All in the <head> – Ponderings and code by Drew McLellan –

Data Protection

Most web applications store an amount of personal data about their users, such as email and postal addresses, date of birth and so on. In the UK, the Data Protection Act lays out 8 principles which businesses and organisations storing such personal data must adhere to. There are exemptions (such as small clubs, etc.) but any company needing a decent-sized web application developed is likely going to need to register. One of the principles states that data must be kept up-to-date, and another that you should only keep the information for as long as you need it. This is an obvious area where a web application should be able to help the company meet its legal obligations, but I should imagine that few take the opportunity. Here’s an idea of how user-centric web applications could take some simple steps to help the companies they serve to make sure data is both up-to-date and kept no longer than necessary – posted mainly for my own purposes so that I don’t forget.

First of all you would define two business rules. The first is the length of time data should be held after the user last used the site – it might be something like three or six months. Each time the user logs in you timestamp a ‘last login’ column against their record. Then all you need to do is schedule a script to run through the database periodically and flag users who have been inactive for longer than 3 months for deletion. Larger RDBMSs will often enable you to schedule a stored procedure to do this. Neat.

The second rule you need to define is the guessable life-span of the data you’re collecting. If it’s someone’s snailmail address, you might decide that it’s likely to be good for at least 12 months. In a ‘last updated’ column mark the date the record was created. Update this column each time the user visits their profile page and makes a change to the data (importantly – not when your application programmatically updates the row, so a trigger wouldn’t work). When the user logs in, check that the date in this column isn’t more than 12 months ago – if it is, redirect the user to their profile page and don’t let them into the site until they’ve confirmed the details are correct.
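The two rules above, as an added example (not code from the original post) using Python's built-in sqlite3 module. The table layout, the `flagged_for_deletion` column, the function names and the 90-day and 365-day values are assumptions chosen for illustration.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed business rules; pick values that suit the data you hold.
RETENTION = timedelta(days=90)       # keep data this long after the last login
DATA_LIFESPAN = timedelta(days=365)  # how long an address is assumed to stay good

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE users (
        id INTEGER PRIMARY KEY, email TEXT, address TEXT,
        last_login TEXT NOT NULL, last_updated TEXT NOT NULL,
        flagged_for_deletion INTEGER NOT NULL DEFAULT 0)""")
    return db

def add_user(db, email, address, now):
    ts = now.isoformat()  # record creation counts as the first 'last updated'
    cur = db.execute(
        "INSERT INTO users (email, address, last_login, last_updated) VALUES (?,?,?,?)",
        (email, address, ts, ts))
    return cur.lastrowid

def flag_inactive(db, now):
    """Scheduled job: flag users whose last login is older than RETENTION."""
    cutoff = (now - RETENTION).isoformat()
    cur = db.execute(
        "UPDATE users SET flagged_for_deletion = 1 "
        "WHERE last_login < ? AND flagged_for_deletion = 0", (cutoff,))
    return cur.rowcount  # number of users newly flagged

def login(db, user_id, now):
    """Stamp last_login; return 'profile' if details must be confirmed, else 'home'."""
    (updated,) = db.execute(
        "SELECT last_updated FROM users WHERE id = ?", (user_id,)).fetchone()
    # Assumption: a fresh login clears a pending deletion flag.
    db.execute("UPDATE users SET last_login = ?, flagged_for_deletion = 0 WHERE id = ?",
               (now.isoformat(), user_id))
    stale = datetime.fromisoformat(updated) < now - DATA_LIFESPAN
    return "profile" if stale else "home"

def confirm_profile(db, user_id, address, now):
    """User-initiated save or confirmation: the only path that touches last_updated."""
    db.execute("UPDATE users SET address = ?, last_updated = ? WHERE id = ?",
               (address, now.isoformat(), user_id))

def normalise_address(db, user_id):
    """Programmatic change (hypothetical): deliberately leaves last_updated alone."""
    db.execute("UPDATE users SET address = UPPER(address) WHERE id = ?", (user_id,))
```

Because `last_updated` is written only in `confirm_profile`, application-side changes such as `normalise_address` do not reset the 12-month clock, which is the reason the post gives for not using a trigger.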

I’m not a lawyer (obviously) but I should imagine that if the company running the site were to be questioned on their compliance with the Data Protection Act, they could point to mechanisms such as those described here and it would be deemed that they have taken reasonable steps to ensure that data is both up-to-date and kept no longer than necessary. Not exactly rocket science, but something that could easily be added to a web application that would bring an awful lot of value.