Slashdot Mirror

← Back to Stories (view on slashdot.org)

Deleting Personal Data from Private Institutions?

Posted by Cliff on from the static-on-your-digital-paper-trail dept.

An anonymous reader asks: "This site has many readers who are familiar with the liabilities of personal data being stored on servers owned by private institutions. Bank records, phone records, credit records, flight records, basically any type of digital transaction can be (and likely are) stored indefinitely for whatever reason. Are there processes by which one can request a removal of personal data, or by signing contracts with these companies, do they own the rights to the information? If you have attempted such an erasure, have you encountered resistance?"

26 of 103 comments (clear)

  1. The rules have changed by unassimilatible · · Score: 4, Interesting

    with the passage of Sarbanes-Oxley. Might be harder than ever to get them to do it, since they could face prison time for violating the act.

    --
    Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
  2. Sounds easy enough to me... by zappepcs · · Score: 4, Funny

    Just file for copyright of all personal information pertaining to yourself, and when a problem arises, simply file a DMCA violation complaint against them.

    HAHA that would totally fsck up the SarBox rules :)

    --
    Support NYCountryLawyer RIAA vs People
    1. Re:Sounds easy enough to me... by SEWilco · · Score: 2, Funny

      Sorry, BRILLIANT is not allowed on Slashdot. Was it Insightful or Informative?

    2. Re:Sounds easy enough to me... by itchyfish · · Score: 2, Interesting

      Actually, the lawsuit involving Major League Baseball and the fantasy leagues could make this a distinct possibility. MLB is saying that stats (numbers) generated from a ballgame are copyrighted, and owned by MLB, and therefore the fantasy leagues can't use the numbers without permission, i.e. pay. I don't think the suit has been resolved yet, but if MLB wins, it's not a big stretch to apply that to data generated by an individual.

  3. Amazon.com won't... by scottsk · · Score: 4, Informative

    Back when amazon.com was a new company struggling to get customers, they said they would never share your personal information with anyone -- and then a few years later stabbed everyone in the back by reversing this policy. At that time, I did not want to be their customer anymore and wanted my customer data expunged. I was told that there was no way to stop being a customer and have historical information purged.

    1. Re:Amazon.com won't... by Skewray · · Score: 4, Interesting

      I just get into the online form for the company in question and enter crazy trash into all the blanks. Afterwards, all they have is junk that has nothing to do with me. The likelihood that anyone searches the backups is nil.

    2. Re:Amazon.com won't... by Reality+Master+101 · · Score: 4, Informative

      I just get into the online form for the company in question and enter crazy trash into all the blanks. Afterwards, all they have is junk that has nothing to do with me. The likelihood that anyone searches the backups is nil.

      That's assuming they don't keep easy-accessible audit trails and change logs for all of the fields. All of my e-commerce systems do. It's actually kind of funny when people change their information to garbage to keep us from tracking them when they bounce payments or something like that.

      --
      Sometimes it's best to just let stupid people be stupid.
    3. Re:Amazon.com won't... by Guido+von+Guido · · Score: 2, Insightful
      It's actually kind of funny when people change their information to garbage to keep us from tracking them when they bounce payments or something like that.

      Do you bother to look through the audit trail when they haven't bounced a payment or done anything dodgy like that? The original poster's stated intent wasn't to cheat anybody, after all.

    4. Re:Amazon.com won't... by Reality+Master+101 · · Score: 4, Interesting

      Do you bother to look through the audit trail when they haven't bounced a payment or done anything dodgy like that? The original poster's stated intent wasn't to cheat anybody, after all.

      There's an automated system that tracks new customers against all the old data in order to identify people who've cheated the company in the past. So it depends on what you define as "bother to look through". If I was going to create a marketing list for whatever reason, I might use the old data, but who knows what other people do with stuff like this. My point is only that any semi-competent company is going to have a policy of "never throw away data", especially if it's customer changeable.

      --
      Sometimes it's best to just let stupid people be stupid.
    5. Re:Amazon.com won't... by Nutria · · Score: 2, Insightful

      My point is only that any semi-competent company is going to have a policy of "never throw away data", especially if it's customer changeable.

      This is only valid when data storage is inexpensive enough for you to to allocate magnetic media to store said data.

      While the NSA has (probably) been doing this for years, and Wal-Mart and MasterCard/Visa for about 15 years, it's only been broadly feasible since the introduction of inexpensive 100GB hard drives. Even now, we only keep tape archives for 7 years.

      Note that this whole thread, plus 500GB, and, this year, 1TB drives, means the absolute end of privacy. I estimate that a 42U rack can fit 240 drives. By the end of this year, that means that a company will fit 240TB in 4.75 cu ft.

      --
      "I don't know, therefore Aliens" Wafflebox1
    6. Re:Amazon.com won't... by Reality+Master+101 · · Score: 2, Interesting

      This is only valid when data storage is inexpensive enough for you to to allocate magnetic media to store said data.

      Eh, it's not as hard (or as storage-consuming) as you might think. I developed a medical system in the early 90s that kept a history of all changes. The fact is that usually one gets new data much faster than old data changes. It depends on the application, of course, but that's been my experience. Of course, I only store what actually changes, I don't clone entire records.

      --
      Sometimes it's best to just let stupid people be stupid.
  4. just a hunch by gEvil+(beta) · · Score: 4, Insightful

    I'd guess that even if you did get someone at a company to state that your personal information had been expunged, there's a very high probability that nothing was actually done and that all of your information was still there. This is purely based on my experience with various levels of customer service and managers--they'll tell you what you want to hear just to make you go away.

    --
    This guy's the limit!
    1. Re:just a hunch by TubeSteak · · Score: 4, Insightful
      they'll tell you what you want to hear just to make you go away.
      Which is why you _always_ insist on written confirmation.

      Never take their word for it.
      --
      [Fuck Beta]
      o0t!
    2. Re:just a hunch by bcattwoo · · Score: 2, Insightful

      they'll tell you what you want to hear just to make you go away.
      Which is why you _always_ insist on written confirmation.

      Never take their word for it.
      How is their written word any more reliable then their spoken one? Is the paper dipped in truth serum?

      Sure companies are more reluctant to lie in writing, but short of a data thief documenting the act of stealing your data from them, there is little chance of getting caught.
    3. Re:just a hunch by Matt+Perry · · Score: 2, Informative
      How is their written word any more reliable then their spoken one?
      When it's in writing it becomes legally binding and can be used in court as evidence should you ever need to go down that path. If it's not in writing then it's just your word against theirs.

      This is a fundamental thing to understand about business, and I would say a fundamental life lesson. If it's not in writing, it means nothing. Never take someone's word on something, particularly if it's regarding something that's important to you. When dealing with companies always write down the time and date when you place calls, note who you talked to, and what was discussed. Always ask for a written follow up if appropriate. Keep accurate records of things that are important to you.

      Several months ago I received a letter from my bank saying that they had been informed by the county that I hadn't paid my property taxes. The letter indicated that I need to provide proof of payment of my taxes or else they were going to raise the interest rate on my home loan. I called about this and they apologized, said it was a computer error, and said that my account shows that the taxes are up to date. I asked for them to send me a letter with those details. I got the letter about a week and a half later. Now, had I not asked for a letter, and had the problem not have really been resolved as the person told me, it would have been my word against the person on the phone (who might have been a temp worker). If this ever pops up again for some reason, I have the original letter and their apology letter in my mortgage files.

      Believe me, I have learned this the hard way. *ALWAYS* get things in writing.
      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  5. In Europe by MeltUp · · Score: 5, Informative

    Well, here in Belgium it's simple. There's a law that gives you the right to request all info they have on you, and allows you to order them to delete it. I'm not 100% sure, but I think at least a few other European counties have a law like that.

    --
    Computers are useless. They can only give you answers. -- Pablo Picasso
    1. Re:In Europe by Wally4u · · Score: 4, Informative

      The dutch privacy act give room for this. http://home.planet.nl/~privacy1/wbp_en_rev.htm You can demand you personal data to be destroyed except when it has a specific purpose (ie bank records, police records etc). If they fail to do so, or sell the data without written consent they can be fined.

  6. I know in health IT the data is everywhere by Average_Joe_Sixpack · · Score: 4, Interesting

    Some registration systems offer the patient the option of masking personal data, but it's still sent off to various vendors and ancillary systems during the course of treatment. Along the way it's cached, stored in databases and printed ... and it's not uncommon for the data to find its way into files that fail to be deleted. I've seen dump/bug check files and other temp files containing personal information. Lord knows what forensic tools could uncover.

    So my answer would be no, given current architectures and system implementation methods.

  7. A Guy sued over being on a mailing list... by Anonymous Coward · · Score: 5, Insightful
    a few years ago. He was tired of getting all of that junk mail ("Direct Marketing" according to Advo) and started suing those junk mail companies. He lost on every appeal. They won every time!

    I know, this is worse with all of the personal data that firms have, and many times, they were collected some other way other than the customer giving it to them.

    For example, I once switched over to Sprint telephone service. When I canceled, they wanted my SSN. I said, "That's funny, I never gave it to you." Long story short, they had it allright! They "needed" it so that they could cancel my service.

    My only guess is that the credit bureaus are pimping our data - ALL of our data! don't get me started on ChoicePoint!!!

    1. Re:A Guy sued over being on a mailing list... by nickcoons · · Score: 3, Insightful

      My only guess is that the credit bureaus are pimping our data - ALL of our data!

      I remember about five years back when I was running credit reports for applicants. Even though the policy of the company was to require all of the blanks filled in on their application, the software we then entered that data into would pull the credit report of the individual even without us filling in all the gaps. The system would let us put in enough information to sufficiently identify someone (like a name and address), and it would fill in the gaps (like a missing social security number).

      So in short response to your comment, yes, the credit bureaus do seem to be providing more than what is necessary to view a credit report.

  8. The only way to be sure... by NineNine · · Score: 2, Interesting

    The only way to be sure is not to give out information in the first place and simply pay for things with cash (Wikipedia entry for "Cash" for those of you who are unfamiliar with it).

    Really, it's a trade off for using services in our modern culture. The thing is that nobody is forcing you to give away any of your information.

    It is possible to keep your data private, if you so choose. My home address, in fact, is in no databases except for my power company, and I receive -zero- mail there, which is, as far as I can tell, the only way to be sure that that particular data isn't floating around out there.

    1. Re:The only way to be sure... by arth1 · · Score: 3, Insightful
      The only way to be sure is not to give out information in the first place and simply pay for things with cash (Wikipedia entry for "Cash" for those of you who are unfamiliar with it).

      Really, it's a trade off for using services in our modern culture. The thing is that nobody is forcing you to give away any of your information.


      This is technically true, but useless in practice.
      Nobody forces you to cash a checks, but try caching one without being a registered customer or handing over your full personalia for registration. Nobody forces you to drive a car, but try getting car insurance without giving up your SSN and other private data.
      Or try getting a job, but refuse to give out your social security number. Chances are you won't get a job, and will end up on the street. You won't get welfare, because that requires registration of your personalia.
      In reality, not handing over your information is impossible, unless you live on a reservation or Amish society.

      --
      *Art
  9. It's not that simple by skybrian · · Score: 3, Insightful

    Suppose you're running a one-person business and one of your customers is obnoxious to you. Should you be required to forget all about it and treat them as any new customer next time you see them? Requiring businesses to delete records about their customers is essentially enforced amnesia. Whenever there's a transaction, it seems pretty reasonable for both sides to remember what happened.

    And then there's the question not only of what you should remember but who should you tell. If you have a bad experience as a customer, most people would feel perfectly justified in telling their friends, posting to their blog, and engaging in other bad publicity towards the company. When a business gets ripped off, who are they allowed to tell? Should assholes and deadbeats get a free pass next time?

    The other side to this is that we've grown accustomed to a certain amount of anonymity when dealing with larger businesses. This is a sort of automatic forgiveness. Some kind of forgiveness is essential, because memories are fallible, records can be wrong, and people change. Not to mention that there's an enormous power imbalance when you're dealing with a big business. But the question of how long you should remember, what you should forgive and forget, and how that should affect peoples' reputations doesn't have simple answers.

  10. Data Protection Act by AmiMoJo · · Score: 3, Informative

    In the UK, all you need to do is write to the company in question and tell them you want the data deleted. Thanks to the Data Protection Act, they must then comply.

    You can also ask for a copy of all data held about you, although in that case the company is entitled to a "reasonable" fee (usually £10) to cover admin costs.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Data Protection Act by ajs318 · · Score: 3, Informative

      But the UK Data Protection Act assigns a "rightful purpose" to the data they are storing about you, and anything other than that rightful purpose (including internal systems testing, technically!) is a misuse -- which is a breach of the Act. If you've asked them to remove your data then it now has no rightful purpose, so anything they do with it from then on is in breach of the Act.

      Note that at least until not long ago, data stored by non-computerised means was exempt from any legal protection whatsoever. There was at lease one organisation which used this loophole to their advantage, and held much information on "Undesirables" (such as dope smokers, trade unionists, people who donated to Amnesty International, people seen wearing a Levellers t-shirt ..... that kind of Undesirable) on paper in filing cabinets. And there was nothing anyone could do about it. I'm not sure if the 1998 amendments sought to block this.

      --
      Je fume. Tu fumes. Nous fûmes!
  11. Provided... by C10H14N2 · · Score: 2, Insightful

    ...you don't own your home or your landlord has never run your credit--for that matter you have no credit (good luck owning a home then)--you're not employed, don't pay taxes, don't vote, have never been cited for any infraction of law (much less anything worse or actively sued or been sued for anything), don't drive, have no insurance of any kind, do not have a passport, have never sought medical care. Even after that, the POSTAL SERVICE certainly has your address and THEY certainly give that out as a matter of course.

    Yes, SOME databases are best avoided (say, spammers, unnecessary creditors and sweepstakes operations), but to attempt to be in NO databases...well, that becomes an exercise in pointless histrionics.