I return to an area of interest that I have touched upon before. This might be something of a 'Friday question' were it not for a client having to frame a reply to the ICO that touches upon the five questions I pose below.
Scenario 1
A retailer holds data about the transactions made by a customer - call them Customer A - in one of the retailer's shops. These are keyed by payment card number. The customer has also made purchases online from the retailer using the same payment card, so the retailer has their name, address and other details. Consequently, the in-store transactions data are the personal data of the customer.
At some point in their shopping history, the customer began to use a loyalty card issued by the retailer. The transaction history contains the number of that card where it was used.
However, the customer did not register the card.
Question 1) Is the loyalty card number personal data?
Scenario 2
Someone, possibly Customer A, but maybe a member of their family - call this new person Customer B - makes purchases in the shop using a different payment card but also using the unregistered loyalty card. The retailer has no means of identifying the user of the payment card (cardholder names are not collected from the card when it is used in a PED - 'PIN Entry Reader').
Question 2) If the answer to Q1 is 'Yes', are the transactions made using the other payment card the personal data of Customer A?
Scenario 3
Subsequently, Customer B registers the loyalty card with their details.
Question 3) Do the transaction data for Customer A become the personal data of Customer B, or the personal data of both?
Scenario 4
Stay with the above three scenarios but with the modification that the retailer did not know who Customer A was (i.e. they had never supplied their details). The original transaction data are not, by definition, personal data in scenarios 1 or 2. The retailer has two payment card numbers against a tally of transactions, and one loyalty card number against some to all of them.
Question 4) In scenario 3, do the transaction data including the payment card number of the (anonymous) Customer A become the personal data of Customer B?
Question 5) How does the retailer treat the data when he learns (e.g. through an online purchase) the identity of Customer A?
Commentary (with rhetorical questions)
The world of data protection in retailing seems significantly more complex than it appears to be for most public sector data controllers. The types of issues above are not uncommon.
Another example is where a customer pays with their card for a gift to be delivered to someone else. The retailer has the card number (only) of the purchaser but the name and address details of the recipient. Whose personal data are the card number and transaction details? If details are known of both parties, what data can be supplied to one who makes an s.7 SAR? Whose data are the details of an order placed in joint names, but subsequently amended by one of the parties?
M
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html