What data can companies legitimately keep about you?
chile_paul
Posts: 412 Forumite
Hi all,
I'm wondering if we have any Data Protection experts amongst the MSE community who can help me out?
I'm trying to understand what data companies can legitimately keep about a consumer after you have finished doing business with them i.e. what data could a car insurance company keep about a customer after they have cancelled their insurance policy to move elsewhere.
With all of the recent data breaches that have been publicised I've been considering the amount of data that companies I've previously been doing business with will still hold about me.
Is there any legitimate reason for these companies to continue to hold the following data items or would I be able to insist that they remove these from their records:
Name
Address
Date of Birth
User Names and Passwords
Answers to security questions
Any bank or payment details
Any IP address details
Companies may keep data for no longer than is necessary, the problem is that it's very vague. One could argue that such information would need to be kept for financial/tax purposes which can require a company to keep information for 6 years.
-
chile_paul wrote: »Hi all,
I'm trying to understand what data companies can legitimately keep about a consumer after you have finished doing business with them i.e. what data could a car insurance company keep about a customer after they have cancelled their insurance policy to move elsewhere.
Taking your example of a car insurance company, they will have good reason to keep your personal data for a number of years. For starters - assuming you were a customer they are legally obliged to keep records relating to the transaction for 7 years. There will also be good reasons for keeping details about you for a number of years in case of any retrospective legal action.
-
Taking your example of a car insurance company, they will have good reason to keep your personal data for a number of years. For starters - assuming you were a customer they are legally obliged to keep records relating to the transaction for 7 years. There will also be good reasons for keeping details about you for a number of years in case of any retrospective legal action.
Thank you, I understand they have good reason to keep some data about me. My question was more around what data would be legitimate.
For example, in order to deal with the scenario you outlined I would imagine that it would be reasonable to keep details of name, address, vehicle registration number, possibly contact telephone numbers.
However (in my opinion) it wouldn't be legitimate to keep details of user name, password, payment details, IP addresses etc etc and it is these details that I'm more concerned about with regards to identity theft.
-
They can keep whatever is stated in their ICO registration, as long as by doing so they are complying with the data protection rules/principles.
-
You could request data they no longer be deleted; if they can't prove satisfactory reason to keep it, they will have to delete it.
When will the "Edit" and "Quote" button get fixed on the mobile web interface?
-
chile_paul wrote: »However (in my opinion) it wouldn't be legitimate to keep details of user name, password, payment details, IP addresses etc etc and it is these details that I'm more concerned about with regards to identity theft.
If you have finished doing business with the company concerned, simply log on to their website and change your password to something so complex that it could never be randomly guessed by a third party.
Regarding things such as payment details and IP addresses, I would think that they do have a legitimate reason to keep records of these.
Say for example, you contacted them in 3 or 4 years stating that you didn't authorise a payment that they took. If they had no record of the IP address used to make this payment or what actual account the payment originated from, how could they attempt to dispute your claim?
-
It is indeed a very grey area regarding the DPA and to be frank although the ICO list certain rules about it they do tend to allow overlaps of time frames and so on in exceptional circumstances.
Most Companies do keep data for a long period of time and even if an account/business transaction is complete your details are used for future marketing or sold on in a lot of instances of which most people have no clue about due to not reading the full t&c's of the said Company.
Should you not wish to have any marketing at all then in this day and age you would need to bin the mobile phone, laptop and home address and go move under a rock somewhere as pretty much each and every transaction we carry out from a loyalty card, insurance, buying items via any card or online will then gather your details that are sold on countless times.
Working in finance it is surprising what information is often sold these days and even I am surprised at some of the places this has come from with very detailed information being listed and sold.
-
There are rules about credit cards under PCI compliance.
-
there are rules about credit cards under PCI compliance
The rules on handling card data are pretty strict. Smaller companies will often leave it to be processed by one of the (big) third party merchant account providers, so the business doesn't need to touch it. PCI compliance is hard work if you keep card data in house. Think Worldpay, Barclays, Sagepay, PayPal etc.
Passwords are generally stored in such a way that they can't be recovered. This is why it has to be changed when you forget it. There aren't rules on this and the job has been done poorly on many sites, but the internet is learning.
This discussion has been closed.
