How far do you intend to take this?
As a Fellow of the British Computer Society I would readily give expert
evidence that the use of your account number as a password does not meet
adequate information security practices. I am sure there are many others
on this list who would do the same.
In fact, I am required by many places to present a utility bill
(landline phones not mobiles) as identification thereby giving out my BT
account number and access to this information.
It seems from their reply that your arrow has hit home, but that rather
like John Cleese (in MP&THG) the knight wants another leg or maybe an
arm chopped off.
Nigel
Tim Trent wrote:
> I now have received the following reply to my S10 notice:
>
> BEGINS
> Thank you for your email of 3rd February, in which- under s.10 of the Data
> Protection Act 1998- you asked us to stop processing your personal data in
> the context of the "last bill paid" BT SMS service. I have been asked to
> reply.
>
> As you may be aware, BT introduced this facility, on a trial basis only,
> some weeks ago. We took the view initially that it was not necessary for
> customers to have to identify themselves by giving their account numbers. We
> came to this view in good faith on the basis that it is not possible to
> determine from the date disclosed whether a bill was paid on time or what
> the size of the last bill was. We also considered that the information in
> question was perhaps unlikely to be capable of "having an adverse impact on
> the individual" (to quote the Information Commissioner guidance on the
> "Durant case") and might therefore not constitute personal data.
>
> However, we now appreciate that not all customers share this view- and
> accept that disclosure of the information (i.e. without customer consent) is
> capable of having an adverse impact. Accordingly, we amended the
> functionality at the beginning of last week, and, customers are now required
> to submit their account numbers before "date of last bill paid" information
> is disclosed to them. In introducing the original functionality, we were
> responding to the growing demand for customers to be able to access account
> information quickly (and often without having information about their
> account to hand). Whilst it is sometimes difficult to find the right balance
> between accessibility and security, I can assure you that the security of
> our customers' data is of great importance to us- and that is why we moved
> quickly to amend this service as soon as we were aware that some customers
> had concerns.
>
> In closing, the concern you expressed in your s.10 notice was that your
> personal data was being processed without your consent. We consider that the
> introduction of the requirement for account number effectively meets this
> concern- and that we have now complied with your notice. You may also wish
> to note that the Office of the Information Commissioner has also confirmed
> that it believes "the requirement for the account number as well as the
> telephone number provides an appropriate security measure".
>
> Thank you for drawing our attention to this matter.
> ENDS
>
> It comes from the very nice manager in Customer Service who has doubtless
> been instructed to reply in this manner.
>
> I have rejected this as follows:
>
> BEGINS
> I do not accept that the additional small safeguard is sufficient to
> meet my requirements for BT to cease processing my personal data in
> this manner.
>
> You have therefore not made an adequate reply. My Section 10 notice
> stands. I require you to stop processing my phone number in this
> manner. I absolutely prohibit you from transmitting details about my
> telephone account payment details by SMS message to me unless I give
> specific authorisation.
> ENDS
>
> Additionally I have passed the reply to the UKIC as evidence. But I do not
> expect to prevail here. What it looks like is that BT are choosing to win
> the battle, but have lost sight of their customers and our needs.
>
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Tim Trent
> Sent: 10 February 2006 18:01
> To: [log in to unmask]
> Subject: [data-protection] BT SMS Self Service
>
> Well, 5pm came. And went. 5:45 I had a call "Hello Mr Trent. I only just
> got this email".
>
> I explained that I was in process of printing off the complaint forms.
>
> It will be escalated to a manager on Monday.
>
> I have also spoken to a man in Bombay who insisted that I wanted to talk
> about a different service.
>
>
>
> Tim Trent - Consultant
> Direct: +44(0)1344 392644 Mobile:+44(0)7710 126618
> email: [log in to unmask]
> <blocked::mailto:[log in to unmask]>
> Marketing Improvement Limited, Abbey House, Grenville Place, Bracknell,
> United Kingdom, RG12 1BP <blocked::http://www.marketingimprovement.com/>
> http://www.marketingimprovement.com
>
>
>
>
>
> Important: This mail contains proprietary information some or all of which
> may be legally privileged. It is for the intended recipient only. If an
> addressing or transmission error has misdirected this email, please notify
> the author by replying to this email. if you are not the intended recipient
> you must not use, disclose, distribute, copy, print or rely on this email.
> If you are not the named recipient please notify us immediately. This email
> and any attachment(s) are believed to be virus-free, but it is the
> responsibility of the recipient to make all the necessary virus checks. This
> email and any attachments to it are copyright of Marketing Improvement
> Limited unless otherwise stated. Their copying, transmission, reproduction
> in whole or in part may only be undertaken with the express permission, in
> writing, of Marketing Improvement Limited.
>
>
>
>
>
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
>
> All archives of messages are stored permanently and are
>
>
>
> available to the world wide web community at large at
>
>
>
> http://www.jiscmail.ac.uk/lists/data-protection.html
>
>
>
> If you wish to leave this list please send the command
>
>
>
> leave data-protection to [log in to unmask]
>
>
>
> All user commands can be found at : -
>
>
>
> http://www.jiscmail.ac.uk/help/commandref.htm
>
>
>
> Any queries about sending or receiving message please send to the list owner
>
>
>
> [log in to unmask]
>
>
>
> (all commands go to [log in to unmask] not the list please)
>
>
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
>
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
>
> All archives of messages are stored permanently and are
>
>
>
> available to the world wide web community at large at
>
>
>
> http://www.jiscmail.ac.uk/lists/data-protection.html
>
>
>
> If you wish to leave this list please send the command
>
>
>
> leave data-protection to [log in to unmask]
>
>
>
> All user commands can be found at : -
>
>
>
> http://www.jiscmail.ac.uk/help/commandref.htm
>
>
>
> Any queries about sending or receiving message please send to the list owner
>
>
>
> [log in to unmask]
>
>
>
> (all commands go to [log in to unmask] not the list please)
>
>
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|