April 02 2014

Selling Personal Data? Commercial firm ParrisWhittaker in The Bahamas warn of the risks

Back to news overview

Save as PDF

/images/uploads/blog/parriswhittaker_credit_cards.jpg
The legal implications for businesses and other organisations seeking to sell client/customer data for profit are not to be underestimated. The issue has recently come to the fore with news that the UK’s mega-successful price comparison website Moneysupermarket.com plans to sell home insurance data (and possibly data from other areas of its business) to raise around £10 million. The expert commercial lawyers at ParrisWhittaker are increasingly called on by business clients to advise on data protection and related issues.

The legal implications for businesses and other organisations seeking to sell client/customer data for profit are not to be underestimated.

The issue has recently come to the fore with news that the UK’s mega-successful price comparison website Moneysupermarket.com plans to sell home insurance data (and possibly data from other areas of its business) to raise around £10million. The expert commercial lawyers at Parris Whittaker are increasingly called on by business clients to advise on data protection and related issues.

What are the legal implications?

There are intellectual property, confidentiality and, notably, data protection implications. The Data Protection (Privacy of Personal Information) Act 2003 (‘the Act’) governs the data protection requirements of organisations. The Act applies where a data controller (an employer, for instance) processes personal data. “Processing” data means “obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data” – which covers virtually any use which can be made of that data.

Companies should have in mind the ‘10 data protection principles’ set out in the Act. These are:

Data or the information constituting the data should be collected by means which are both lawful and fair in the circumstances of the case.
Data should be adequate, relevant and not excessive.
Data should be accurate and, where necessary, kept up to date.
Data should not be kept longer than is necessary for the purposes for which it is processed except in the case of personal data kept for historical, statistical or research purposes.
Data should not be used or disclosed in any manner incompatible with that purpose or those purposes
Data should be processed in accordance with the rights of the data subject under the Act.
Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.
Data should not be transferred to a country or territory outside the Commonwealth of The Bahamas unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

What are the limits to what companies may legally sell?

Personal data relating to living individuals who can be identified from that information (whether on its own or when combined with other information in the possession of the data controller) may ONLY be sold in circumstances in which they have been told their data may be passed on to other organisations in this way. This may, for instance, be made clear via appropriate wording incorporated into their fair processing or privacy notices.

In addition, businesses selling such data must ensure the purchaser will not use it for any other purpose for which the seller would have used it.

Extra caution should be exercised in relation to ‘sensitive personal data’ (notably health information) and explicit consent from the individual concerned must first be obtained – and it must be voluntary. Appropriate technical measures (encryption, for instance) must be used to secure sensitive personal data.

Business must also be aware that the Act requires organisations to inform data subjects of a proposed sale.

Overseas sale or disclosure

Organisations should take care to comply with the Act in respect of any disclosure or transfer of personal data overseas as it falls within the eighth data protection principle (above). Furthermore, the Act states:

“In the context of the internet, if the information is placed on a website without specific consent from the individual, this may be in breach of the Act since the data can be accessed in countries with less stringent data protection laws.”

What should we do?

Businesses must review and implement their data protection policies, and privacy notices dealing with the prospect of personal data being sold to a third party and ensure they are sufficiently robust. They must also implement appropriate organizational measures to safeguard personal data to ensure that if a sale or transfer of such data later takes place, the requirements of the Act have been complied with.

How can we help?

If your business is planning to sell data, take expert legal advice from ParrisWhittaker’s commercial lawyers to minimize the risks of breaching data protection legislation.