Data protection guidance for buying or selling a database

Out-Law News | 07 Apr 2006 | 12:25 pm | 1 min. read

The Information Commissioner’s Office (ICO) has published a guidance note advising businesses on how to comply with the Data Protection Act when buying and selling databases containing customers’ confidential information.

Advert: Infosecurity Europe, 25-27 April 2006, Olympia, LondonThe guidance is intended for use only when a database is sold because a business is insolvent, closing down or being sold. In these circumstances the Data Protection Act does not prevent the sale of a database containing the details of individual customers, providing certain requirements are met.

The requirements:

  • The seller must make it clear that the buyer can only use the data for the purposes for which it was originally collected. The database should therefore only be sold to a business that will make the same or similar use of it.
  • The buyer must obtain the consent of the individuals referred to on the database if it wishes to use the data for a new purpose.
  • The buyer should tell the individuals referred to on the database about the change of ownership.
  • The buyer can only use the database for unsolicited marketing if the individuals referred to in it have agreed to receive such marketing, or receipt of such marketing is “likely to be within their reasonable expectations”.
  • Where this is the case the buyer can only market products and services similar to those that have been advertised through the database before.
  • The buyer must delete any unnecessary personal information held on the database.

“It is important that businesses buying or selling customer databases are aware of their data protection obligations,” said Dave Evans, Senior Guidance and Promotion Manager with the ICO. “This good practice note will help businesses understand what they need to do to ensure that personal information on the databases is sufficiently protected.”