For a while, I was employed by a debt collection company (tracing people, not breaking fingers!) and my memory of the data protection legislation included something about personal data not being held any longer than needed for the immediate business at hand. This meant that once it has served its purpose, it had to be destroyed. If my memory is correct, then one has to wonder why BA feel it necessary to retain stuff such as the 3 digit security code from the rear of the cards.