When businesses hear references to the Data Protection Act 1998 (“the DPA”), they often put it in the context of their own obligations to protect their employees’ personal data. However, retailers should also be aware that they can often hold a lot of information about their customers and that they have obligations to ensure that they store and protect that information in a way that complies with the DPA.
Of particular concern for customers is their personal financial information, such as credit card and bank details. It is absolutely essential that this type of information is obtained and stored securely, especially with the increased number of cases of credit card fraud. In addition, any records containing financial information should be deleted when it is no longer necessary for you to keep them. It is important to have clear policies that your employees are aware of and to ensure that the information is dealt with and kept in a secure fashion.
As online transactions continue to increase, retailers will obtain more personal information about their customers. Often, retailers will have contact information about their customers, such as home address, e-mail address and phone numbers. Again, to avoid breaching the DPA, it is important to ensure that information of this nature is secure and is only available to your employees who actually need to use it.
This can be achieved by ensuring that all your security systems are up to date. It would be good practice to have checks in place every couple of months to ensure your security system is still as secure as possible and, if not, to upgrade it accordingly. Further, the information should be password protected and only accessible to those employees who actually need to utilise it.
Customers should also be fully aware of how their addresses will be used. A customer who makes an online order would quite rightly assume that their address will only be used for the purposes that they supplied it for (such as a home delivery). If you intend to use the details for other purposes (such as to send information about promotions and sales etc), then it is important to obtain the customer’s consent for that use.
One way of doing this would be to have a tick box for customers to give their consent to having their address passed on and to make it clear alongside the tick box as to who the information will be passed on to.
It is not enough to simply include in the small print that their address may be used for other purposes. Equally, it is not good practice to have a tick box that customers tick if they do NOT want their addresses to be used for other purposes.
If you wanted to “introduce” your customers to other companies or third parties by forwarding on their contact details, it is even more important that the customers give their express consent to have their details passed on. Furthermore, the details that are passed on should be restricted: even if a customer consents to their details being passed on, it would probably not be reasonable to pass on their mobile phone number, which was probably only supplied in case there was a problem, for example with a delivery.
Remember, customers have data protection rights as well as employees, and you want to avoid, if possible, any court claims or phone calls from the Information Commissioner!