Answers: What Level of Security Questions Need to be Asked?

I work as a quality manager for a telecoms company and I’m looking into DPA when monitoring agent/advisor calls.

Is there certain information an agent has to confirm to ensure they are speaking to the customer? Does this differ on Inbound calls and outbound calls?

Is there certain information an agent cannot give out over the telephone, i.e. customer telephone number, customer's address?


I work as a Trainer for a contact centre in Financial Services. We avoid qs such as DOB, Add and Name as proof of identity as that information is now so readily available in the public domain. Once you get a name and do a Google search you can obtain their address and DOB very quickly. We tend to stick to qs that are more personal about the account held with us. Does anyone else share this view?
We also wouldn't share any account information via email, as email accounts can be created so easily and be fake; it's very hard to prove you're interacting with the genuine client. I think some companies can but only through a secure password protected network addressed to a verified email address.

Answer thanks to Lucy


Published On: 20th Jan 2009 - Last modified: 19th Sep 2019

  1. There are no set questions within the Data Protection Act; it advises that a company must take reasonable steps to ensure they have checked and confirmed the identity of the person calling. Most companies I have called myself and worked for generally ask for a postcode and date of birth after taking the caller's name and agreement/reference/account number.

    As long as you have asked some relevant ‘security’ questions your responsibility has been covered and anyone calling and ‘pretending’ to be your customer is then the one breaking the law.

    Carl Nightingale 15 Jan at 12:23 pm
  2. It is critical to have security questions confirmed to ensure the account related details are being shared with the subscriber only. However, the security check may not be needed for general queries like what are the new offers etc., as they don't involve account details.

    The mandate can be at least two good checks like:

    a. Billing address
    b. Landline telephone number
    c. Last recharge done
    d. Last bill paid

    Pinaz 15 Jan at 4:28 pm
  3. Our agents will always ask the caller to confirm 3 pieces of information on both inbound/outbound calls – usually the name, address and date of birth.

    Mark Andrews 15 Jan at 6:39 pm
  4. With reference to the second question relating to what information cannot be given to a customer, in short an agent cannot give any personal information or personal data about the customer, to the customer, without first verifying the customer’s identity through the DPA check.

    Janette Coulthard 16 Jan at 3:07 pm
  5. Some organisations allow their customers to set their own security password. This can be very effective as it can be something personal to the customer and something that is not as easy to guess such as post code, date of birth or Landline telephone number.

    Neil Wilkins 4 Feb at 4:09 pm
  6. FCC Guidelines need to be followed. A caller needs to verify their name and last four of the primary acct holders social. If there is a password, then the password is the primary security method. If the caller is not the billing name, or listed as an authorized user, it doesn’t matter what info they verify. They get no access.

    As far as acct info that is provided to a fully qualified caller, is also very limited. We will not release any acct info, but we can verify it. We will release information such as balance, payments, usage, rate plans, features, and so on. But absolutely no personal data will be provided. This includes specific phone numbers that were called or received, date and time of calls, and so on.

    The very worst that can happen is someone might be able to slip in and change a plan or service. That can easily be fixed. But by releasing specific data, it could actually aid someone with bad intentions of locating a person to do possible harm.

    Jeff 4 Mar at 1:17 am
  7. If a customer calls in relation to their account, they give their account number then the operator can see their personal information and they start the conversation… “Ok am I speaking to Steve Jones?” customer answers “Yes”, then operator asks, “For data protection reasons can you confirm your postcode, first line of your address and your postcode?”
    Because you have used the name before asking data questions (maybe just the first name) is this a breach of data protection as it’s not a security type of question?

    Luke 11 Jun at 9:19 pm
  8. I have recently been given 2 DPA fails on my call quality due to not confirming the customer's middle name. They confirmed their first and last name alongside full address and date of birth. I was under the impression that asking all the necessary questions and you are confident you are speaking with the account holder that a middle name would not be such an issue. Can somebody help?

    Tania 4 Aug at 4:22 pm
  9. I called EE on Saturday an agent I called completed DPA with me. I then went on to ask for manager. The manager then asked the agent was security complete and the agent informed him that it was, which was correct. I then asked the manager to call me back on different number that was not on my account. When the manager called me he didn't ask security… Was DPA breached?

    padraig 24 Apr at 4:45 pm