Slashdot Mirror
Deleting Personal Data from Private Institutions?
An anonymous reader asks: "This site has many readers who are familiar with the liabilities of personal data being stored on servers owned by private institutions. Bank records, phone records, credit records, flight records, basically any type of digital transaction can be (and likely are) stored indefinitely for whatever reason. Are there processes by which one can request a removal of personal data, or by signing contracts with these companies, do they own the rights to the information? If you have attempted such an erasure, have you encountered resistance?"
with the passage of Sarbanes-Oxley. Might be harder than ever to get them to do it, since they could face prison time for violating the act.
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
Just file for copyright of all personal information pertaining to yourself, and when a problem arises, simply file a DMCA violation complaint against them.
:)
HAHA that would totally fsck up the SarBox rules
Support NYCountryLawyer RIAA vs People
Back when amazon.com was a new company struggling to get customers, they said they would never share your personal information with anyone -- and then a few years later stabbed everyone in the back by reversing this policy. At that time, I did not want to be their customer anymore and wanted my customer data expunged. I was told that there was no way to stop being a customer and have historical information purged.
I'd guess that even if you did get someone at a company to state that your personal information had been expunged, there's a very high probability that nothing was actually done and that all of your information was still there. This is purely based on my experience with various levels of customer service and managers--they'll tell you what you want to hear just to make you go away.
This guy's the limit!
Well, here in Belgium it's simple. There's a law that gives you the right to request all info they have on you, and allows you to order them to delete it. I'm not 100% sure, but I think at least a few other European counties have a law like that.
Computers are useless. They can only give you answers. -- Pablo Picasso
Some registration systems offer the patient the option of masking personal data, but it's still sent off to various vendors and ancillary systems during the course of treatment. Along the way it's cached, stored in databases and printed ... and it's not uncommon for the data to find its way into files that fail to be deleted. I've seen dump/bug check files and other temp files containing personal information. Lord knows what forensic tools could uncover.
So my answer would be no, given current architectures and system implementation methods.
I know, this is worse with all of the personal data that firms have, and many times, they were collected some other way other than the customer giving it to them.
For example, I once switched over to Sprint telephone service. When I canceled, they wanted my SSN. I said, "That's funny, I never gave it to you." Long story short, they had it allright! They "needed" it so that they could cancel my service.
My only guess is that the credit bureaus are pimping our data - ALL of our data! don't get me started on ChoicePoint!!!
Not for long. Because of the "War on Terror", the US government has been putting pressure on the EU to drop many of those privacy laws so that you folks can be checked on.
Even if there wasn't a "War on Terror", here in the United States of Corporate America firms would put a kibosh on any laws that put too many restraints on their ability to check folks' credit and to build marketing lists.
I tried, back when eBay bought PayPal and said they'd turn over anything to anyone, to remove myself from both userbases. It failed miserably. They said they would not remove me from their records. In fact, I still have an accessible profile at eBay (and presumably at PayPal).
-bZj
.sig
The only way to be sure is not to give out information in the first place and simply pay for things with cash (Wikipedia entry for "Cash" for those of you who are unfamiliar with it).
Really, it's a trade off for using services in our modern culture. The thing is that nobody is forcing you to give away any of your information.
It is possible to keep your data private, if you so choose. My home address, in fact, is in no databases except for my power company, and I receive -zero- mail there, which is, as far as I can tell, the only way to be sure that that particular data isn't floating around out there.
Asking for deletion will probably only increase the amount of your information stored by the company and increase the chance of ID theft. Not only will the request not result in the removal of existing information, but it will add more information and instances of your information. If you contact the company, you will be both in the old customer DB and in recent copies of the customer service contact DB. Second, if the company outsources customer contact, then that 3rd party service provide will probably end up with a cached (= potentially permanent) copy of your records. And third, every contact you make increases the chance that you will touch a corrupt customer service person that is siphoning data for criminal purposes.
Its like a hornets nest. You may not like them, but disturbing them will only make things worse.
Two wrongs don't make a right, but three lefts do.
The question is a good one can you place a copyright over your name, address SSI number and so forth and then force the removal of such form private databases?
Suppose you're running a one-person business and one of your customers is obnoxious to you. Should you be required to forget all about it and treat them as any new customer next time you see them? Requiring businesses to delete records about their customers is essentially enforced amnesia. Whenever there's a transaction, it seems pretty reasonable for both sides to remember what happened.
And then there's the question not only of what you should remember but who should you tell. If you have a bad experience as a customer, most people would feel perfectly justified in telling their friends, posting to their blog, and engaging in other bad publicity towards the company. When a business gets ripped off, who are they allowed to tell? Should assholes and deadbeats get a free pass next time?
The other side to this is that we've grown accustomed to a certain amount of anonymity when dealing with larger businesses. This is a sort of automatic forgiveness. Some kind of forgiveness is essential, because memories are fallible, records can be wrong, and people change. Not to mention that there's an enormous power imbalance when you're dealing with a big business. But the question of how long you should remember, what you should forgive and forget, and how that should affect peoples' reputations doesn't have simple answers.
In the UK, all you need to do is write to the company in question and tell them you want the data deleted. Thanks to the Data Protection Act, they must then comply.
You can also ask for a copy of all data held about you, although in that case the company is entitled to a "reasonable" fee (usually £10) to cover admin costs.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Junkbusters has some advice. http://www.junkbusters.com/junkdata.html
They also have a lot of good information for dealing with the DMA and others.
My only guess is that the credit bureaus are pimping our data - ALL of our data! don't get me started on ChoicePoint!!!
The only thing that surprises me about this is that anyone is surprised about this.
There is a very simple principle of human behavior that acts as a foundation for most schools of psychology and also economics: People respond to their incentives.
In general , when you give people incentive to do something, they do it!
I don't understand why people would expect anything else. There is money to be made off of personal data collection and reselling. Why in the world WOULDN'T people start making money in this way? To expect otherwise simply makes NO sense.
If you are displeased by this use of information about you, your only recourse is to get new laws passed and find ways of ensuring their enforcement. This won't stop the data trading of course, but it will reduce it (hopefully to more acceptable levels).
And good luck with that.
The real question here, which I don't think has been resolved in legislation or court judgements, is that of ownership. Whose data is it, anyway? Is it yours, because it describes and identifies you (not to mention the potential harm to you if it is released)? Or, since the company has taken pains to acquire, organize, and analyze it, and presumably has made some profit from it, does it belong to them? If the former, then one could argue that no company can legally hang on to something that ultimately belongs to you. If the latter, then you likewise can't really expect a company to give it up just on your say-so.
The answer, of course, is that it doesn't exclusively belong to either party. For instance, Amazon.com might have your credit card and mailing information, which one could argue belongs to you (the customer), but also has your buying history and has generated recommendations and analyzed then for trends to better their business and processes, all of which could be considered Amazon's.
This won't be settled anytime soon. At the risk of bringing the libertarians down on me, I would suggest that some intelligentlycrafted legislation (note the stress - it's easy to come up with crap legislation, or let the lobbyists write it for you) should be drafted to make a clear demarkation about what rights a customer has to what data, and what companies are allowed to do with it, particularly after you sever your relationship together.
Even if you could get the customer support monkey to delete all your data in their live system, any reputable place I'm sure will have backup sets with your data. Good luck getting your data removed from shelves of tape libraries.
today is spelling optional day.
...infact, most businesses with practices like this fail miserably. Infact, I encountered just such a situation today!
My company recently bought a handful of off-lease refurb machines from a major brand distributor (the OEM). They were marked cleaned, and sanitized, and sent to us without an operating system. Or, atleast, that's what we'd ordered.
Imagine my level of surprise when I found LIVE DATA on the only machine I've unpacked so far. These are off-lease, and came from a company that's folded, but the disks weren't scrubbed at all.
Informatus Technologicus
...you don't own your home or your landlord has never run your credit--for that matter you have no credit (good luck owning a home then)--you're not employed, don't pay taxes, don't vote, have never been cited for any infraction of law (much less anything worse or actively sued or been sued for anything), don't drive, have no insurance of any kind, do not have a passport, have never sought medical care. Even after that, the POSTAL SERVICE certainly has your address and THEY certainly give that out as a matter of course.
Yes, SOME databases are best avoided (say, spammers, unnecessary creditors and sweepstakes operations), but to attempt to be in NO databases...well, that becomes an exercise in pointless histrionics.
the best way to do it is not to contact them or do anything.inactivity is the #1 reason for you to be removed from a database. just toss their junk mail into the bin. if they include a paid return envolope, wrap a turd in a plastic bag and mail it back to them for fun, but certainly don't call them or anything. if they call you, hang up in their ear, or put them on hold and walk away and waste some of THEIR time. anything to make you a waste of their time will make you unattractive.
If you mod me down, I will become more powerful than you can imagine....
In France we have a law since 1978 that regulates storage and access to data linked to a person name.
Requiring a company to delete all your data is defined in this law.
The Commission Informatique et Libertés is a administrative authority that was created by this law and whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data.
This is impossible to do. However, I was thinking if the reverse is possible. To keep and diseminate critical information about companies and its C-level employees. So, DoubleClick tracks us. Maybe we should track DoubleClick's CEO. How about seeing up a web site like a total fan would? Make him more popular than Britney Spears. Users can submit pictures of him driving down the highway, going shopping, visiting clients, taking a bathroom break at the rest stop. And lets not stop at examining his purchasing habits. Those flowers he picked up might not go to his wife. Make sure the audit trail doesn't stop, follow up. Keep records of all cars in his driveway. All along with time tagged information tied into Google Earth. Hey, if "National Inquire" appeals to "Inquiring minds that need to know," maybe we might want to know as well.
Canadian law controls this though PIPEDA
Please refer to Personal
Information Protection and Electronic Documents Act (PIPEDA) for further information.
-Ghost
Credit Card companies absolutely cannot open credit accounts for you without you first applying. I'm not going to spend time looking up the law for you, but you should be able to google it fairly quickly.
The other possibility is your identity has been stolen. Might want to look into that, as it is much more likely the cause of your experience, rather than banks openly flouting federal law.
Good luck!
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock