Nigel

The great thing about this list is you end up focussing on bits of the DPA you might otherwise not! 

No comment on the security aspect - your points are all correct / valid..

Re the automatic decision making.  I am not sure you have entitlement under section 12 - as I'm sure they would argue that the condition in sub-section (7) is made out as they offer you the opportunity to comment/correct etc (I know you will say that this comes too late, you were embarrassed).  Sub-section 12(6) clearly applies to you, I'd say.  So if section 12(7) does apply also the decision is an "exempt decision" to which section 12 does not apply. 

Of course, if this is wrong, and if sub-section 12(7) did NOT exempt them, they might just terminate your credit agreement!   They can't - to state the obvious - set up processes to deal just with you and until enough people give notice to justify such changes, they can just terminate those few of us who complain about such things.  

But you are - I agree - entitled under section 7(1)(d) to get the logic under an SAR.

Good luck, and let us know what happens:

Renzo 


Renzo Marchini 
Counsel
Dechert LLP 
+44 (0) 20 7184 7563 direct 
+44 (0) 20 7184 7001 fax 
[log in to unmask]
www.dechert.com

-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Nigel Roberts
Sent: 09 May 2008 14:09
To: [log in to unmask]
Subject: [data-protection] Automated decision making (refusal of credit)

Makes a change from spammers .. any thoughts?

----------------------------------------------------------------------
Dear Sirs

I understand from your customer service department that XYX Bank is now 
the owner and operator of Ronnie Arbuckle Platinum MasterCard accounts. 
Your website states "Cards are issued by XYZ Bank plc. Registered in 
England No. 1820999"

I hold such a  credit card account from you (4111 1111 1111 1111). 
Yesterday I attempted to use my card to make a small purchase on a 
website in the amount of approximately £53.  You refused to pay the 
merchant.   I had to use my VISA card issued by another bank.

Today I received a call, purportedly from your bank, requesting security 
details in an unsolicited call.

I refused  to give my security details out to the caller the called was 
unsolicited and unverified and this is is contrary to good Data 
Protection practice. However I agreed to call your Card Service 
department back which I did by calling the number on the card. As I work 
in e-commerce I am fully aware and support security checks in e-commerce 
systems.

Sadly, it is clear your security department (as shown above) seem to 
disregard elementary security of the customer  when making telephonic 
security checks as your current policy of asking for security actively 
encourages 'bad guys' to make similar unsolicited requests for security 
sensitive material as these are to be expected as a matter of routine 
from your bank!! (Another bank I use tells me "never give out your 
security information to an unsolicited caller!").

After being put through to the Security Department and identifying 
myself it was confirmed that you had refused me credit but that your 
bank would now allow the charge if the retailer represented it.

I explained that I use my MasterCard for business expenses, when 
travelling. Had I been trying to purchase an airline ticket from a 
remote place  I would have found myself in some considerable difficulty.

I spoke with several operatives, all of  which would only tell me that 
the card had been declined "until I passed security check" and that 
"airline tickets were high risk".

No credit card is of any use to a business traveller unless it can be 
relied upon.  Your Platinum brand credit card account is certainly not 
that when you refuse a request for credit on it for a mere £53 without 
good reason. (This account is, and always has been, settled in full at 
the end of each month, incidentally)


YOUR REFUSAL TO COMPLY WITH THE ACT

Your bank tells me that it will never disclose why you refused me credit 
last night. I was categorically told by Richard Roe that you will never 
reveal the process or procedure your computer used to decide to refuse 
my request for £53 of credit. I told him that I has entitled under the 
Data Protection Act to a full history of the transaction attempt, 
including the data sent and received between Air France, Mastercard, and 
yourselves. I also told him (relying on the ICO's advice at was also 
entitled to the details of the algorithm used in the automated decision 
making. She told me that under no circumstances would your bank disclose 
the reasons used to decline my card.

I have been refused credit by your bank. This has caused inconvenience. 
The decision was made by an automated process. I am thus entitled under 
the Data Subject Access provisions to an explanation of the algorithm 
used. Please supply the information requested within the statutory time 
limit. I confirm that I am prepared to pay a fee (if any) up to the 
statutory maximum.

Should you refuse to supply the information to which I am entitled 
regarding the automated refusal of credit, I may without further notice 
issue proceedings for an Order requiring you to do so. I will also make 
a Formal Complaint and Request for Assessment to the Information 
Commissioner's office regarding your refusal to comply with the Act in 
respect of automated decision making.

Please note that I also have a right to prevent automated processing 
under s.12 of the Act. I attach a notice in the form recommended by the 
Information Commissioner's Office.

Notice under section 12(1) of the Data Protection Act 1998 to prevent 
processing of personal data by automatic means.

I request that you (whether directly or via an agent) do not make a 
decision about me, based solely on the processing by automatic means of 
my personal data for the purpose of evaluating matters which 
significantly affect me such as refusing credit.

Yours faithfully,



Nigel Roberts

-- 
Nigel Roberts, Director, Island Networks
4&5 St Anne's Walk, Alderney GY9 3JZ (via UK)
Tel. 0800 288 8978 (toll-free) or 0870 321 2281 (direct)
International: +44 1481 822800  Mobile +423 663 178200

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


  
 This e-mail is from Dechert LLP, a law firm, and may contain information that is confidential or privileged. If you are not the intended recipient, please delete the e-mail and any attachments, and notify the sender. Dechert LLP is a limited liability partnership registered in England & Wales (Registered No. OC306029) and is regulated by the Solicitors Regulation Authority. A list of names of the members of Dechert LLP (who are solicitors or registered foreign lawyers) is available for inspection at its registered office, 160 Queen Victoria Street, London EC4V 4QQ.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^