This question is primarily aimed at a Finance Sector scenario. It came up in discussion with some like-minded strange people (like myself) and we couldn't agree on an outcome. I'd be interested to see what others' takes on it are.
Scenario,
Organisation "A" follows the 5th Principle of DP stringently and deletes all customer data after the standard financial retention periods have elapsed. The organisation doesn't offer PPI as the PPI selling is outsourced to organisation "B". Under current PPI claims requirements organisations that sell PPI have to keep records of the sale and the account for a set period which goes above and beyond the normal 7 years financial retention periods. Currently organisation B complies with this but doesn't state or keep records on what the PPI the product was covering (i.e. Fridge, TV, Cat etc.).
Question,
Would organisation A have to mirror the retention requirements placed on Organisation B so that should a PPI query come in from the regulator the query can be answered in full, even though the only PPI query is around mis-selling rather than what the product was the payments cover? If they would, what legal requirement would they rely on in order to "supersede" compliance with the 5th Principle of the Data Protection Act?
My initial thoughts were "no". PPI mis-selling claims are aimed solely at the mis-selling of PPI. If the selling of it is outsourced then it's down to the outsourcing company to provide the evidence to enquiries as they were the ones that sold it in the first place?
S.
Scott Sammons
Information Governance Practitioner
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html