Data subject access request - getting data from Amazon

The Data Protection Act (DPA) is a topic I always cover in the ITGS databases and policies topics. The DPA provides legal rights for individuals in regard to the personal data companies hold about them. One of these rights is the right to access your data. To see how this process works and to examine the type of data modern companies store about us, I decided to request a copy of my data from Amazon UK, under the Data Protection Act legislation.

Databases

The databases topic is one of the most expansive in stand 3 of the ITGS syllabus. Databases are the underlying technology of many IT systems, from basic stock control systems in small businesses to advanced e-commerce systems, medical databases, and so many more. It is virtually guaranteed that a database question will arise in the ITGS exams in May and November.

Databases also present several significant ITGS social and ethical issues related to the collection, storage, and processing of data – particularly personal data.

Reliability and Integrity concerns arise when data is incorrect or incomplete, and the effects range from minor inconvenience to major problems.

Security problems – such as the accessing of data by unauthorised individuals – are relatively common and can cause significant impact to businesses and their customers.

Privacy concerns can occur when data is collected without permission, or when it is used in ways customers did not consent to. Computers allow companies to collect larger amounts of data and to store it for longer periods. Information about our behaviour (which adverts we clicked on, which searches we made) allows companies to interpret this data in new ways and, often, to make assumptions about us. Even anonymous data can be very revealing if there is enough of it – A Face is Exposed is an article I often use in ITGS lessons. The 2015 ITGS Case study, focused on supermarkets and Big Data, also looked at many issues related to data privacy.

Amazon recommended products page — Amazon’s assessment of my interests are very accurate (not sure about the water sports though)

Data Protection Act (DPA)

The UK’s Data Protection Act (DPA) is a good example of legislation and I always cover it when teaching the ITGS database unit and when discussing examples of policies. In the UK, the Data Protection Act provides legal rights for individuals to access the personal information that companies store about them. There are a few caveats to this, and some discussion over what is meant by the term ‘personal data’, which the Information Commissioner’s Office (ICO) does a good job of explaining. However, in general a data subject (that’s you or me) has the right to request this data from companies, who have to provide a copy of it within a reasonable time frame. The term for this process is a data subject access request or data access request. Individuals also have the right to have incorrect data corrected or removed, provided they can supply suitable evidence of it being wrong.

Making the Amazon Data Subject Access Request

Though companies in the UK are legally required to provide access to personal data, they are not required to make accessing it easy! A Google search for phrases such as ‘Amazon data access request’ returns vaguely relevant pages such as a Guardian story on a similar subject and Amazon’s own privacy page, but I could find no actual link that would enable me to start the process. Unperturbed, I headed to the Amazon support live chat (amusingly, the transcript of this chat session was one of the items of data returned when my CD of data eventually arrived in the post). The process was a bit of a merry-go-around, but not too obstructive:

The chat agent gave me the email address of the ‘Concern team’ that deals with data subject access requests.
The concern team responded requesting proof of ID (which makes sense)
The concern team responded again, weeks later, requesting proof of address. (This correspondence was not in the supplied data, so I assume at that point the data had been compiled already and was ready for shipping)
The CD arrived in the mail

The date on the CD was approximately three weeks after I made the original request, and the CD arrived in the mail about a week after that.

Access Request contents

The CD itself contains only three files, zipped, and totalling just 60 kb of data(!), which was a bit of a surprise. The three files were:

Stuart Gray – Account Information.doc
Stuart Gray – Order History.xlsx
Stuart Gray – Written Correspondence.docx

Each file was password protected (good – this is personal data), but the password was ‘gray2015’ (not so good), and was written on the cover letter accompanying the CD (hmmm….).

Account Information

This encrypted Word document contained ‘all’ of the information about my basic Amazon account, including all the addresses I have ever shipped to, past and present. Addresses I have removed from my address book (for example, when I moved house) are also stored. The date of creation, modification, and removal are stored for each address, as appropriate. I can also see that on Saturday 1 December 2012 at 16:45 GMT I overrode Amazon’s validation routine for my address (it didn’t like the Salvadorean style postcode).

Similarly, the payment cards section was divided into three sections: Active accounts with transactions, Active accounts without transactions, and Deactivated accounts. Although the data subject access request was made with Amazon UK, this section contained all of my credit cards, including those from my bank in El Salvador (which I have used with Amazon US, but never with Amazon UK).

Data subject access request from Amazon — Basic Amazon account information

Order History

This spreadsheet was obviously a database export, containing 12 fields and a record for every item I have ever bought from Amazon UK. Below is a small excerpt of this information. I didn’t find anything unusual (except the typo in the column A heading). Presumably the shipping address field acts as a foreign key to a separate table which lists my addresses.

Written Correspondence

The only items in this document were the transcripts of the customer support chats where I made the original data access request! I did notice the transcript actually redacted the name of the customer service representative, replacing it with a ‘XX’.

Is all the data present?

Initially I was surprised at the tiny amount of data handed over to me – given Amazon’s pervasiveness I expected a lot more information and a lot more of the privacy invading material we sometimes read about in the media. For example, I did not see any data regarding:

The specific items on my wish list (not even a product ID)
My preferences and interests, despite Amazon clearly providing targeted adverts on its front page
My textbook, which is sold through Amazon (who also supply sales data)
My use of the Kindle reader software
My use of the Amazon Affiliate program
My interaction with targeted advertising and other offers

Several of these absences can probably be explained by geographical causes: in general, I have used Amazon US more than Amazon UK, due to being based in El Salvador. Amazon has sites in the US, the UK, Canada, France, and Germany among others, and each likely stores its data separately (although they do share data – my Amazon US addresses show up on my Amazon UK address book). The data supplied to me generally only relates to Amazon UK. Equally, my textbook is sold primarily through Amazon US, with other countries being ‘extensions’ of that.

Interests and preferences could easily be inferred from my purchases, but I am surprised that there is no long-term storage of my Amazon search terms too (these seem to be handled by cookies, and thus removed when cookies are cleared).

I have no idea why there is no data related to my use of the Amazon Affiliate program, as this is a sub-division of Amazon UK (again, there are separate programmes for each country where Amazon operates).

I’m also interested by the lack of data about my interaction with targeted advertising. It makes sense for a company like Amazon to keep track of the offers and adverts they have shown me (such as those in the ‘New for You’ and ‘Recommended for You’ sections shown above), and particularly my response to them. Knowing whether I have clicked on an advert or not is very useful information that can be used to further refine the recommendations. I’m sure this data must be collected, but I suspect it is not included here as Amazon might not consider it ‘personal data’.

In The John Harris Files the author describes issues with various companies who did not elicit data because they do not consider it to be ‘personal data’, which is the only type of data covered by the Data Protection Act. I suspect this is one reason for the apparent lack of data provided by Amazon. Classifying data as ‘personal’ or not seems to be somewhat arbitrary however, particularly given that a large amount of anonymous data can actually reveal identities. Perhaps I need to follow up this CD with a few more data access requests…

ITGS Classroom Activities

What laws do other countries have relating to the protection of personal data? What rights are given to data subjects in these countries?
What other companies and organisations might store personal data about us? Could we make data access requests to them?
There are several exceptions to the rights granted under the UK Data Protection Act. Under these exceptions, an individual does not have the right to access certain data stored about them. See if you can find out what these exceptions are.