Data Protection - that can't be right?

yippeedoo

My DMP starts on Oct 1st and I received a call on my work mobile yesterday from Virgin MBNA (1 of my 5 creditors) with regards to that.

As it's a work mobile I answered 'Hello, "my first name" speaking'. She answered 'is that Mr xxxxxxxx' to which I answered yes. She then began to talk to me about the information she'd received from CCCS, my pro-rata DMP payment, my balance, my arrears, etc, etc.

After a few minutes I realised that she hadn't asked me any security questions at all before revealing all my financial data. When I asked her about this, she said she didn't need to as she rang me and I had said I was Mr xxxxxxxx. That just didn't sound right to me. As I wasn't comfortable with that answer, I said I would call her back on the MBNA number to ensure she was who she said she was.

I called MBNA, got through to the same lady and she then proceeded to ask me the various security questions (that I'd expected before) before she would discuss anything further with me! Having passed :mad:, she explained that because I had rung her, I had to qualify who I was but when she rang me, she didn't have go through the security procedure with me!

I have no doubt at all that she is who she said she is so that isn't the issue. I just can't believe she can discuss my personal matters without qualifying who I am first with the security questions - that's the rules they set isn't it relating to the Data Protection Act?

Am I right here as we ended up having a debate about the rights and wrongs of data protection. If I'm right, I have no intentions at this point of doing anything about it, but it would be nice to have something up my sleeve should they stop being as co-operative as they are at the moment.

If they have messed up, what can I do about it? If it makes any difference whatsoever, MBNA make up about 35% of my total owed so it's a fair proportion.

CCCS_Sarah

yippeedoo wrote: »

My DMP starts on Oct 1st and I received a call on my work mobile yesterday from Virgin MBNA (1 of my 5 creditors) with regards to that.

As it's a work mobile I answered 'Hello, "my first name" speaking'. She answered 'is that Mr xxxxxxxx' to which I answered yes. She then began to talk to me about the information she'd received from CCCS, my pro-rata DMP payment, my balance, my arrears, etc, etc.

After a few minutes I realised that she hadn't asked me any security questions at all before revealing all my financial data. When I asked her about this, she said she didn't need to as she rang me and I had said I was Mr xxxxxxxx. That just didn't sound right to me. As I wasn't comfortable with that answer, I said I would call her back on the MBNA number to ensure she was who she said she was.

I called MBNA, got through to the same lady and she then proceeded to ask me the various security questions (that I'd expected before) before she would discuss anything further with me! Having passed :mad:, she explained that because I had rung her, I had to qualify who I was but when she rang me, she didn't have go through the security procedure with me!

I have no doubt at all that she is who she said she is so that isn't the issue. I just can't believe she can discuss my personal matters without qualifying who I am first with the security questions - that's the rules they set isn't it relating to the Data Protection Act?

Am I right here as we ended up having a debate about the rights and wrongs of data protection. If I'm right, I have no intentions at this point of doing anything about it, but it would be nice to have something up my sleeve should they stop being as co-operative as they are at the moment.

If they have messed up, what can I do about it? If it makes any difference whatsoever, MBNA make up about 35% of my total owed so it's a fair proportion.

As long as they are confident that you are the person they want to speak to, they are fine. Generally when companies ask for name, date of birth etc this is company policies rather than official protocol.

If you ever feel that a company has breached the data protection act then you would need to make a complaint to the information commissioner’s office.

GeorgeUK

If this is correct then the regulations should be changed. Anyone could just pick up the phone and say yes to the question asked. I would have thought that security questions would need to be asked, but don't know if this required.

Aside from that, you could send them one of the template letters asking them not to call you and that all communication be in writing only.

Izzie_Wizzie

CCCS_Sarah wrote: »

As long as they are confident that you are the person they want to speak to, they are fine. Generally when companies ask for name, date of birth etc this is company policies rather than official protocol.

Sorry but I have to disagree with you on this one. MBNA are in clear breach of the Data Protection Act here - regardless of whether the call was an inbound call to them or an outbound call to you, sufficient security questions MUST be asked in order to establish the identity of the individual before any account specific information or personal details can be discussed. There may be a slight variation in the type of questions asked dependent on whether the call is inbound or outbound, but as GeorgeUK rightly points out, anyone could answer yes to the question "is that Mr So-and-So". They cannot assume that just because you answered the phone and said yes to one question that you were the account holder.

All banking staff need to complete DPA training on a regular basis (usually annually) and it is normal banking practice to record calls for call monitoring/training purposes which include DPA adherence. The call should therefore be available for monitoring should you decide to put in a formal complaint.

CCCS_Sarah wrote: »

If you ever feel that a company has breached the data protection act then you would need to make a complaint to the information commissioner’s office.

If you do decide to make a complaint, I would advise putting in writing to Virgin/MBNA in the 1st instance, including details of the time and date of the call, together with the name of the member of staff you spoke to so that the call may be listened to. If this results in an unsatisfactory outcome, then I would suggest contacting the ICO

This may be of some help - http://www.ico.gov.uk

Hope you get it sorted

Izzie

CCCS_Sarah

Sorry, my answer was not worded the best.

I have copied a link to the ICO website that explains about this in detail, if you want to have a read through (hard going for a Friday afternoon)

http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_3#pt2-l1g7

The section I was referring to was section 7,3


Sarah

yippeedoo

Thanks for the replies - looks like this is a grey area doesn't it!

Having announced my first name, MBNA then asked me if I was Mr xxxxx and then started quoting facts and figures at me. So if that is deemed as being an acceptable security check, then I do find that strange particularly when dealing with something as personal as a DMP which I do not want publicised. It wouldn't be the first time where me/one of my mates has picked each others phone up and pretended to be them as a joke. If this had happened here, my privacy would have been violated.

However, although I feel that I do have a case, as I have said, I am not looking to pursue this at this time. MBNA are playing ball with me in sorting out my debt and I do not want to jeopardise that.

But, if I was to raise a complaint and it was proven as a data protection violation, what would happen? What would I get? What would MBNA get?

I'm not asking this as a 'what's in it for me' question, more as something to keep in my file as leverage should they start being unfair in the way they are responding to my DMP through CCCS.

CCCS_Sarah

yippeedoo wrote: »

Thanks for the replies - looks like this is a grey area doesn't it!

Having announced my first name, MBNA then asked me if I was Mr xxxxx and then started quoting facts and figures at me. So if that is deemed as being an acceptable security check, then I do find that strange particularly when dealing with something as personal as a DMP which I do not want publicised. It wouldn't be the first time where me/one of my mates has picked each others phone up and pretended to be them as a joke. If this had happened here, my privacy would have been violated.

However, although I feel that I do have a case, as I have said, I am not looking to pursue this at this time. MBNA are playing ball with me in sorting out my debt and I do not want to jeopardise that.

But, if I was to raise a complaint and it was proven as a data protection violation, what would happen? What would I get? What would MBNA get?

I'm not asking this as a 'what's in it for me' question, more as something to keep in my file as leverage should they start being unfair in the way they are responding to my DMP through CCCS.

If it was the case that someone pretended to be you, it wouldn’t be the operator at fault it would be the person pretending to be you (as long as they believed they were speaking to the correct person). This is the reason why many companies choose to do a number of checks.

I have attached this link that explains what would happen if in breach… section 13

http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_3#pt2-l1g13

Let me know how you get on with this one.

yippeedoo

Thanks Sarah.

Well there's no 'damage' or 'distress' on my part so that would rule out taking this further I guess.

I'll just keep it up my sleeve as a wrist-slapper rather than a threat!