On the case - April 2006
Without procedures and training, call centre staff – in a bid to be helpful – risk exposing themselves and their companies by disclosing information when they shouldn’t.
Your protocol for satisfying yourself about security should be based on common sense: nothing in the Data Protection Act 1998 defines precisely what you should do when responding on the telephone. However, the Information Commissioner has published some helpful guidelines, which can be found on www.ico.gov.uk by clicking on Best Practice Notes.
If your company operates internationally, be aware additionally that the caller may be outside the EEA, and that Principle 8 of the Act requires measures to be in place for the export of data to countries that do not have adequate protection to safeguard it.
In my experience, beyond the silver-tongued mischief-making individual who may, by repeat calling, try to build up knowledge of the data available to unsuspecting operators, the most common requests you will get for disclosure of data to a third party are those where there are sick parents or where there is a divorce, separation or some other family or business trauma.
In the case of the former, your protocol should be sufficient for your operators to be confident that the person on the phone is acting on behalf of the data subject.
For the latter you are on more dangerous ground, because detailed information may previously have been available to the caller.
I would advise that you find an easy way to request some form of evidence that will identify your customer beyond name, address and account number – a password, of course, or my personal favourite, a childhood pet’s name.
Increase your security questions as the information to be disclosed becomes more sensitive, or as the actions the caller may take have more implications for the account you are dealing with. For instance, changing an address without authorisation may deliver personal information and products into a third party’s hands (particularly if payment is by continuous credit card or direct debit).
If, at the end of the questions, your operators are not confident, they should not be frightened of saying no and asking for further evidence, perhaps even by fax or post, before they proceed to discuss the individual’s account.
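The escalating-questions procedure above, worked through as an added example of my own rather than anything from the column or the Information Commissioner's notes. The tiers, check names, evidence weights, thresholds, lock-out count and sample account are all constructed assumptions. Each request is mapped to a tier; the operator records what the caller says, every answer is compared against the record (secrets are stored hashed and compared in constant time, and the stored values are never echoed); a single wrong answer blocks disclosure and counts towards a lock-out, which blunts the repeat caller who probes an account over several calls; and when the evidence is insufficient the outcome is "escalate", meaning ask for written evidence by fax or post.

```python
"""Tiered caller-verification policy for a call centre help desk.

Added example, not from the column: the account data, check names, weights
and thresholds below are constructed assumptions used to illustrate the idea.
"""
from dataclasses import dataclass, field
from enum import IntEnum
import hashlib
import hmac


class Tier(IntEnum):
    BASIC = 1      # confirm the account exists, general product questions
    SENSITIVE = 2  # disclose balance or transaction history
    CHANGE = 3     # change address or payment details (assumed highest risk)


# Assumed mapping of caller requests to the tier of verification they need.
# Unknown requests are treated as the highest tier.
REQUEST_TIER = {
    "opening_hours": Tier.BASIC,
    "balance": Tier.SENSITIVE,
    "transactions": Tier.SENSITIVE,
    "change_address": Tier.CHANGE,
    "change_direct_debit": Tier.CHANGE,
}

# Evidence value of each check the operator can ask (assumed weights); a
# request is allowed only when every asked check passes and the weights of
# the checks asked reach the tier's threshold.
CHECK_WEIGHT = {"account_number": 1, "name_and_address": 1, "pet_name": 2, "password": 3}
REQUIRED_SCORE = {Tier.BASIC: 1, Tier.SENSITIVE: 4, Tier.CHANGE: 6}
MAX_FAILURES = 3  # lock the account after this many calls with a wrong answer


def _norm(s: str) -> str:
    """Collapse whitespace and case so spoken answers compare sensibly."""
    return " ".join(s.split()).lower()


def _digest(answer: str) -> str:
    return hashlib.sha256(_norm(answer).encode()).hexdigest()


@dataclass
class Account:
    account_number: str
    name: str
    address: str
    secret_digests: dict = field(default_factory=dict)  # check name -> sha256 hex
    failed_attempts: int = 0
    locked: bool = False


def make_account(account_number, name, address, **secrets) -> Account:
    """Store shared secrets hashed so a record dump does not leak the answers."""
    return Account(account_number, name, address,
                   {k: _digest(v) for k, v in secrets.items()})


def run_check(acct: Account, check: str, answer: str) -> bool:
    """Compare a caller-supplied answer with the record, never the other way round."""
    if check == "account_number":
        return hmac.compare_digest(acct.account_number, answer.strip())
    if check == "name_and_address":
        expected = _norm(acct.name + " " + acct.address)
        return hmac.compare_digest(expected, _norm(answer))
    stored = acct.secret_digests.get(check)
    if stored is None:
        return False  # customer never set this secret, so it cannot be passed by guessing
    return hmac.compare_digest(stored, _digest(answer))


def verify(acct: Account, request: str, answers: dict) -> str:
    """Return 'allow', 'escalate' (ask for written evidence) or 'refuse'.

    answers maps check name -> what the caller said. All supplied checks are
    evaluated and only the overall outcome is returned, so the operator has
    nothing to read back that tells the caller which question was wrong.
    """
    if acct.locked:
        return "refuse"
    tier = REQUEST_TIER.get(request, Tier.CHANGE)
    results = {c: run_check(acct, c, a) for c, a in answers.items() if c in CHECK_WEIGHT}
    if not results or not all(results.values()):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILURES:
            acct.locked = True
            return "refuse"
        return "escalate"
    score = sum(CHECK_WEIGHT[c] for c in results)
    if score >= REQUIRED_SCORE[tier]:
        acct.failed_attempts = 0
        return "allow"
    return "escalate"


if __name__ == "__main__":
    # Constructed sample customer; the secrets are made up for the demo.
    acct = make_account("12345678", "A. Customer", "1 High Street, Anytown",
                        pet_name="Rex", password="correct horse")
    print(verify(acct, "balance", {"account_number": "12345678",
                                   "name_and_address": "A. Customer 1 High Street, Anytown",
                                   "pet_name": "rex"}))
```

The operator workflow is: identify the request, ask the checks the tier calls for, type in the answers, and act on the single word that comes back. Keeping the failure counter on the account rather than on the call is what makes the repeat caller visible, and returning only the outcome keeps the operator from being talked into confirming partial details.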
My first pet’s name would keep your staff amused for weeks – but that’s something I am not going to disclose to a third party.