CASE STUDY 6/00
Financial institution – Laser card – printing of home address on receipts – incompatible disclosure – adequate security
An individual wrote to me expressing his concern that when using his Laser card – a type of debit card that can be used in shops for cashless transactions – his home address was printed on the receipt slip. Since retailers keep a copy of the receipt slip, the individual felt that his private details were being disclosed unnecessarily by his financial institution, which was responsible for the Laser card.
My Office raised this matter with the financial institution, which responded promptly. The institution indicated that it had itself received a small number of complaints from customers about the issue. The institution explained that Laser cards issued after October 1999 included the customer's home address details in the magnetic stripe. However, these details were only supposed to be read by automated lodgement machines, arising from a legal requirement that a receipt – including the address – could be issued to customers using this service. The address details were not supposed to be readable by ordinary point-of-sale (POS) terminals found in shops.
Investigation by the institution revealed that some POS terminals had had their software upgraded to a new version, with the unintended result that the address details were read by the terminal and printed on the receipt. Having established the cause of the matter, the financial institution took the following steps:
- Address details were omitted from new Laser cards, in cases where the cardholder did not need to avail of the lodgement facility. In other cases, technical steps were taken to ensure that the address details on new Laser cards could not be printed by POS terminals.
- The Laser cardholders affected by this problem were identified, and a roll-out of replacement Laser cards was initiated.
- The institution took steps to ensure that, whenever the POS terminal software was upgraded in future, the institution would be made aware of the upgrade, so that any possible impact on existing Laser cards could be considered.
I considered these steps to be an appropriate response by the financial institution. The important point to emerge from this case is that personal data stored in debit cards, credit cards, and indeed in any type of card using a magnetic stripe or similar storage mechanism, should be kept secure from inappropriate disclosure, in accordance with the requirements of section 2(1)(d) of the Data Protection Act.