The admission yesterday by T-Mobile that they had suffered a dataloss measured in the hundreds of thousands came hard on the heels of the admission that the head of an Indian IT outsourcing company had sold medical records from a UK private hospital for £4 each. In both cases the data was sold to companies who then used it to market to these people.

Can you trust purchased data?

We have found that many databases that are available for purchase in the UK are not what they seem. In many cases data is being sold without consent from the individuals on the database for their data to be sold. In some cases we have found that data collected on the web has had permission flags deliberately altered because systems errors meant the data owner could not be sure who had consented to what and so changed the flags to maximise the data that could be re-sold.

What is your legal position?

Under the ICO guidelines you need to be sure that ANY data you purchase and use in a marketing campaign has been obtained legally and with consent for it to be re-sold. Merely asking for a warranty that the data can be legally sold is not enough. You need to be sure that the data was collected with the consent to resell and this is especially true if it is data with email addresses. Far worse than the ICO fines is the bad press you will get if you are caught out using illegally obtained data.

What next?

If you are regularly purchasing third party data you need to do two things: Firstly document what you are getting from where and get warranties and copies of data capture forms and privacy policies that relate to that data. Secondly audit the data provider – the list broker AND the list owner to ensure that you are not using illegally obtained data. We regularly undertake such “due diligence” audits for clients and you can find out more by emailing tim.beadle@atriumgroup.com