I work as a quality manager for a telecoms company and I’m looking into DPA when monitoring agent/advisor calls.
Is there certain information an agent has to confirm to ensure they are speaking to the customer? Does this differ on Inbound calls and outbound calls?
Is there certain information an agent cannot give out over the telephone i.e. customer telephone number, customers address?
I work as a Trainer for a contact centre in Financial Services. We avoid qs such as DOB, Add and Name as proof of identity as that information is now so readily available in the public domain. Once you get a name and do a google search you can obtain their address and DOB very quickly. We tend to stick to qs that are more personal about the account held with us. Does anyone else share this view?
We also wouldnt share any account information via email as email accounts can be created so easily and be fake its very hard to prove your interacting with the genuine client. I think some companies can but only through a secure password protected network addressed to a verified email address.
Answer thanks to Lucy
There are no set questions within the data protection act, it advises that a company must take reasonable steps to ensure they have checked and confirmed the identity of the person calling. Most companies I have called myself and worked for generally ask for a postcode and date of birth after taking the callers name and agreement/reference/account number.
As long as you have asked some relevant ‘security’ questions your responsibility has been covered and anyone calling and ‘pretending’ to by your customer is then the one breaking the law.
It is critical to have security questions confirmed to ensure the account related details are being shared with the subscriber only.However,the security check may not be needed for general queries like,what are the new offers etc, as they dont involve account details.
The mandate can be at least two good checks like:
a. Billing address
b. Landline telephone number
c. Last recharge done
d. Last bill paid
Our agents will always ask the caller to confirm 3 pieces of information on both inbound/outbound calls – usually the name address and date of birth.
With reference to the second question relating to what information cannot be given to a customer, in short an agent cannot give any personal infomation or personal data about the customer, to the customer, without first verifying the customer’s identity through the DPA check.
Some organisations allow their customers to set their own security password. This can be very effective as it can be something personal to the customer and something that is not as easy to guess such as post code, date of birth or Landline telephone number.
FCC Guidelines need to be followed. A caller needs to verify their name and last four of the primary acct holders social. If there is a password, then the password is the primary security method. If the caller is not the billing name, or listed as an authorized user, it doesn’t matter what info they verify. They get no access.
As far as acct info that is provided to a fully qualified caller, is also very limited. We will not release any acct info, but we can verify it. We will release information such as balance, payments, usage, rate plans, features, and so on. But absolutely no personal data will be provided. This includes specific phone numbers that were called or received, date and time of calls, and so on.
The very worse that can happen is someone might be able to slip in and change a plan or service. That can easily be fixed. But by releasing specific data, it could actually aid someone with bad intentions of locating a person to do possible harm.
If a customer calls in relation to their account, they give their account number then the operator can see their personal information and they start the conversation…”Ok am I speaking to Steve Jones?” customer answers “Yes”, then operator asks,”For data protection reasons can you confirm your postcode, first line of your adress and your postcode?”
Because you have used the name before asking data questions (maybe just the first name)is this a breach of data protection as it’s not a security type of question?
I have recently been given 2 DPA fails on my call quality due to not confirming the customers middle name. They confirmed their first and last name along side full address and date of birth. I was under the impression that asking all the necessary questions and you are confident you are speaking with the account holder that a middle name would not be such an issue. Can somebody help?