 07:50:02)
|
|
|
In reply to:
How I see it, if they still have my info (bank details etc) as I left over 8 months ago, then to me they are certainly breaking
"Not kept for longer than is necessary".
Unfortunately, IMHO, a totally gray area!!
As examples:-
1) they will need to keep your defunct username quarantined to prevent its use by another person - therefore it is "reasonable" that this is kept for many years.
2) For various Accountancy/Taxation reasons, they need to keep ALL of their financial information intact for (I think) 6 years!
|
|
|
Cheers for the reply.
I can see a user name being blocked, and think that is a good idea.
But with the tax issues, thought that they would have to keep details of the transactions of amount paid, but no need to still keep the bank account number where it came from.
But I don't know so any views are welcome.
EDIT I am not a PAYG customer as didn't need the service or PN e-mail (Thank God!)
Edited by deleted (Fri 18-May-07 08:14:17)
|
|
|
|
|
As I posted on another thread, it may also depend on whether you remain a PAYG customer or not.
If people still have logins and there is a place to store credit card information, is it PN's duty to remove this or is it up to the individual to remove the details if they do not want them there but want to maintain a PAYG account?
This would obviously be different if you indicate to PN that you want to close your account.
-------------
Fraser
|
|
|
Yes, I would not imagine that they would need individuals' bank details for Tax records.
-------------
Fraser
|
|
|
In reply to:
no need to still keep the bank account number where it came from.
tbh, I'm guessing here, it may depend on how the money was paid!!
e.g. if it was from some form of Direct Debit (or Credit Card Continuous payment), then they could be subjected to a query on any transactions, many years on. Accordingly, I would have thought that they would need to keep your details.
As an example, I recently purchased something from Dabs (who I hadn't used for many, many years) & I was surprised that (under personal info) was listed details of Credit Card that had expired FOUR YEARS ago!!
|
|
|
Which again people could claim fails under the DPA. But a lot of the DPA is down to what the company can show as reasonable to keep. If they have a sound business reason for keeping the information then they are generally allowed to do so. If you keep all of your financial records in a large database and you can show that you need that information for x years then I think it would be very easy to justify why you should not go to the effort of deleting out particular fields for a user when they stop being a customer.
-------------
Fraser
|
|
|
|
I see your point on the first issue.
But with the Dabs one, I take it you have an account with them, and have never cancelled it.
So can see why they would still have all details (even if CC is out of date).
But in my case I cancelled my account with PN
|
|
|
|
TBH never thought about it before, but with the e-mail issue even if nothing else was taken it has me wondering.
If as quoted they have suffered underinvestment, how secure are any bank details they hold on me?
|
|
|
From a security point of view given their recent track record then I think that could be the biggest concern. They do certainly seem to attract more failures than a lot of other ISPs and that may come from a higher reliance on web interfaces etc. There is a lot more you can do on the PN system web pages than a lot of others and that may attract attention to people that want a challenge getting in?
It will also mean that they have many more systems to keep patched which may be the place where they fall down more. Could be there is more emphasis placed on adding features rather than maintaining what they have in a better way.
-------------
Fraser
|
|
|
I think for people that cancel an account it would be easier to argue that they should possibly delete the customer info but I think there is still room for a company to be able to show reason why they keep it.
I do not know if equal weighting is given for each point covered by the DPA and feel that there is probably more emphasis placed on companies using the information in the way intended, ensuring it is secure (as far as they reasonably can), not releasing to others without permission etc.
The part regarding keeping longer than required is a more open ended point as it is easier to show that you have a need to keep it for a specified period as long as you treat it in the proper way and give the individual access to what you hold. But again this would need a case to be raised by the ICO to determine what their opinion of reasonable duration is in each case.
-------------
Fraser
|
|
|
David,
You do have the right to request what information is held by plusnet about you...why don't you request it and actually find out....
Paul
Plus Net - maxDSL - premier....or whatever its called now
Draytek Vigor 280VG running 2.7_E38 firmware
|