Privacy laws generally include a requirement that personal data must not be collected unless it is relevant, and the data collected must not be excessive.
But most forms that people are expected to fill in when they deal with organisations contain requests for personal data that is irrelevant. And the excessive data that they ask for may be sensitive to you.
This document provides guidance on what you should do when you’re confronted by unreasonable demands of these kinds.
If you just want the summary, you can skip the explanations and go to the Action Points.
Two companion documents deal with the following related topics:
- if you’re concerned about having to sign unreasonable statements, see ‘Unfair Authorisations’
- if you’re concerned about demands for copies of ‘id’, see the ‘Identity Scanning’
Why Do Organisations Need Personal Data?
For some interactions between people and organisations, the organisation needs no information about you at all. For example, when you make a general enquiry at a front counter, to a call-centre, or by email or web-form, the organisation has no justification for demanding any information about you. (But of course they can ask for it, and if it’s ‘what name should I use for you?’, ‘where shall I send the brochure?’ or ‘what number do you want me to call you back on?’, you probably want to give it to them).
Similarly, no personal data is needed for a great many consumer purchases, all the way from a cup of coffee, via a supermarket trolley-full of goods, to a houseful of furniture – provided that the seller has received payment in cash or some other reliable form that can’t ‘go bad’ on them.
On the other hand, for many interactions between people and organisations, the organisation may need some personal data. There are three broad reasons that are good ones:
- the data is needed to enable the organisation to do what you’re asking
- they can’t send you the right pair of shoes without knowing your shoe-size
- they can’t send them without a name and a delivery address
- they may have difficulty looking up your file without the identifying code that the organisation provided to you
- if you’re asking for a government benefit, then they need enough information to know that you qualify for it
- the organisation is legally required to collect the data
- you are buying controlled goods (such as explosives or even fireworks)
- you are conducting one of the kinds of business that is subject to the ridiculously excessive reporting provisions relating to ‘anti-money-laundering’
- the organisation (reasonably enough) wants to protect its own interests
- if it’s advancing you credit, it needs enough details to track you down if you don’t fulfil your side of the bargain
- they’re not permitted to disclose your own personal data back to you unless they’re sufficiently confident that it’s really you – so they need some information from you in order to achieve that confidence
There is a fourth broad reason, that may or may not be good enough to justify demands for data:
- the organisation wants to further its own interests
In particular, it wants to build up a more detailed picture about you, in order to sell more to you, or project more convincing advertising at you and thereby manipulate your behaviour
Until the 1980s, customer profile data was a useful ‘optional extra’ for retailers. But it became fashionable among marketers. Worse still, in recent years some Internet-based corporations (e.g. Google, Facebook) have become completely dependent on targeted advertising, which feeds off your private data and the streams of data that are generated about your behaviour on the Internet
Some of the data that an organisation seeks from you, or from somewhere else, may be sensitive. For example, you may wish to avoid having your home-address in the organisation’s files if one of the people in the household has been subjected to harassment or stalking; so you might provide a P.O. Box, or an indirect address c/- someone else, or just the address of a trusted friend or relative. Sensitivity is a personal thing, not something that can be decided by companies, government agencies or even parliaments.
But most people, most of the time, are happy to provide data to organisations, provided that they understand why it is relevant, and they regard the organisation as being trustworthy.
This document is about what you should do when personal data is demanded that you think is unreasonable.
Take into account the following:
- sometimes organisations have a legitimate reason for asking for particular items of personal data. So they may reasonably adopt the position that if you don’t provide it, or provide them with access to it, they can’t do business with you
- sometimes the person that you’re dealing with won’t know what that reason is. But you have every right to ask them to find out and tell you
- sometimes the request for personal data is incidental or accidental, e.g. where one business form is used for many different situations, and some of the data is only relevant in some of them. The person you’re dealing with may have to be encouraged to realise that that’s the case, i.e. that the item of data is essential in some circumstancs, but not this one
- sometimes the request for personal data is there because of insensitivity or insufficient understanding on the part of the person who designed the system or the form, and that may have been some person who’s long gone from the organisation
- the person you’re dealing with may, personally, be sympathetic with your concerns, but may feel that they have to represent their employer’s position when they’re talking to you
The Action Points
If you don’t want to provide particular personal data, or even any personal data at all, here’s what we suggest you should do:
The First Round – Negotiate
- Ask the organisation why it wants the information.
It’s possible that they will have an explanation that satisifies your concerns
- If the answer fails to convince you the information is necessary, then:
- leave the space blank, or
- put in that space something like ”not applicable”, or
- advise the person you’re talking to that the data is “not applicable”
For example, instead of revealing your birth date, it may suffice to declare that you are over the age of 18, or under the age of 65
- who uses it? You may be less concerned if it is used only by that particular organisation, for this particular decision; whereas you may be much more concerned if the data is used by other organisations in a corporate group, or combined with other data they have about you. (Unfortunately, it often is)
- who may have access to it? You may be comfortable with law enforcement agencies having access if they get a search warrant; but you may be more concerned if a regulator, an auditor, or an industry association also has access to the data
- how long is it stored? If it’s kept for a month, or until your application has been rejected, and is then destroyed, it’s less likely to do you harm than if it’s captured into the organisation’s computer system and no-one can tell you when or even if it will ever be deleted
- where is it stored? You may accept it being in the filing cabinet beside your local branch-manager; but you may not be comfortable with it appearing on call-centre screens in Bangalore and Manila
In many cases, organisations will accept forms that don’t disclose irrelevant data, and in some cases they will overlook the fact that the data hasn’t been provided (e.g. because they know that the form doesn’t work in all circumstances).
The Second Round – Negotiate Harder
If the organisation persists, here’s what you can do next:
- If the organisation insists that all sections must be completed, avoid unpleasant confrontation. (It doesn’t help anybody)
For example, in some circumstances you can ask for a form to take home and mail in. Or you can print out the web-form that refuses to let you leave an answer blank, write in the answers, and mail it in
- If the organisation still says that it won’t accept the document, tell them that “I want a formal internal review by a senior manager, before I complain officially to the regulator”.
Be vague about which regulator you will complain to. Let them imagine whichever regulator they’re most concerned about.
If they refuse to pass it up to a manager, write down the date and time, and the name of the person who did the refusing, and preferably the words they used. (They look bad in the eyes of a regulator if they had an opportunity to review the decision and failed to do so).
- If a manager conducts a review, patiently explain your concern – remember that it may be the first time that the manager has heard about the problem. You might want to mention identity theft, sensitivity of the data to you, or sensitivity of that kind of information in our culture. You do not have to expose yourself – that’s the point of privacy! – but the manager needs to be able to understand that you are both concerned and rational. Ask again why they need that personal data . If you still meet resistance, you can increase the pressure.
- you can ask whether you can go higher up the chain. It’s an educational process for the organisation as well as for you
- you can say that you will now have to go to the regulator. But say it late; and say it as an explanation, not as a threat
Many problems can be resolved in a reasonable manner at this stage.
The Third Round – Take it to a Regulator
If the organisation still unreasonably demands personal data, write down the reasons you are concerned about it.
If your reasons make sense once you see them on paper, consider sending a letter of complaint to the relevant regulator or oversight agency, such as a Privacy Commissioner.
There are resources on this web-site that can help you work out who to write to, and how to prepare the complaint
The Fourth Round – Take it to the Media
Some regulators are effective; but all regulators have limited powers, many have very limited resources, and some have very little real commitment to actually helping people. So sometimes the most effective approach is to get the media involved in the matter.