Question: What level of security questions need to be asked?
I work as a quality manager for a telecoms company and I’m looking into DPA when monitoring agent/advisor calls.
Is there certain information an agent has to confirm to ensure they are speaking to the customer? Does this differ on inbound calls and outbound calls?
Is there certain information an agent cannot give out over the telephone i.e. customer telephone number, customer's address?

There are no set questions within the Data Protection Act; it advises that a company must take reasonable steps to ensure they have checked and confirmed the identity of the person calling. Most companies I have called myself and worked for generally ask for a postcode and date of birth after taking the caller's name and agreement/reference/account number.
As long as you have asked some relevant ’security’ questions your responsibility has been covered and anyone calling and ‘pretending’ to be your customer is then the one breaking the law.
Comment by Carl Nightingale — 15 Jan 2009 @ 12:23 pm
It is critical to have security questions confirmed to ensure the account related details are being shared with the subscriber only. However, the security check may not be needed for general queries like what are the new offers etc., as they don't involve account details.
The mandate can be at least two good checks like:
a. Billing address
b. Landline telephone number
c. Last recharge done
d. Last bill paid
Comment by Pinaz — 15 Jan 2009 @ 4:28 pm
Our agents will always ask the caller to confirm 3 pieces of information on both inbound/outbound calls – usually the name, address and date of birth.
Comment by Mark Andrews — 15 Jan 2009 @ 6:39 pm
With reference to the second question relating to what information cannot be given to a customer, in short an agent cannot give any personal information or personal data about the customer, to the customer, without first verifying the customer’s identity through the DPA check.
Comment by Janette Coulthard — 16 Jan 2009 @ 3:07 pm
Some organisations allow their customers to set their own security password. This can be very effective as it can be something personal to the customer and something that is not as easy to guess such as post code, date of birth or Landline telephone number.
Comment by Neil Wilkins — 4 Feb 2009 @ 4:09 pm
FCC Guidelines need to be followed. A caller needs to verify their name and last four of the primary acct holder's social. If there is a password, then the password is the primary security method. If the caller is not the billing name, or listed as an authorized user, it doesn’t matter what info they verify. They get no access.
As for acct info that is provided to a fully qualified caller, it is also very limited. We will not release any acct info, but we can verify it. We will release information such as balance, payments, usage, rate plans, features, and so on. But absolutely no personal data will be provided. This includes specific phone numbers that were called or received, date and time of calls, and so on.
The very worst that can happen is someone might be able to slip in and change a plan or service. That can easily be fixed. But by releasing specific data, it could actually aid someone with bad intentions of locating a person to do possible harm.
Comment by Jeff — 4 Mar 2009 @ 1:17 am
If a customer calls in relation to their account, they give their account number then the operator can see their personal information and they start the conversation… “Ok, am I speaking to Steve Jones?” customer answers “Yes”, then operator asks, “For data protection reasons can you confirm your postcode, first line of your address and your postcode?”
Because you have used the name before asking data questions (maybe just the first name), is this a breach of data protection as it’s not a security type of question?
Thanks
Comment by Luke — 11 Jun 2010 @ 9:19 pm