Tesco have now responded to our data protection request. They’ve sent through a 13-page letter which includes printouts and screenshots from their various systems. Unfortunately, they haven’t provided me with an electronic copy of anything, so I’d have to retype everything in order to use the data for anything useful. We will be requesting that the data is re-sent in electronic format in our next request to the company. We believe that this shouldn’t really prove too difficult as the data of course resides on Tesco’s computer systems.

Interestingly, while they do seem to have a fair amount of information about me – including my lifestyle profile (“Commonplace Brands” / “Mainstream”) and my lifestyle affluence (“Mid-Market”), they have not provided me with anything really detailed.

I was hoping that I would be sent a list of the products I’d purchased, or at the very least a list of my favourites. Tesco should hold this data as it is referenced in the event of a product return and is used to build up my favourites profile when shopping online at Tesco.com. Unfortunately, all I’ve received is my basic marketing profile, a list of how much I’ve spent since 30th July 2007 and some printouts from the customer service system that recorded the data protection request.

We’re going to follow all this up with Tesco. We will also be reminding them that they have still lost some of my personal data (a photocopy of my driving licence) while attempting to process the request – which is very concerning.

More broadly, we shall be seeking a public guarantee that future requests will be handled quicker and more simply than mine has been.

In the meantime, you can take a browse through the wonderful Tesco screenshots below. Please note that I’ve blurred out anything that I’ve classed as personal data (both mine and those of Tesco employees).

While we’re still waiting for a full response from Tesco, I wanted to tell you about a Data Protection Request that went right.

At the same time as making the original Tesco request, I also sent out a few other requests to some smaller businesses.  Included amongst this group was a business that used to sell tickets and merchandise for music festivals.  I already had a rough idea what data they held about me, but I wanted to test how well they handled a Data Protection Request.

Within a few days of receiving my letter, their Data Officer contacted me to confirm some details.  A few days after that I was contacted again to say that they had found the data I was after and would be sending it on shortly.  Soon after, it was sat in my inbox.

Not only had they sent all the data I was after, but they automatically suppressed my email addresses from any further marketing and asked me if I wanted the data deleted from their database.

I was really impressed by the way this request was handled.  Not only did they communicate with me throughout the entire process, but they took steps that were not necessary to complete the task.  This should be used by all organisations as a good example of how to handle a Data Protection Request.

Was there anything surprising in the data? Yes – the password I’d used for the website in plain text. Let this be a reminder to everyone: never use the same password on more than one site, and always expect your password to be visible to anyone looking at the database!

This weekend I received a letter from Tesco, apologising for the loss of my original letter. In it they say that “despite extensive investigations, we are unable to find any trace of your letter”. This doesn’t do much to ease my concerns – there is still a letter with a copy of my driving licence missing somewhere.

To be fair on Tesco, they have provided me with a £10.00 voucher as a gesture of goodwill and to cover the costs of postage. Of course, compensation isn’t what we are after, so the voucher will sit in a locked drawer for now.

A copy of the letter Tesco sent me is below.

Yesterday I spent a bit of time on the phone to the Information Commissioner’s Office (ICO) to find out what to do next.  The person I talked to seemed quite concerned that they have lost the letter I sent them – and believes I am right in assuming it is in itself a breach of the DPA.

They have recommended that I resend the letter (as requested) to Tesco’s HQ, and include a cover letter explaining my concerns and asking them to explain what has happened. If I don’t receive a satisfactory response, I need to fill out a complaint form and submit it to the ICO.

The new letter has been posted today by recorded delivery.

As before, I’ve reproduced the text (with some personal details removed) below.

Tesco didn’t call me back, so I called them. As expected, I was passed from department to department (and even ended up speaking to the Caretaker for their Dundee office at one point); however, I finally got a straight answer from them. It appears that my letter was received and was sent to another office, however not the correct office. Instead of sending it to the Cheshunt HQ, it was instead sent to the IT offices. From here, they appear to have lost all trace of the letter. Tesco have asked me to resend the letter to their HQ.

This raises a few points – firstly, it does not reflect well on their internal processes if they have not put it through their own logging procedure. Secondly, there is now a letter with some of my personal details (including a photocopy of my driving licence) missing somewhere. This in itself would appear to be a breach of the Data Protection Act.

Before I proceed, I think I need to get some advice from the Information Commissioner’s Office who are responsible for the DPA.

It appears that our request has hit a wall before it’s even started.

I contacted Tesco today to ask why they hadn’t been in touch to confirm my identity. They had no record of the letter arriving. After showing them the Royal Mail proof of delivery and a bit of toing and froing, it appears that the letter has been received, but not processed correctly. They believe it has been re-sent to their headquarters in Cheshunt, but the person who deals with these requests has gone home for the day (surprise, surprise). I’ve been promised a call back tomorrow.

The letter to Tesco was sent by recorded delivery on 14th August 2009.  Tesco signed for the letter on 15th August.  They now have 40 days to respond to the request.

We’ve reproduced the text of the letter below (with some identifying elements removed).

As we are all well aware, every time you purchase something from a supermarket (or any other place for that matter), information about the purchase is recorded. Sometimes, this data contains information that means it can be traced back to you. This especially happens if you use a loyalty card such as Nectar or Tesco Clubcard. So, what data is actually collected each time you scan your Clubcard? We wanted to find out.

The Data Protection Act (DPA) allows people to request copies of the data companies hold about them.  Using the DPA, we’ve sent a request to Tesco to find out what information they have about me.

Why are we doing this?  Partly because we’re curious people, but also because we might find out something of use.  Tesco might hold some data that we could use to build a fantastic new service, or it might just be a list of things I’ve bought over the last few years.  At the very least, it’ll enable us to write a guide for helping other people make requests under the DPA.  However, until we ask, we won’t find out!

You can follow the progress of our request from start to finish on our DataBlog (RSS feed), or using the tescodata tag (RSS feed).

If you’ve made Data Protection Act requests to Tesco before, please let us know your experiences.