M&S at risk of breaking data law
Marks and Spencer may be breaking the law over the way it shares personal information about its cardholders.
A spokeswoman for M&S said: 'We believe we are operating within the law, but if we are advised that we are not then we will change our practices.'
The Independent revealed last week that the stores group had declined to be bound by the new Code of Banking Practice. The sole reason given was that it disagreed with the code's data protection provisions.
M&S was invited to come under the code because of its in-house store card and its financial services. These include unit trusts and are being extended to life insurance and pensions.
The new code says: 'Banks and building societies will observe a strict duty of confidentiality about their customers' (and former customers') affairs and will not disclose details of customers' accounts or their names and addresses to any third party, including other companies in the same group.' The only exceptions are if there is a requirement to disclose, or if the customer agrees.
The M&S spokeswoman pointed out that applicants for the group's store card were told: 'We share information about customers' accounts with other lenders through credit reference agencies . . . Please remember that we never make your name and address available to others for mailing and marketing purposes, other than to those approved organisations providing goods or services on our behalf. Naturally, from time to time we will send you information about M&S and M&S Financial Services products or services that we think you may find of interest.'
Barry Hyman, director of communications at M&S, said the company did not consider this unacceptable, as cardholders would expect to receive information about M&S even though it was a different legal entity. That was why the group had not signed up to the code.
Applicants who do not wish to receive such information can tick a box. No such option is offered to those who do not want M&S to share information with credit reference agencies.
This directly contravenes a paper published last month by the Data Protection Registrar, which declares: 'In general, if a financial institution gives an individual notice of what it intends to do with personal data about that person, and s/he does not respond, the financial institution would not be entitled to assume that s/he had impliedly consented to the use of the information.'
M&S is discussing the issue with the Registrar and other companies and says it will go along with the general view.
John Lamidey, the assistant Registrar specialising in financial services, said: 'I am grateful to the Independent for pointing out Marks and Spencer's view. M&S may not be complying with the Registrar's understanding of the law. That remains to be tested in the courts.'
Mr Hyman said: 'We would never knowingly break the law.'