Track your every move: using the Data Protection Act on supermarkets, ISPs, banks and telcos

In 2012, the government is considering telling companies to provide personal data in a machine readable format. But as long as you don’t mind getting wodges of paper you have been able to get this data for many years, under the Data Protection Act (something I also used to find the base stations used by my mobile phone).

This is what I found out for the Guardian about my own shopping and web-surfing habits in 2002: the costs and time limits still apply, and I have updated links and contact details. Freeserve no longer exists, but in general the following would remain my advice for anyone wishing to access their data, unless there’s very obvious information about subject access request processes on the organisation’s web site.

First published in the Guardian’s Online supplement, Thursday 16 May 2002, titled ‘Track your every move’.

Sixteen years after the introduction of data protection legislation in the UK, organisations should know what to do when individuals want to see the personal data held on them, as they were warned recently by the information commissioner, Elizabeth France. So Online tested four companies to see how they responded to such requests – and to find out exactly what data they hold on us. All complied with the requests, which were made as a customer.

The supermarket

Sainsbury’s took three weeks to compile a quarter-inch wedge of documents, using the Reward card number. Every purchase from the past three years was listed, including the store name, the date and time, and the price paid. “This period of time allows us to monitor trends in purchasing, which helps us predict the level of stockholding required in future, and ensures we send customers information they will be interested in,” said Sainsbury’s. Sainsbury’s recorded the method of payment at each visit, whether a card was swiped or keyed into the till, the staff number, and even which check-out was used. Sainsbury’s said this was kept for security and in case of customer queries.

The supermarket uses its data to categorise customers. Apart from the data volunteered when the loyalty card is issued, Sainsbury’s draws conclusions from your address, using a categorisation system called Acorn. The area of south London I registered, Streatham, was described as category C, “rising”; group 7, “prosperous metropolitan professional”; and type 20, “gentrified multi-ethnic areas”. Sainsbury’s said this is used to plan mailshots, store formats and new ranges of goods.

An increasing number of companies use customer relationship management (CRM) software to trawl their information. Sainsbury’s is no exception. The print-outs it sent show it classes customers by frequency of visits, average spend per visit and other subjects, such as whether they buy organic food. I fell into a segment for customers who “buy products which suggest they enjoy trying new and different ingredients in their cooking”. These segments are used to decide what kind of mailshots to send you, potentially making junk mail less junky. Customers can also opt out.

“If you never buy any pet food, you’re not going to be interested in getting coupons for it,” says Mike Phillips, an analyst at research firm Datamonitor. He says that Tesco’s Clubcard system is more sophisticated than Sainsbury’s. “Tesco sends all its members a quarterly balance statement with a set of promotional coupons driven by the customer’s past behaviour. It sends out five versions of its magazine, depending on age group,” he says, adding that Clubcard has been one of the factors allowing Tesco to draw clear of Sainsbury’s as the UK’s largest supermarket.

Sinister uses of loyalty card data have been mooted. In 1999, the ministry of agriculture suggested cross-checking purchases of genetically modified food with health records, effectively making the cards part of a huge medical experiment. The supermarkets declined to take part.

You can avoid such data retention by not getting a loyalty card. Some supermarkets, such as Waitrose, don’t bother, and Safeway abandoned its scheme two years ago. Such schemes are expensive: Phillips says Sainsbury’s is thought to spend about £150m on it annually. “It’s expensive if you don’t extract the maximum value out of the data you collect,” he says. That’s done by persuading customers to spend more.

The internet service provider

Freeserve passed our request to Energis Squared in Leeds, which operates the ISP’s network. Energis produced the data in two weeks, after it was agreed to limit the search to the earliest records available and the latest month of data. The information falls into two sets. The first set, Radius logs, shows to the second when the customer logged in and out, how many seconds the connection lasted, the internet protocol address allocated during the session, and which phone number called which.

The second set of data was labelled Email History. It contained the header information from every email received by the account in the period: the return address provided by the sender, the ISP from which the email originated, the date and time of sending, an ID code, and the title of the email. All are retained. The contents of emails and data on websites visited were not retained. The surprise came in the date of the earliest retained data. In both sets, this was from August 20 of last year, more than seven months before this query was completed at the start of April. In November, Freeserve told Online it retained such data for just three months. Freeserve declined to comment.

However, ISPs are in a legal grey area on data retention. The anti-terrorism law introduced in November seems to require them to keep communications data, while data protection law says they should delete it swiftly. ISPs are expecting the final version of a code of conduct soon.

Freeserve seems to be hedging its bets. Energis Squared also held contact data, the number of times the account had been accessed since its creation, how many seconds had been spent online, and administrative data on whether the account is suspended or limited in any way.

The bank

Co-operative Bank offered to provide much of its data free, but charged £10 for the complete set. It took the full 40 days to produce the data. The bank held every address provided by the customer, including the “previous address” required when opening the account. There were quarterly and monthly statistics for the average amounts coming in and going out of the account, along with lists of standing orders. Also, potentially of use in a dispute with a bank, was a Notes section. This recorded customer service transactions, such as a call requesting a new cash-card after one had been damaged. The data did not include statements of accounts, although these are retained.

“The bank takes the view that the data protection regulations are not there to replace existing bank services,” said a spokesperson. “You’ve had all your statements anyway.” CRM software makes it possible for banks to categorise customers according to profitability, then give the “good” customers better service – automatically switching them to a human operator rather than an automated system, for example. Co-operative said it didn’t segment customers for different levels of service.

The phone company

BT’s reply arrived in nine days. It consisted of just three pages of data: basic contact and transaction details, and a log of contacts made, such as those made to sort out faults on the line. A BT spokesperson confirmed that the firm holds seven years’ worth of call records – essentially the data on your phone bill. “There’s no particularly sinister reason it wasn’t included. It’s assumed that [the customer] received it on their bill.”

Do it yourself

  • You have a right under the Data Protection Act 1998 to see data held on you within the European Union. The law requires organisations to comply with your subject access request – the legal term – within 40 days. They can charge up to £10. Of the four in this article, all charged £10 except Sainsbury’s, which did not charge.
  • Phone the organisation’s customer service number, and ask to whom a “Data Protection Act subject access request” should be addressed. It’s useful to get a phone number as well. A good alternative is to call head office and ask for the legal department.
  • Some organisations may request that you limit the terms of your query, but you don’t have to agree. You also don’t have to give a reason for your request.
  • When writing, say you are making a subject access request under the Data Protection Act 1998. See this link for advice.
  • You should get an acknowledgement within a few days. If not, phone the person you wrote to.
  • If the organisation refuses to fulfil your request within 40 days, it is breaking the law. You can contact the information commissioner’s office on 0303 123 1113, or through this link. It can take up your complaint with the organisation.