On the case - April 3rd 2006
Question: Our inbound customer service department may not be taking enough care on the phone to prevent disclosure of information to unauthorised persons. I want to write a set of procedures, can you give me some tips?
Answer: Without procedures and training, call centre staff - in a bid to be helpful - risk exposing themselves and their companies by disclosing information when they shouldn't.
Your protocol for satisfying security should be based on common sense, as there is nothing in the Data Protection Act 1998 that defines what you should do when responding on the phone. But the UK's information commissioner has published some helpful guidelines, which can be found on www.ico.gov.uk - click on best practice notes.
If your company is in the international arena, be aware the caller may be outside the EEA and the act requires measures to be in place for the export of data to countries that do not have adequate protection to safeguard the data.
Beyond the mischief-making individual who may, by repeat calling, try to build up a knowledge of the data available to unsuspecting operators, the most common requests you will get for disclosure of data to a third party are where there are sick parents or where there is a divorce, separation or some other family or business trauma.
In the case of the former, your protocol should be sufficient that your operators are confident the person calling is acting on behalf of the data subject.
For the latter, you are on more dangerous ground because detailed information may previously have been available to the caller.
I would advise that you find an easy way to request some form of evidence to identify your customer beyond name, address, account number - a password, or my favourite, a childhood pet's name.
Increase your security questions as the disclosure of information becomes more sensitive, or as the actions that may be taken by the caller have more implications for the account you are dealing with. For instance, changing an address without authorisation may deliver personal information and products into a third party's hands (particularly if payment is by continuous credit card or direct debit). If your operators are not confident, they should not be frightened of saying no and asking for more evidence, perhaps by fax or post, before they will proceed to discuss the individual's account.
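The tiered approach described above (and the repeat-caller pattern mentioned earlier) can be written down as a checkable policy rather than left to each operator's judgement. The following is an added example, not part of the column or any official guidance: the action names, tiers, factor names, time window and threshold are all hypothetical, and the call log is constructed for the demonstration. It shows a step-up rule where low-impact requests need only the basic identifiers, disclosure of account detail needs a shared secret, and actions that redirect information or goods (such as an address change) also need out-of-band evidence; any caller acting on behalf of the data subject needs written proof regardless of the action. It also flags a phone number that repeatedly fails verification against different accounts within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Identity factors an operator can check during a call (constructed list for this example).
BASE_FACTORS = ("name", "address", "account_number")
SECRET_FACTORS = frozenset({"password", "memorable_answer"})  # e.g. a childhood pet's name
OUT_OF_BAND = frozenset({"written_proof"})                    # evidence sent in by fax or post

# Hypothetical action catalogue: tier 1 discloses little, tier 3 redirects data or goods.
ACTION_TIER = {
    "balance_enquiry": 1,
    "statement_details": 2,
    "change_address": 3,
    "change_payment_details": 3,
}


def requirements(action, caller_is_subject=True):
    """Return a list of factor groups; at least one factor from every group must be verified."""
    tier = ACTION_TIER.get(action, 3)  # unknown actions fall into the strictest tier
    groups = [frozenset({f}) for f in BASE_FACTORS]
    if tier >= 2:
        groups.append(SECRET_FACTORS)
    if tier >= 3 or not caller_is_subject:
        groups.append(OUT_OF_BAND)
    return groups


def decide(action, verified, caller_is_subject=True):
    """Decide whether the operator may proceed and report which groups still need evidence."""
    verified = set(verified)
    missing = [g for g in requirements(action, caller_is_subject) if not (g & verified)]
    return {"allowed": not missing, "missing": missing}


def flag_repeat_callers(calls, window=timedelta(hours=24), threshold=3):
    """Flag numbers with at least `threshold` failed or refused verifications inside a sliding window."""
    by_caller = defaultdict(list)
    for call in calls:
        if call["outcome"] != "verified":
            by_caller[call["caller"]].append(call["time"])
    flagged = set()
    for caller, times in by_caller.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(caller)
                break
    return flagged


# Constructed call log: one number probing several accounts and being refused each time.
T0 = datetime(2006, 4, 3, 9, 0)
CALLS = [
    {"time": T0, "caller": "+44700000001", "account": "A1", "outcome": "refused"},
    {"time": T0 + timedelta(hours=2), "caller": "+44700000001", "account": "A2", "outcome": "refused"},
    {"time": T0 + timedelta(hours=5), "caller": "+44700000001", "account": "A3", "outcome": "refused"},
    {"time": T0 + timedelta(hours=1), "caller": "+44700000002", "account": "A1", "outcome": "verified"},
    {"time": T0 + timedelta(days=2), "caller": "+44700000002", "account": "A1", "outcome": "refused"},
]

if __name__ == "__main__":
    # An address change with only a password verified is refused until written proof arrives.
    print(decide("change_address", ["name", "address", "account_number", "password"]))
    print(flag_repeat_callers(CALLS))
```

The point of returning the missing groups, rather than a bare yes/no, is that the operator can tell the caller exactly what further evidence is needed (fax or post, for example) instead of guessing; the repeat-caller flag gives supervisors a reason to review the recordings before the next attempt succeeds.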
My first pet's name would keep staff amused for weeks - but that's not something I am going to disclose to you!