Duncan
Your colleague can assert her right under section 42 of the DPA, and write to the Information Commissioner and ask him to assess whether this practice complies with Principle 7. It doesn't sound to me that they are employing appropriate organisational measures to keep this information secure.
The ICO can issue an Enforcement Notice to the hotel to change their practices if necessary.
Simon
---- Original message ----
>Date: Thu, 19 Oct 2006 11:33:07 +0100
>From: Jim Whitaker <[log in to unmask]>
>Subject: Re: [data-protection] Hotel keeping card details...
>To: [log in to unmask]
>
>This hotel is so obviously in breach of its agreement with whoever is
>its Card Merchant that she ought to be able to have them dealt with
>quite easily. (And whoever she spoke to in her bank needs a
>refresher. Her card issuer is the one she needs to get at.)
>
>See https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf if you
>want the full details. Leaving aside the need to store only some
>details and then in a protected (electronic and encrypted)
>environment, the retention of the security code is prohibited. They
>should not even be looking at that data since it is for transactions
>when the cardholder is not present.
>
>"3.2.2 Do not store the card-validation code or value (three-digit or
>four-digit number printed on the front or back of a payment card) used
>to verify card-not-present transactions."
>
>If she wants to take this further find out who the Hotel's Card
>Merchant is and write to them and her card-issuer pointing out what
>has happened. Add that she now disclaims all responsibility for
>fraudulent use of her card because of the Hotel's improper use of her
>data.
>
>(Risk: The card issuer will invalidate and renew her card. But then
>that is only reasonable.)
>
>So many things wrong with this that it is difficult to know where to
>go next. If I was really annoyed I would start with any trade
>associations the Hotel belongs to, the local Chamber of Commerce and
>Tourist Board. Trading Standards?
>
>But then I'm lazy and not too risk averse so I would probably just go
>elsewhere next time.
>
>Regards
>
>Jim
>
>=============================================================
>
>Quoting Paul Ticher <[log in to unmask]>:
>
>> As I understand it, all hotels are required by law to keep details of
>> guests, although not all do so in fact. (I asked once when I was asked
>> to fill in a long registration form in a hotel belonging to a large
>> chain and they immediately produced an impressive laminated card with
>> the justification on it. Obviously I wasn't the first person to have
>> asked. I don't remember the details of the legislation it referred to.)
>>
>> The question then is, not whether they keep the details, but whether
>> they comply with the Principles - for example whether they limit the
>> information to what is relevant and not excessive, whether they have
>> appropriate security, and whether they limit the purpose (not using the
>> information for marketing without prior notice and an option to opt
>> out, for example).
>>
>> Paul Ticher
>> 0116 273 8191
>> 22 Stoughton Drive North, Leicester LE5 5UB
>>
>> I hereby require any recipient of this message not to use my personal data
>> for direct marketing purposes.
>>
>>
>> ----- Original Message ----- From: "Nick Landau" <[log in to unmask]>
>> To: <[log in to unmask]>
>> Sent: Thursday, October 19, 2006 10:32 AM
>> Subject: Re: Hotel keeping card details...
>>
>>
>>> I think that there is a problem - and I would think in an
>>> organisation like a hotel if the customer is uncomfortable with
>>> something then there is a problem as far as the customer is
>>> concerned.
>>>
>>> It is not clear to me whether the colleague expressed her concern
>>> simply to the local branch or to the head office.
>>>
>>> Refer them to the website on Prevention of Identity Fraud
>>> http://www.stop-idfraud.co.uk/
>>>
>>> She could also write to the consumer programme on Radio 4 "You and
>>> Yours". This is the sort of individual case that they like
>>> featuring - and they also covered the general problem earlier in
>>> the week.
>>>
>>> Nick Landau
>>>
>>> ---- Original Message ----
>>> From: "Duncan Langford" <[log in to unmask]>
>>> To: <[log in to unmask]>
>>> Sent: Thursday, October 19, 2006 10:20 AM
>>> Subject: [data-protection] Hotel keeping card details...
>>>
>>>> A colleague has just asked me about a situation she'd recently
>>>> encountered when staying at a hotel (a member of a large chain).
>>>>
>>>> Her name and credit card details (including the 3-digit number on the
>>>> back) were written down on an index card, and then stored in an
>>>> easily-accessible box on the counter.
>>>>
>>>> The hotel felt there was no problem; her bank felt there was no
>>>> problem... but what does the list think?
>>>>
>>>> And what, if anything could she do about it?
>>>>
>>>> - duncan
>
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
>Any queries about sending or receiving message please send to the list owner
> [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
***************************************************************************
This e-mail is confidential and privileged. If you are not the intended
recipient please accept our apologies; please do not disclose, copy or
distribute information in this e-mail or take any action in reliance on its
contents: to do so is strictly prohibited and may be unlawful. Please
inform us that this message has gone astray before deleting it. Thank you
for your co-operation.
***************************************************************************