Watchdog warns over sale of customer databases

New data protection guidelines have been issued covering the buying and selling of customer databases that contain personal information.

The Information Commissioner's Office has issued the compliance guidance to cover databases being sold when a business closes down, goes bust or gets bought.

The advice covers when a database can be sold, what the personal information on it can be used for, whether those individuals whose information is on the database have to be informed about the change of ownership and how long the information can be kept for.

When a database is sold the buyer can only use the personal information on it in line with the purposes for which it was originally collected. For example, if the database contains information obtained for insurance, the database should only be sold to another insurance-based business providing similar insurance products.

If the buyer wants to use the personal information for a new purpose, they will have to get consent for this from the individuals whose information is on the database. These individuals should also be informed about the change of ownership.

Dave Evans, senior guidance manager at the ICO, said in a statement: "It is important that businesses buying or selling customer databases are aware of their data protection obligations."

To comply with data protection laws the buyer should also delete any unnecessary personal information from the database as it cannot be stored on the basis that it might become useful in the future.

A full copy of the guidance can be found here.