How 6 companies were put to test on personal data

Shirts and ties. Cases of wine. Books, shoelaces, waterproof trousers and posters. Telephone calls and emails.

A decade’s worth of supermarket shopping, photographs, opinions, likes, dislikes and friendship networks. Not to mention salary, age, address, pension, job applications and national insurance number.

That is just a small selection of the personal information stored by retailers, social media groups, employers and telecoms providers.

For years, we have handed our personal details over to an array of businesses and then forgotten about it — and most of us are ignorant of what they do with our data and how some sell it on.

So how do we go about finding out? And what will happen when EU-wide rules due to come into force in less than four months give citizens enhanced powers to see and control their personal data?

The Financial Times put half a dozen companies to the test to see how well they complied with rules under the UK 1998 Data Protection Act, and how likely they were to be ready for the General Data Protection Regulation, which comes into force on May 25.

The FT sent them so-called subject access requests, a written request from an individual to see a copy of the information an organisation holds about them, using a template letter from the UK Information Commissioner’s website.

There is an assumption that large companies which are used to handling data and can afford data protection teams are likely to be the most prepared to comply with the incoming regulations, while small and medium-sized businesses will struggle.

But in the FT’s experience, the reverse was true. Two huge companies — Amazon and Facebook — did not reply to the written requests. Facebook also missed a follow-up email request.

Instead, the social media site offers a “download your info” function that produces a file containing advertisements you have clicked on, friends made (and unmade), everything ever posted on your timeline, a history of logins, devices used and IP addresses that show the location of devices, as well as unexplained information on cookies, password changes and “checkpoints completed”.

Asked why it had not replied to the SAR, the company said: “People can access their account data in many places on Facebook, including ‘download your information’, activity log, and their profile. We provide information about the ways we use data in our data policy and elsewhere on Facebook.”

Amazon supplies a UK postal address on its website — although it does not appear that this is specifically for personal data requests.

Asked why it had not replied to the posted request, Amazon said it had not received it and asked for another 48 hours to respond. The data did not arrive in that time either.

By contrast, Majestic Wine, the drinks retailer, and Charles Tyrwhitt, the clothing company, responded well within the statutory deadline. Apple, the tech group, and Aimia Coalition Loyalty Ltd, better known as Nectar, the loyalty card company, also replied quickly.

“It is clear great strides have been made towards preparing for GDPR,” said Rohan Massey, head of the privacy and cyber security practice at Ropes and Gray, the law firm that reviewed the companies’ SAR responses. “But businesses all have their own interpretation and are at different stages of the process.”

Much of the information provided by Majestic, Charles Tyrwhitt and Nectar was as expected: name, address, email and lists of transactions.

Data provided by Apple were more complex. One file marked “iCloud logs” presented a history of every moment of access to a bookmarked web page, contacts, calendar and Find My iPhone function, including the device used — a total of 3,314 data points.

But this went back only one month from the day when the company supplied the information. Apple stated: “If you use iCloud you will note that we have extremely short retention periods for how long we store such data and we have provided all data that was available to us at the time at which we processed your request on our systems.”

Another file provided a history of 123 purchases from iTunes, including apps, music and extra data, plus 1,296 updates to those apps. An accompanying document explained terms such as “DS Signon” or “login_machine_guid_nr”, and the smorgasbord of identification numbers, such as IP addresses.

Overall, while some businesses were clearly aware of their obligations, the responses were erratic and most fell short in some way of a comprehensive SAR response.

According to the Information Commissioner’s Office, anyone making a written request is entitled not just to a description of the personal data but also to be told the reasons it is being processed, and whether it will be passed on to other organisations or people.

Only Charles Tyrwhitt listed the entities with which it shared the data — 13 in all, from marketing companies to Experian, the credit rating agency. All 13 had been given the consumer’s name, address or email address, with several also receiving order details.

Majestic said it did not give information other than the actual data because it was not asked specifically to do so in the SAR but it acknowledged that “on a strict interpretation of the rules we should have provided it unprompted”. Nectar did not list its “participating companies” but does name them — 33 in all — on its website.

Apple says it does not sell personal information to external advertisers or other organisations, though it does have its own advertising platform.

As Mr Massey pointed out, GDPR will only make compliance tougher. In addition to the existing rules, individuals will also have the right to know for how long their information is stored, to have their data transmitted from one organisation to another (for example, to switch banks or mobile phone providers) and to have their personal information erased without having to apply to a court.

Just as importantly, businesses will be expected to explain in plain language how and why they process and store our data and to obtain clear user consent to do so — seen as one of the biggest challenges as it will require “a positive opt-in”, according to the information commissioner, rather than pre-ticked boxes or other default methods.

Words by Barney Thompson 
