Data Protection Question
Hi everyone, I’m new here and hoping desperately that someone can help. On Monday I was called into a disciplinary meeting relating to a DPA FAIL. The company’s disciplinary procedure was not followed one bit, but this is beside the point at present and will be dealt with too.
I have been accused of a DPA breach, and as far as I can tell, this is not the case. I work for a small Mobile Phone Network Operator specialising in international calls.
Customers often call up and their SIM cards are NOT registered with their personal details (e.g. name, address, etc.). In such cases, we are required to get confirmation of 3 pieces of info relating to the activity on the SIM.
For example 3 common pieces of info we go by are:
- How much was the last top up? (e.g. £5, £10)
- When was the last top up made? (e.g. 7 days ago)
- Which countries do you call/provide phone number? (e.g. Spain, Italy, 0012345678910)
Now a lot of the time we would ask 3 questions to get the 3 answers.
However, in my case and the specific call in question, the customer called in and gave me 2 of the above answers himself. That is, he called up and stated without me asking ‘My last top up was for £10 and it was made 6 days ago’.
I have then asked him where he calls, to which he responded ‘Spain’. All of the 3 pieces of information gathered from the customer matched what was on his file, and requests were processed by myself for him.
Management are claiming that I have breached DPA because I only asked 1 security question.
When I put it to them that the customer had already confirmed 2 other pieces of information for me himself, they said that I would still have needed to ask him the 2 questions.
That is, ask 2 questions that I already know the answers to/that the customer has already given me the answers to, and that have already been confirmed to be correct as far as what’s on the customer’s file.
Is this a DPA breach?
By this logic, if a customer’s SIM is registered, and he calls up and says ‘my name is John Smith, I live at XYZ, and my date of birth is 123’, I would have to ask him for his name, address, and DOB, for him to confirm all over again! I suppose to show that I have asked 3 questions.
I’m really sorry for this being long winded.
I would appreciate more than words can describe if anyone with good knowledge of DPA could assist. I will be contacting management imminently and need to know where I stand.
Question asked by Buddy X
The onus in the DPA legislation is that you should be sure that you are speaking to the person whose personal information you are discussing or amending.
The above suggests a company policy designed to ensure this is achieved. Based on what you discuss, it would seem to me to be a breach of the DPA, more not adhering to the company guidelines/policy on how to avoid breaching the DPA.
The DPA is an odd one because ultimately you are personally liable if you do breach it, but the reality is, in many cases the law doesn’t apply to most of the situations you are presented with.
A great example I used to use was this – if you can answer the caller’s queries with your screen turned off, you cannot breach the DPA.
With thanks to robtuck
The basic reason it has failed DPA is the essential rule, that some information can be picked up by the person imitating the real account holder.
It takes seconds to ask the questions and reconfirm you are speaking to the account holder. This not only provides reassurance to the caller that the company values their account but also adheres to DPA legislation.
It is a win-win situation. No caller will get angry if you clearly explain why you have had to reconfirm the answers to the pre-empted questions. Hope this helps.
With thanks to beatrice51
Purpose of Call
I would have to ask: what was the caller calling about today?
Data Protection is only there if you were to give some information about the company.
If you call us today and raise a Fault Report, we will do this but not tell you the email address we have without asking DPA. If you want to pay us money to the account number you quoted but failed DPA, we would take the payment.
The reason we do this is that we often have family who call on behalf of the account holder, who is at work etc., to make a payment etc.
Breaching DPA all depends on what the person was calling about. I get angry at call centers who ask for my personal information when they do not yet know what the call is about. Doing that is against the law, as you are gathering my information with a real reason of gathering it.
With thanks to KrisUK
If a third party rings on behalf of a friend and you speak to the person whose account it is before taking the person’s name, and if he gives you permission, have you broken data protection?
With thanks to buzzhouse
Have You Made Reasonable Precautions?
Data protection gets confused a lot with common sense.
The big question is really have you made reasonable precautions that
- The person acting on behalf of the friend had the authority to do that
- That you had gone through sufficient security procedures to check that they had correct access to the account.
If you have done this then legally you should be OK. But if your company mandates that you deal in a particular sequence then you may still have broken the company’s rules.
With thanks to Jonty