The little 'black books' of luxury retail – are you on the data protection compliance 'A list'?

You are a luxury goods retailer with a customer list that is the envy of every bored housewife and tabloid editor. Your customers are discerning and demanding, so you dutifully keep a note of important details such as clothing sizes and colour preferences - and the birthday of Duchess Zodiac Tahini, the Bichon Frisé, and her requirement for only Icelandic water and venison carpaccio - in a leather-bound ‘little black book’, which is kept under lock and key in the shop safe at the end of every day.

Do you have to comply with the requirements of the Data Protection Act 1998 in relation to the contents of the black book and can the business send emails to those contacts without the 'opt out' of receiving more emails that usually accompanies marketing communications?


 


Luxury goods retail and 'black books'

It is a common practice for luxury goods retailers to hold records of specific information about particular customers—the so-called little 'black book'.

'Black books' can be valuable resources for retailers servicing their big spending clientele to be able to look up individual customers' purchasing histories and preferences and other useful information about them. Such customers also demand a high level of discretion and retailers are expected, both by those customers and the law, to put in place appropriate safeguards to ensure that such information, often deeply personal, remains private and is handled properly.

Traditionally, these black books have been in hardcopy, although these days more are moving online. When multiple customers' data is aggregated in electronic form, this unleashes the potential for retailers to profile customers, mine the aggregated data for potential sales leads and to push targeted marketing to their 'most-valued customers', as well as a range of other activities.

This post focuses on black books in hardcopy format and the associated data protection issues.

When will the Data Protection Act 1998 apply?

The Data Protection Act 1998 (DPA 1998) will only apply to that information which is ‘personal data’. Section 1(1) of DPA 1998 defines ‘data’ as:

 'information which:

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,…(emphasis added)

(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68…'

'relevant filing system' is defined as:

'any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.' (emphasis added)

Additionally, section 1(3) provides:

'In determining for the purposes of this Act whether any information is recorded with the intention—

(a) that it should be processed by means of equipment operating automatically in response to instructions given for that purpose, or

(b) that it should form part of a relevant filing system,

it is immaterial that it is intended to be so processed or to form part of such a system only after being transferred to a country or territory outside the European Economic Area.'

Accordingly, paper records can be covered by the DPA 1998 if they form part of a ‘relevant filing system’. Whether or not contact information in a ‘black book’ will be data in a relevant filing system will depend primarily on how the information is structured.

The key authority on what is meant by 'relevant filing system' is Durant v Financial Services Authority [2003] All ER (D) 124 (Dec). The Information Commissioner’s Office (ICO) also provides some guidance on what constitutes a ‘relevant filing system’ and in particular says that, where files contain only a single category of information (ie about an individual’s account or profile), they are likely to comprise a relevant filing system (see the ICO’s Determining what information is ‘data’ for the purposes of the DPA).

The ICO’s FAQs and answers about relevant filing systems gives the following specific example under Q3:

 'Example

You own an exclusive designer dress shop. You have a number of files relating to your customers all of which contain common categories of indexed or sub-divided information about that particular customer: contact details, measurements, favoured designers, favoured colours, and favoured styles. On some of those files you have additional information under general headings such as “miscellaneous”, “correspondence”, “other”. Your collection of files have been created to store customer profiles. The purpose of structuring the file using specific headings/tabs/index is to enable you to easily access particular information about each customer’s profile in order to provide better customer service. You may receive additional information that does not fit into any of the common profile categories (such as a letter of thanks from customer). The profile categories of information on these files will form part of a relevant filing system.' (emphasis added)

Additionally, it might be the case that the information is recorded manually at multiple store locations, possibly using a standard contact information form, either held in-store or in a central repository. So long as specific information within the set is readily accessible, the set of information will be data in a relevant filing system even if the information needs to be obtained from several different locations within the system.

The ICO’s FAQs and answers about relevant filing systems also includes a useful 'Quick guide to understanding the DPA definition of "relevant filing systems"'.

‘Personal data’ essentially means data relating to a living individual who can be identified from such data, either alone or with other information in the data controller’s possession (DPA 1998, s 1). Therefore, subject to satisfying the definition of ‘data’ above, personal data can include names, addresses and email addresses.

If the ‘black book’ does contain ‘personal data’ (as defined in the DPA 1998), then the requirements of the DPA 1998 will need to be complied with in relation to that personal data.

Other legal obligations/rights may apply in relation to non-personal data, eg confidentiality, copyright, database rights, etc.

Emailing marketing communications to contacts from the ‘black book’

If the contacts in the ‘black book’ are from time to time emailed marketing communications of some description (or it is proposed that they will be), presumably a distribution list has been (or will be) saved and stored electronically on the organisation’s system (to save time in having to re-enter the details manually each time).

Therefore, even if the contact information in the ‘black book’ as a paper record did not come within the DPA 1998 definition of personal data, at the point when it is entered into the electronic system, it would be ‘data’, as in 'information which…is being processed by means of equipment operating automatically in response to instructions given for that purpose…', that is ‘personal data’. ‘Processing’ is defined broadly to mean obtaining, recording, holding, or carrying out any operation on personal data, and includes organisation or alteration, retrieval or use, disclosure, anonymisation, blocking or destruction.

In terms of whether an ‘opt-out’ notice has to be provided, Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426 provides that:

'(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—

  • that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

  • the direct marketing is in respect of that person's similar products and services only; and

  • the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication (emphasis added).'

This means that all electronic marketing communications (by email or text) should contain an 'opt-out' of this kind.

This blog post was originally published as Q&A: If a business keeps a ‘black book’ of contacts, but keeps it private and does not keep an electronic version, does the Data Protection Act apply to its contents? Can the business send emails to those contacts without the opt out of receiving more emails that usually accompanies marketing shots? on the Lexis®PSL IP & IT service (subscribers only).

 

 

 

 
