London music venue 93 Feet East has confirmed it has stopped storing scans of payment cards, after attendees complained about the privacy implications of the practice.
Someone who had visited the venue told IT Security Guru that upon entering, their credit card details and photographs were taken at the door by the security staff and when asked what they did with the information, they were told that they “hold on to it for around three weeks”.
The source told IT Security Guru that he was “at a complete loss as to why this is seen as acceptable”. He said: “I understand being searched and checking for drugs, weapons etc. This is, in my view, a complete breach of the Data Protection Act and I do not see why credit card details are required to secure entry and why, indeed, your photograph is taken?
“I have attended meetings in a number of Government buildings in Westminster including the Palace of Westminster where, I completely understand why my photo would be taken, but they didn’t take my credit card details.”
The source questioned the legality of requiring that information. When he asked what happened to the credit card details, he was again told that they were held for around three weeks.
“My friends were told that they had to give their credit card details if they had no photo ID in order to get in,” he said. “They were attending an arranged event but I suppose could have decided not to enter.”
Asked what the process was from a visitor's point of view, he said that the identification was scanned, but it was not clear how securely it was stored, or whether there was consent to share the information with a third party. “Do the police have automatic access to any of this information and if so, under what law?”
Another person who had visited said that he was advised he would not be admitted without a credit card being photographed, and that the cards were scanned into a purpose-built system. “They scanned it in and it uploaded onto the screen and I think it then uploaded to somewhere else (I was trying to look but the main bit of the system was obscured),” he said. “There was a small purpose-built scanning bed with single click for the scan, no opportunity to refuse and he said data was kept for two to three weeks but was not sure, it was very worrying.”
“We were also told that no details of the bank details could be obscured, and this was visible on the screen to the next person in the queue.”
In an email to IT Security Guru, a representative for 93 Feet East said that it has a policy of seeking photographic ID (which is scanned into its ID scanner) as a condition of entry at certain times. “This policy has flowed directly from police requirements and recommendations,” the representative said.
“In the past when a prospective customer did not have photographic ID with them, then such customer has (at the discretion of management) had the option of instead providing a bank card as an alternative means of confirming and recording his or her identity.”
However, they said that this policy has recently been reviewed by 93 Feet East: bank cards are no longer scanned as an alternative to photographic ID, and no bank card details are now held by the scanning system.
The venue declined to answer a second email asking how long the scanning process had gone on for and how many management members of the venue and its parent could access stored data.
The spokesperson said: “Scanning prospective customers’ personal data is only done with that person’s consent. Personal data on the ID Scanner is held securely and only authorised personnel are entitled to access it.
“While security personnel (all of whom are SIA accredited and are not employed but provided by a third-party contractor) have the ability to scan into the ID Scanner, only management staff (not the security personnel) can thereafter access the data.”
A spokesperson for the Information Commissioner’s Office told IT Security Guru that it was unable to comment directly on a hypothetical situation that it had not directly investigated, but any organisation processing personal data needs to ensure they comply with the principles of the Data Protection Act.
“This includes processing the personal data in a fair and lawful manner, making sure the personal data is secure and not keeping it longer than necessary,” he said.
“The venue would be strongly recommended to undertake a privacy impact assessment to identify and reduce privacy risks. It would also be recommended to have a privacy notice detailing why it is collecting this information and how it will be processed. We would only investigate in a situation like this if someone brought a concern to us.”
One of the visitors confirmed that they had contacted 93 Feet East regarding data privacy, but had not heard back.
The ICO spokesperson said: “Privacy notices don’t always necessarily have to be actively communicated, but if they have one it should be available on request.”
A spokesperson for the Payment Card Industry Security Standards Council (PCI SSC) said that she was unfamiliar with this case, but that any time an organisation handles payment card information, it is subject to PCI DSS requirements.
“In this case, it sounds like it has stopped the practice and is no longer holding the payment card detail, so PCI wouldn’t apply,” the spokesperson said.