Re Selling your data post. 

I would tend to agree with Antoinette suspicions, the economics would not
add up and risks would be too great for buyer and seller.

In the UK we already have substantial numbers of mystery shopping survey
organisations who buy a right from consumers to use their address for market
surveys. They add other created data to it and as one example ring insurers
for quotes simply to test prices. The amount of 'created' data by this means
is not insignificant given the data set required for an insurance quote.

Insurers validate address and post code which in such cases check out as
valid as this is the genuine data and then despatch their quote. At the same
time the data is obviously retained and will be added to a set of data for
marketing.  The individual receiving the quotes pass to the the Mystery
Shopper orgnaisation as part of their agreement.

The data integrity risks for the insurer have been identified given data
provided for quotes can never be proven as data with integrity without a
active link to the person its supposed to relate to eg by a premium being
paid.

Such data is kept very firmly in check for only direct  marketing or market
research activities given data integrity can not be proven.

If consumer responses are received e.g a quote accepted and premium paid
then this assists identifying genuine data from unverified data. Such data
can be reasonably identified as having more integrity as it is then
connected to a paid product.

As far as DPA is concerned the mystery shopper data created in this manner
arguably does not relate to a set of data about a living individual in the
posession of the data controller as the data is created around an
authenticate postal address only and supplied by an unknown third party who
has provided a data controller with a false profile simply to test prices.

Legitimate mystery shopping organisations in this context require the
consent of the consumer and work under various codes of practice. However
from my own researches I was never able to identify exactly how effective
policing of this occurred.  Working without the individuals consent would
cause individuals and the target organisation problems and appear to give
rise to an argument that the Mystery Shopper organisations may be committing
an offence of 'attempting to obtain a pecuniary advantage by deception'
given they are paid for their services.

The loser in this process is the marketing operation who gets a corrupted
database which will give no returns from such consumers. They also however
would appear to be likely sponsors of such surveys in testing their
competitors prices.

This process is based on the consumer getting paid to permit his address to
be used for marketing.

I discovered the above proceses by investigating a consumer DPA complaint
where no consent had been given to the Mystery Shopper organisation. The
clue being in the fact the consumer had received 15 quotes from different
companies one of which was from our company.

The buying of data concept without any controls gives opportunities also for
organised crime.

No one would pay such large sums for data which could not be validated, and
if there was sufficient data in the set to enable validation of content, the
risks for consumers would be too high.

eg. Fred and Bill inc offered a detailed list of 100,000 consumers at £150 a
throw. Assuming they decide its worth paying 15m for they procced but decide
as a precaution to validate.
Excuse me HSBC can you just confirm this balance, Passwords ah hang on a
bit - now where is it - here we are data item 56 - It matches thank you. OK
Bill send them the cheque the data is accurate.

Meanwhile Organised Crime inc. walk away with their 15m and for good measure
clean out the consumers bank account / investments etc using the same data.
Fred and Bill inc become suspects.

Risks exists in an initiative called 'Aggregation' another marketing /
profiling initiative from across the water. This is based on consumers
giving their data to one company who then pools the data from other
companies the consumer tells them about with the benefit to the consumer of
having a one stop view of their accounts. This is somewhat oversimplified
and controls and regulation can be built but can consumers rely on such
controls. Consumers today have many regulators to protect their interests
e.g. OIC, Financial Services Authotity,  General Insurance Standards Council
to name but three but do these give value for money and how quickly can the
consumer get redress when they fail.

I'll manage my own data thanks


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
David Wyatt.