• United States




How businesses address death, privacy and data quality

Oct 18, 20165 mins
Big DataInternet of ThingsPrivacy

How we as, a business community, should consider treating personal information when we learn someone has passed on.

data privacy ts
Credit: Thinkstock

I recently received a reminder from a social network to reach out to one of my friends. I’d love to do that, but the friend has been dead for many years, making the task very difficult. The reminder did get me to thinking about how we, as a business community, should consider treating personal information when we learn someone has passed on.

The data quality principle

The Organization for Economic Cooperation and Development, OECD, established 8 basic principles for the processing of personal information. The Data Quality Principle states that “Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.”

For me, this raises the question as to when, from an economic standpoint, is maintaining personal information about someone who is no longer with us “relevant.” Granted, there are many situations where the information is necessary for record keeping and legal purposes; I see no concerns in these areas. However, there are other areas where there may be less clarity.

Personal information collected for marketing purposes

Much of the personal information we collect as businesses is used to personalize marketing messages or, more generally, to drive sales. Someone who has passed on cannot make any purchases nor can they receive personalized messages from an organization. Is the personal information collected for marketing and sales purposes relevant any longer? I suggest it is not.

In fact, if the personal information is used, it may well irritate the family members or friends of the deceased. It may also make for an uncomfortable situation for anyone in the organization using the information.

For example, although my sons have moved out of our home many years ago, my wife and I still receive calls from telemarketers for them as well as direct mail. My response to telemarketers asking for one of my sons is usually “they are no longer with us.” This phrase implies that the person being called is deceased, but in fact, they are just no longer living with my wife and me. These words were chosen in the hopes that the caller will make the incorrect assumption, which I make no attempt to correct, and that my son will be taken off the callers list. (This has backfired on me once or twice, but that story is for another time.)

The reactions I get from telemarketers is predictable. The compassionate ones offer their condolences and we usually do not receive a call again. The gruffer ones hang up with a call recurring sometime within the next few weeks.

It is not just telemarketing where this situation applies. My father died several years ago. Direct marketing materials and other correspondence for him continues to be received by my mother.

If the target of the marketing effort has passed on, making the call or sending direct mail (and any follow-up) is a waste of organizational resources. The contact is potentially detrimental to the image of the organization in the eyes of the family receiving the contact and any friends the experience is shared with. All because the data is no longer relevant.

I suggest that organizations should put processes in place to recognize that an individual whose personal information has been collected is no longer with us requiring irrelevant information to be forgotten.

As an aside, I do not see a company needing to actively follow death notices — just to provide a process where notification can be received by a family member or friend.

Death and social networks

I started this entry by pointing out that a social network suggested I reconnect with a deceased friend. Social networks capture a tremendous amount of information about us. What should happen to that information after we pass on?

Some people would prefer it is deleted. Others would like it kept as a memorial. I suggest that the next of kin should make the determination. The challenge is how to identify the next of kin and their wishes for disposition of the personal information.

An impediment to this process is that laws (like the U.S. Stored Communications Act) makes it unlawful for someone who is not authorized to alter or prevent authorized access to electronic communications in storage.

Facebook, Twitter and LinkedIn all have forms to allow loved ones to request the deletion or memorialization of an account.

Google is more proactive. Google allows you to identify an individual who may access your account and determine its disposition if/when Google detects your account has become inactive. This approach provides authorization allowing someone to alter or delete the personal information.

Social networks are the tip of the iceberg

In the 21st century it is virtually impossible to survive without sharing personal information with many organizations. As the Internet of Things expands, as smart devices continue to grow in ubiquity, as organizations continue to thirst for more information about consumers, the collection of personal information, either actively or passively from individuals or from digital exhaust, will continue to grow.

Web-based services exist to delete a person’s accounts if they do not check in periodically, but these do not seem to be widely adopted. National and state laws are being implemented/discussed to address how your digital presence should be addressed after death; however statutes are slow to be instituted.

In the short term, to protect an organization against potential brand damage and/or financial liability, a privacy professional needs to work within their organizations to establish policies, standards, guidelines and procedures to determine how to address the disposition of personal information of the deceased.


Bob Siegel has extensive professional experience in the development of privacy policies and procedures, the definition of performance metrics to evaluate privacy maturity, and the evaluation of compliance. He has extensive experience with PCI DSS and Safe Harbor and has deep subject matter knowledge surrounding key laws and regulations regarding consumer privacy and information security.

Throughout his career Bob has worked with computer applications and business practices that guard personal information. In addition to developing these systems, he trained employees to use them properly and efficiently. As the collection of personal information has increased, he has developed new approaches to help his organizations protect their sensitive data (both electronic and paper-based).

Bob is a Certified Information Privacy Professional, awarded from the International Association of Privacy Professionals, with concentrations in US Law (CIPP/US), European Law (CIPP/E), and Canadian Law (CIPP/C). He is also a Certified Information Privacy Manager (CIPM) and a Certified Information Privacy Technologist (CIPT). He is a member of the IAPP faculty and has served on the Certification Advisory Board for its Certified Information Privacy Manager (CIPM) program as well as the Publications Advisory Board. He was also recently awarded as a “Fellow of Information Privacy” by the IAPP.

Most recently, Bob served as senior manager of Worldwide Privacy and Compliance for Staples, Inc., where his responsibilities included development, awareness, and compliance of global privacy-related policies and procedures for more than 60 business units in 26 countries.

A seasoned program management expert, Bob has a long record of accomplishments in business planning, information privacy, sales support, customer support, application development, and product management. He has helped executive teams convert strategic plans into programs with well defined, measurable outcomes. He also has created realistic program schedules and budgets, resolved critical path issues, managed risks and delivered results consistently on time and within budget.

Bob can be reached at

The opinions expressed in this blog are those of Bob Siegel and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.