APPENDIXES

APPENDIX 1.-CITICORP POS INFORMATION SERVICES RESPONSES TO ADDITIONAL QUESTIONS

I wish to thank you for the invitation to appear before your Subcommittee at its May

Subsequent to the meeting, you asked that Citicorp POS respond to certain

Question 1: Does Citicorp have concerns that data protection restrictions

Answer: Data protection proposals in Europe, Japan and other countries

sector currently plays an important role in providing expertise on U.S. data protection developments. We have established good working relations with data protection authorities in Europe and elsewhere which should help in formulating provisions that are fair to all parties.

There are a variety of U.S. Government agencies, departments and

Some examples of potential problems are:

The European Commission has made it clear that nations may impose restrictions on use and interconnection of telecommunications services and facilities if those restrictions legitimately flow from bona fide data privacy concerns. This allowance is tolerated even under EC market opening initiatives.

The Council of Europe has promulgated a data protection Convention which allows the COE member states to "prohibit or subject to special authorization transborder flows of personal data" going to another country if the regulations of that country fail to provide "equivalent" data protection. Similar rights are accorded if the data would transit a country with regulation failing to provide "equivalent" data protection. Denmark, France, Germany, Luxembourg, Spain and the UK have so far ratified into law the COE Convention. However, Italy, Greece and Portugal have no data protection laws.

Question 2: Could you clarify the respective rights of Citicorp and participating supermarkets over possession and use of identifiable consumer information generated by "frequent buyer" programs? What information can the supermarkets maintain and use and what information can Citicorp maintain and use?
Answer: Under our existing agreements with retailers, Citicorp POS is the

Question 3: You testified that Citicorp will not release purchase information that might be detrimental to consumers. Could you provide some examples of what type of purchase information would be withheld under this standard?

Answer: When we say that Citicorp POS will not release purchase information that might be detrimental to consumers we mean that we carefully consider the potential impact on consumers of a proposed use to the data before we authorize the use. By way of example, Citicorp POS would not make its database available to a life insurance company for the purpose of excluding smokers from an offer nor would we make our database available to a cigarette manufacturer for the purpose of distributing discount coupons to non-smokers.

Question 4: You testified that Citicorp does not respond to requests for information about specific individuals without their consent or a court order.

4a: Do the supermarkets that collect the information operate under the same policy?

Answer: Information on consumer purchases, while collected electronically through the supermarket cash register, is transferred nightly over phone lines to Citicorp POS where it is entered into Citicorp's main frame computers. The supermarket does not have the information to provide. It can only obtain the information from Citicorp POS for use in marketing to, or otherwise communicating with, its own customers. If a supermarket were to request that Citicorp POS provide information so that the supermarket could provide it to a third party we would not supply it since it would run counter to our policy not to provide such information absent the consumer's consent or a court order.
Question 4b: How would you advise a supermarket to respond in the

Answer: As mentioned in response to the previous question, the

Also, Citicorp POS might well not have in its database information as to who bought those items on the day in question. We are continually assessing our database to determine the precise level at which we should maintain data. We are considering compressing the data to a level other than individual transactions. Were we to so compress our data we may not, for example, be able to identify the specific day of the week on which any individual bought the items in question or the specific form (e.g. a can) of the item which the consumer bought.

Question 4c: If a court order is received for a copy of the identifiable records of a specific consumer, will Citicorp and/or participating supermarkets notify the consumer of the court order in order to allow the consumer to contest the order?

Answer: As a general rule, Citicorp POS would notify the consumer that a

Question 5: The Video Privacy Protection Act (Public Law 100-618) provides

5a: Does Citicorp have a policy about the destruction of personally identifiable records generated through the supermarket program?

Answer: At present, Citicorp POS does not have a set policy which calls for destruction of data after a given date. We are interested in storing only the data we need. As we gain greater knowledge of the depth of information needed by our customers to make informed marketing decisions, we will be in a better position to establish a data destruction policy.

During the question and answer period following the formal presentation, you asked that I supply the Subcommittee with a sample of the form of program application currently being used by Citicorp POS. I am enclosing for the Subcommittee's use a dozen copies of the type of application being used in connection with our Reward America program.
You will note that on the inside page of the application consumers are advised that their purchases will be automatically recorded and that they will be receiving offers and information from the retailer and third parties based on their purchases. Consumers are also given the option not to have their purchase information disclosed by merely checking the box at the bottom of the application.

I hope the foregoing will be of assistance to the Subcommittee. Should you have any further questions, please feel free to contact us.

Sincerely yours,

Gerald Saltzgaber