
Privacy Laws and Business International Report


How Sainsbury's is preparing for the new UK Data Protection Act [1999] PLBIRp 33; (1999) 49 Privacy Laws and Business International Report 18

How Sainsbury's is preparing for new Data Protection Act

J SAINSBURY PLC, one of the UK's largest retailers, treats its customer data with care. Preparing for compliance with the new UK Data Protection Act therefore means fine-tuning rather than radical changes. Privacy Laws & Business talked to the Group's Data Protection Manager to find out the steps which are being taken.

The Sainsbury Group in the UK, consisting primarily of the supermarkets business, DIY business (Homebase, which sells home decorating and gardening products), hypermarket business (Savacentre) and Sainsbury's Bank, processes personal data of its 178 000 staff and 22 million loyalty card holders. The company has issued 14 million Reward cards, which can be used at Sainsbury's Supermarkets, and 8 million Spend & Save cards for Homebase customers. While all parts of the business have some personal data, such as employee data, the bulk of it relates to individuals who have applied for a loyalty card in order to benefit from special offers.

The group's data protection compliance is co-ordinated from its London headquarters. Jillian Hardwick, Group Data Protection Manager, is responsible for the whole of the group's data protection compliance, apart from Sainsbury's Bank. She is assisted by the company's nine Legal Advisers, who have a good knowledge of the current Data Protection Act 1984 and the new 1998 Act and its implications.

NEW ACT WILL NOT CAUSE PROBLEMS

PL&B: Will the introduction of the 1998 Act require Sainsbury's to change its compliance programme radically?

Jillian Hardwick: No dramatic changes are needed as we already constantly review our customer literature and business processes. It is more a question of building on the existing compliance programme. We currently do more than is required by the 1984 Act, because we believe it is good business practice. There are some areas we do need to re-evaluate, but we are not having to employ more staff or change our basic processes because of the new Act.

PL&B: What are the areas that will require more attention?

Jillian Hardwick: Manual data is one of them. Most of the manual data we hold is on employees. The only customer data we have on paper records would typically be their correspondence with us, where the personal information is their name and address.

We will have to start treating employment references differently as, up until now, we have not disclosed them, relying on the fact that they were given to us in confidence. The new Act will require us to disclose references provided by outside organisations (not internal references), but only after we have taken steps to remove personal data relating to the writer.

With regard to manual data in general, some of the work needed is just to explode myths that some journalists have created about paper records under the new Act. I think some people have been unduly frightened about the issue of dealing with paper records within organisations, suggesting complex ways to avoid treating them as personal data. Our policy is already to provide employees with access to their paper records.

Another big area is our customer literature. As already said, we are constantly reviewing this. We have been in discussions with the Office of the Data Protection Registrar about the way in which we should obtain the consent of those customers who are making an insurance claim against the company. We need these customers' permission to pass their medical records to the insurers. The Data Protection Registrar's Office have commented on our proposed statement. Unfortunately, we cannot start to use this new literature yet as we do not want to wrongly suggest to customers that they have rights that are, in fact, not available until the new Act is in force.

PL&B: Are transborder data flows an issue for Sainsbury's?

Jillian Hardwick: Not really. We have a store in France, which, being in the EU, does not pose any problems with regard to transferring data. Sainsbury's also owns stores in Egypt and in America. The personnel data of the UK secondees who go and work there is covered by contracts.

PL&B: What cost implications does the new Act have for Sainsbury's?

Jillian Hardwick: It is hard to say what the cost of reviewing our compliance will be. There is some extra training to be done, but a lot of the compliance checks we are conducting now are part of an ongoing programme.

PL&B: What areas in the secondary legislation are you especially interested to see?

Jillian Hardwick: I am interested in seeing what level of security notification will be required. It has been suggested that perhaps compliance with the British Standard 7799 will be sufficient. I must say I will be disappointed if that is all that will be required. On the other hand, we do not want to go into a great level of detail and reveal all our company security arrangements, even though the information will be disclosed just to the Data Protection Commissioner.

PL&B: How do you ensure that your third party processors have the necessary security arrangements?

Jillian Hardwick: We do not use many third party processors, and I have already audited the two main ones. We build the security requirements into contracts, and require 100% confidentiality from third party processors. Sainsbury's does not process customer data abroad, and that obviously helps.

LOYALTY CARDS GENERATE MOST CUSTOMER DATA

Before the introduction of loyalty cards, Sainsbury's held only a limited amount of customer data. This type of personal data related to individuals who had corresponded with the company with regard to general enquiries, complaints and claims. However, the company's policy is that these data are generally not kept for longer than three months.

The nineties' focus on relationship marketing has dramatically expanded the amount of personal data processed by the company. All customers applying for the loyalty cards in order to receive discounts and other benefits are asked for a number of personal details. For example, when applying for a Reward card online, the form requests not just the necessary contact details, but also asks customers to state, for example, their average supermarket spend, where they normally shop and how many children they have. Having a full picture of its customers, Sainsbury's can then carefully target its marketing messages to different audiences. Importantly, it is possible to opt out from receiving any further information from the company. Apart from marketing purposes, the data is processed for trend monitoring, but in a depersonalised form.

PL&B: Did Sainsbury's revise its customer literature and the possibility to opt out from direct marketing as a result of the Data Protection Act 1998?

Jillian Hardwick: Our customer literature is constantly being revised anyway, so we are not experiencing any extra cost or effort in that respect. We always offer an opt-out in our literature, and run our mailing lists against the Mailing Preference Service. Customers can also verbally refuse to receive any marketing materials by ringing our freephone helpline. It can potentially take eight weeks for the opt-out to take effect as mailing lists are prepared a long time in advance, but once operational, Sainsbury's always honours the opt-outs. Apart from our legal obligation to honour opt-outs, we do not want to annoy our customers. From a business point of view, it makes no sense mailing information to people who do not want it.

PL&B: Would you agree that customers may not be aware of how their data will be used when applying for a loyalty card?

Jillian Hardwick: We actually have more people ringing us to complain that they have not received vouchers even though their neighbour has! I believe that customers are much more sophisticated than we give them credit for. However, our new service, the interactive kiosk (computer-based customer service point), actually explains to users that customers' buying habits will be analysed in order to be able to offer them products of particular interest to them.

PL&B: The Direct Marketing Association and the National Consumer Council have suggested a standardised "customer rights" box, which would, among other things, tell people about their rights under the new Data Protection Act. What do you think about this proposal?

Jillian Hardwick: We support the idea in principle. However, I think that such a statement would end up being a compromise made between businesses which use customer data in many different ways. There would be those who only want to fulfil the requirements of the law, and others, such as Sainsbury's, who want to do a lot more than is required by the law. There is a danger that the message would have a completely different tone of voice than our literature normally has. Also, these types of statements tend to lose their impact very quickly. Once customers get used to seeing them, they do not bother reading them any longer.

RISK-BASED STAFF TRAINING

PL&B: How does Sainsbury's organise staff training?

Jillian Hardwick: We have organised our data protection training on an operational basis. All staff receive some training geared towards the business functions that they deal with. This risk-based, pragmatic training method means that staff will be aware of the data protection risks related to their job function, rather than being able to quote the Act's various clauses. At the end of the day, for the majority of staff it is best that they focus on key issues and are aware of what is illegal. Obviously staff in the marketing, IT, insurance and customer services departments, who deal with these questions every day, need to have a deeper understanding of the provisions. We have organised more formal, seminar-based training for them. However, for a wider audience within the organisation, we write procedures that enforce the law, and are easy for the staff to understand. I would say that a lot of the time the staff are not even aware that they are complying with the Data Protection Act specifically - but they do know what is right and wrong with regard to handling data.

PL&B: Apart from written procedures, what other measures are used to ensure compliance with the new Act?

Jillian Hardwick: Awareness raising. We have just had an awareness campaign during which we distributed posters to all stores. They give out the right message in plain English without even mentioning the words "data protection"! This was done deliberately as people tend to think that data protection is the job of the Data Protection Manager. When we speak about "business confidentiality" or "personal integrity", everyone regards it as their job as well.

We also sent out a leaflet to every member of staff with their salary cheques in February. The leaflet describes in more detail what data protection is about, and what staff should do when they encounter a data protection problem. These issues were also featured in our business television, which is a monthly satellite broadcast to all our stores. Although the slot was just two seconds, it was backed by a briefing sheet used by our team leaders. Members of staff could also phone us to ask further questions. The business TV will be used in the future to jog staff's memories about data protection, although the broadcasting time available is limited, as other issues that need to be communicated to the staff, for example health and safety advice, are just as important as data protection.

PL&B: Was the awareness campaign timed to coincide with the introduction of the new Act?

Jillian Hardwick: We would have introduced the awareness campaign sooner or later anyway, but the Act gave us the impetus to go ahead with it at the beginning of the year.

PL&B: Is there a person at the store level who has responsibility for data protection?

Jillian Hardwick: There is not a nominated person as such. The majority of the personal data at store level is staff information, as the staff do not generally have access to customer data. The branch personnel managers deal with any enquiries to their stores, and will also deal with data protection issues in that respect. They have received formal training on how to handle personal data.

NO INCREASE EXPECTED IN SUBJECT ACCESS REQUESTS

PL&B: Do you deal with subject access requests centrally and how many do you receive a year?

Jillian Hardwick: Yes, all requests are processed here in London. We received 16 subject access requests in the first half of this year. This is an increase from last year. We deal with the requests as quickly as we can, normally in a week or so, and always within the prescribed 40 days. We do not charge for providing the information.

PL&B: Do you have to revise your procedures to be able to give information about the source of the data?

Jillian Hardwick: No. Most subject access requests are about Reward card information, and that is information received from the customers themselves. Other information would include their transaction history, where the codes we use need to be explained to the customer. Unless there is a dramatic increase in subject access requests, we will not have to change our procedures. Even if that were the case, it would be more of a question of resources, and perhaps hiring someone extra to deal with them, rather than changing the way we provide the information.

However, I do not expect the number of subject access requests to go up dramatically in our field of business. Supermarket customers are mainly interested in receiving their Reward Card points, rather than querying the data we hold about them. The question is, of course, very different for Sainsbury's Bank, as people are generally more concerned about their financial data.

URL: http://www.worldlii.org/int/journals/PLBIRp/1999/33.html