Nigel
The great thing about this list is you end up focussing on bits of the DPA you might otherwise not!
No comment on the security aspect - your points are all correct / valid.
Re the automatic decision making. I am not sure you have entitlement under section 12 - as I'm sure they would argue that the condition in sub-section (7) is made out as they offer you the opportunity to comment/correct etc (I know you will say that this comes too late, you were embarrassed). Sub-section 12(6) clearly applies to you, I'd say. So if section 12(7) does apply also the decision is an "exempt decision" to which section 12 does not apply.
Of course, if this is wrong, and if sub-section 12(7) did NOT exempt them, they might just terminate your credit agreement! They can't - to state the obvious - set up processes to deal just with you and until enough people give notice to justify such changes, they can just terminate those few of us who complain about such things.
But you are - I agree - entitled under section 7(1)(d) to get the logic under an SAR.
Good luck, and let us know what happens:
Renzo
Renzo Marchini
Counsel
Dechert LLP
+44 (0) 20 7184 7563 direct
+44 (0) 20 7184 7001 fax
[log in to unmask]
www.dechert.com
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Nigel Roberts
Sent: 09 May 2008 14:09
To: [log in to unmask]
Subject: [data-protection] Automated decision making (refusal of credit)
Makes a change from spammers .. any thoughts?
----------------------------------------------------------------------
Dear Sirs
I understand from your customer service department that XYZ Bank is now
the owner and operator of Ronnie Arbuckle Platinum MasterCard accounts.
Your website states "Cards are issued by XYZ Bank plc. Registered in
England No. 1820999"
I hold such a credit card account from you (4111 1111 1111 1111).
Yesterday I attempted to use my card to make a small purchase on a
website in the amount of approximately £53. You refused to pay the
merchant. I had to use my VISA card issued by another bank.
Today I received a call, purportedly from your bank, requesting security
details in an unsolicited call.
I refused to give my security details out to the caller as the call was
unsolicited and unverified and this is contrary to good Data
Protection practice. However I agreed to call your Card Service
department back which I did by calling the number on the card. As I work
in e-commerce I am fully aware and support security checks in e-commerce
systems.
Sadly, it is clear your security department (as shown above) seem to
disregard elementary security of the customer when making telephonic
security checks as your current policy of asking for security actively
encourages 'bad guys' to make similar unsolicited requests for security
sensitive material as these are to be expected as a matter of routine
from your bank!! (Another bank I use tells me "never give out your
security information to an unsolicited caller!").
After being put through to the Security Department and identifying
myself it was confirmed that you had refused me credit but that your
bank would now allow the charge if the retailer represented it.
I explained that I use my MasterCard for business expenses, when
travelling. Had I been trying to purchase an airline ticket from a
remote place I would have found myself in some considerable difficulty.
I spoke with several operatives, all of whom would only tell me that
the card had been declined "until I passed security check" and that
"airline tickets were high risk".
No credit card is of any use to a business traveller unless it can be
relied upon. Your Platinum brand credit card account is certainly not
that when you refuse a request for credit on it for a mere £53 without
good reason. (This account is, and always has been, settled in full at
the end of each month, incidentally)
YOUR REFUSAL TO COMPLY WITH THE ACT
Your bank tells me that it will never disclose why you refused me credit
last night. I was categorically told by Richard Roe that you will never
reveal the process or procedure your computer used to decide to refuse
my request for £53 of credit. I told him that I was entitled under the
Data Protection Act to a full history of the transaction attempt,
including the data sent and received between Air France, Mastercard, and
yourselves. I also told him (relying on the ICO's advice at was also
entitled to the details of the algorithm used in the automated decision
making. She told me that under no circumstances would your bank disclose
the reasons used to decline my card.
I have been refused credit by your bank. This has caused inconvenience.
The decision was made by an automated process. I am thus entitled under
the Data Subject Access provisions to an explanation of the algorithm
used. Please supply the information requested within the statutory time
limit. I confirm that I am prepared to pay a fee (if any) up to the
statutory maximum.
Should you refuse to supply the information to which I am entitled
regarding the automated refusal of credit, I may without further notice
issue proceedings for an Order requiring you to do so. I will also make
a Formal Complaint and Request for Assessment to the Information
Commissioner's office regarding your refusal to comply with the Act in
respect of automated decision making.
Please note that I also have a right to prevent automated processing
under s.12 of the Act. I attach a notice in the form recommended by the
Information Commissioner's Office.
Notice under section 12(1) of the Data Protection Act 1998 to prevent
processing of personal data by automatic means.
I request that you (whether directly or via an agent) do not make a
decision about me, based solely on the processing by automatic means of
my personal data for the purpose of evaluating matters which
significantly affect me such as refusing credit.
Yours faithfully,
Nigel Roberts
--
Nigel Roberts, Director, Island Networks
4&5 St Anne's Walk, Alderney GY9 3JZ (via UK)
Tel. 0800 288 8978 (toll-free) or 0870 321 2281 (direct)
International: +44 1481 822800 Mobile +423 663 178200
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This e-mail is from Dechert LLP, a law firm, and may contain information that is confidential or privileged. If you are not the intended recipient, please delete the e-mail and any attachments, and notify the sender. Dechert LLP is a limited liability partnership registered in England & Wales (Registered No. OC306029) and is regulated by the Solicitors Regulation Authority. A list of names of the members of Dechert LLP (who are solicitors or registered foreign lawyers) is available for inspection at its registered office, 160 Queen Victoria Street, London EC4V 4QQ.