The association that campaigns for privacy protections
Too Much Personal Data!
What To Do When an Organisation Asks for It
Privacy laws generally include a requirement that personal data must not be collected
unless it is relevant, and the data collected must not be excessive.
But most forms that people are expected to fill in when they deal with organisations
contain requests for personal data that is irrelevant. And the excessive data
that they ask for may be sensitive to you.
This document provides guidance on what you should do when you're confronted
by unreasonable demands of these kinds.
If you just want the summary, you can skip the explanations and go to the
Two companion documents deal with the following related topics:
Why Do Organisations Need Personal Data?
For some interactions between people and organisations, the organisation needs
no information about you at all. For example, when you make a general enquiry
at a front counter, to a call-centre, or by email or web-form, the organisation
has no justification for demanding any information about you. (But of course
they can ask for it, and if it's 'what name should I use for you?', 'where shall
I send the brochure?' or 'what number do you want me to call you back on?',
you probably want to give it to them).
Similarly, no personal data is needed for a great many consumer purchases,
all the way from a cup of coffee, via a supermarket trolley-full of goods, to
a houseful of furniture – provided that the seller has received payment
in cash or some other reliable form that can't 'go bad' on them.
On the other hand, for many interactions between people and organisations,
the organisation may need some personal data. There are three broad reasons
that are good ones:
- the data is needed to enable the organisation to do what you're
  - they can't send you the right pair of shoes without knowing your
  - they can't send them without a name and a delivery address
  - they may have difficulty looking up your file without the identifying
    code that the organisation provided to you
  - if you're asking for a government benefit, then they need enough
    information to know that you qualify for it
- the organisation is legally required to collect the data
  - you are buying controlled goods (such as explosives or even fireworks)
  - you are conducting one of the kinds of business that is subject
    to the ridiculously excessive reporting provisions relating to 'anti-money-laundering'
- the organisation (reasonably enough) wants to protect its own interests
  - if it's advancing you credit, it needs enough details to track you
    down if you don't fulfil your side of the bargain
  - they're not permitted to disclose your own personal data back to
    you unless they're sufficiently confident that it's really you –
    so they need some information from you in order to achieve that confidence
There is a fourth broad reason, that may or may not be good enough to justify
demands for data:
- the organisation wants to further its own interests
In particular, it wants to build up a more detailed picture about
you, in order to sell more to you, or project more convincing advertising
at you and thereby manipulate your behaviour
Until the 1980s, customer profile data was a useful 'optional extra'
for retailers. But it became fashionable among marketers. Worse still, in
recent years some Internet-based corporations (e.g. Google, Facebook) have
become completely dependent on targeted advertising, which feeds off your
private data and the streams of data that are generated about your behaviour
on the Internet
Some of the data that an organisation seeks from you, or from somewhere else,
may be sensitive. For example, you may wish to avoid having your home-address
in the organisation's files if one of the people in the household has been subjected
to harassment or stalking; so you might provide a P.O. Box, or an indirect address
c/- someone else, or just the address of a trusted friend or relative. Sensitivity
is a personal thing, not something that can be decided by companies, government
agencies or even parliaments.
But most people, most of the time, are happy to provide data to organisations,
provided that they understand why it is relevant, and they regard the organisation
as being trustworthy.
This document is about what you should do when personal data is demanded that
you think is unreasonable.
Take into account the following:
- sometimes organisations have a legitimate reason for asking for particular
items of personal data. So they may reasonably adopt the position that if
you don't provide it, or provide them with access to it, they can't do business
- sometimes the person that you're dealing with won't know what that reason
is. But you have every right to ask them to find out and tell you
- sometimes the request for personal data is incidental or accidental, e.g.
where one business form is used for many different situations, and some of
the data is only relevant in some of them. The person you're dealing with
may have to be encouraged to realise that that's the case, i.e. that the item
of data is essential in some circumstances, but not this one
- sometimes the request for personal data is there because of insensitivity
or insufficient understanding on the part of the person who designed the system
or the form, and that may have been some person who's long gone from the organisation
- the person you're dealing with may, personally, be sympathetic with
your concerns, but may feel that they have to represent their employer's position
when they're talking to you
The Action Points
If you don't want to provide particular personal data, or even any personal
data at all, here's what we suggest you should do:
The First Round – Negotiate
- Ask the organisation why it wants the information.
It's possible that they will have an explanation that satisfies your concerns
- If the answer fails to convince you the information is necessary, then:
  - leave the space blank, or
  - put in that space something like "not applicable", or
  - advise the person you're talking to that the data is "not applicable"
If the organisation's reason is only partly relevant, then provide the information
that you think is relevant.
For example, instead of revealing your birth date, it may suffice to declare
that you are over the age of 18, or under the age of 65
If the organisation persists in asking for the data, you may want to ask
for more information about their privacy policies generally, and their use
of this data in particular. In particular:
- who uses it? You may be less concerned if it is used only by
that particular organisation, for this particular decision; whereas you
may be much more concerned if the data is used by other organisations
in a corporate group, or combined with other data they have about you.
(Unfortunately, it often is)
- who may have access to it? You may be comfortable with law
enforcement agencies having access if they get a search warrant; but you
may be more concerned if a regulator, an auditor, or an industry association
also has access to the data
- how long is it stored? If it's kept for a month, or until
your application has been rejected, and is then destroyed, it's less likely
to do you harm than if it's captured into the organisation's computer
system and no-one can tell you when or even if it will ever be deleted
- where is it stored? You may accept it being in the filing cabinet
beside your local branch-manager; but you may not be comfortable with
it appearing on call-centre screens in Bangalore and Manila
In many cases, organisations will accept forms that don't disclose irrelevant
data, and in some cases they will overlook the fact that the data hasn't been
provided (e.g. because they know that the form doesn't work in all circumstances).
The Second Round – Negotiate Harder
If the organisation persists, here's what you can do next:
- If the organisation insists that all sections must be completed, avoid
unpleasant confrontation. (It doesn't help anybody)
For example, in some circumstances you can ask for a form to take home
and mail in. Or you can print out the web-form that refuses to let you leave
an answer blank, write in the answers, and mail it in
- If the organisation still says that it won't accept the document, tell them
that "I want a formal internal review by a senior manager, before
I complain officially to the regulator".
Be vague about which regulator you will complain to. Let them imagine whichever
regulator they're most concerned about.
If they refuse to pass it up to a manager, write down the date and time, and
the name of the person who did the refusing, and preferably the words they
used. (They look bad in the eyes of a regulator if they had an opportunity
to review the decision and failed to do so).
- If a manager conducts a review, patiently explain your concern
– remember that it may be the first time that the manager has
heard about the problem. You might want to mention identity theft, sensitivity
of the data to you, or sensitivity of that kind of information in our culture.
You do not have to expose yourself – that's the point of privacy! –
but the manager needs to be able to understand that you are both concerned
and rational. Ask again why they need that personal data. If you still meet
resistance, you can increase the pressure.
- you can ask whether you can go higher up the chain. It's an educational
process for the organisation as well as for you
- you can say that you will now have to go to the regulator. But say
it late; and say it as an explanation, not as a threat
Many problems can be resolved in a reasonable manner at this stage.
The Third Round – Take it to a Regulator
If the organisation still unreasonably demands personal data, write down the
reasons you are concerned about it.
If your reasons make sense once you see them on paper, consider sending a letter
of complaint to the relevant regulator or oversight agency, such as a Privacy
There are resources on this web-site that can help
you work out who to write to, and how to prepare the complaint
The Fourth Round – Take it to the Media
Some regulators are effective; but all regulators have limited powers, many
have very limited resources, and some have very little real commitment to actually
helping people. So sometimes the most effective approach is to get the media
involved in the matter.
Created: 10 March 2011 -
Last Amended: 19 July 2011
by Name Name
- Site Last Verified: 11 January 2009
© Australian Privacy Foundation Inc., 1998-2016
This document is at http://www.privacy.org.au/Directory/Page.html