JISCMail - DATA-PROTECTION Archives

I have not decided how far.  I think a lot depends on the UKIC's response to
me.  There is a point (which I am probably far beyond) that this becomes
farcical.

Part of my truculence is to do with the fact that I do not perceive the UKIC
as an effective enforcer of the law of the land.  We have a fine law, but it
appears that even the regulator allows people to ignore it.  That does not
augur well for respecting it.

-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Nigel Roberts
Sent: 13 February 2006 14:24
To: [log in to unmask]
Subject: Re: [data-protection] BT SMS Self Service

How far do you intend to take this?

As a Fellow of the British Computer Society I would readily give expert
evidence that the use of your account number as a password does not meet
adequate information security practices. I am sure there are many others on
this list who would do the same.

In fact, I am required by many places to present a utility bill (landline
phones not mobiles) as identification thereby giving out my BT account
number and access to this information.

It seems from their reply that your arrow has hit home, but that rather like
John Cleese (in MP&THG) the knight wants another leg or maybe an arm chopped
off.


Nigel


Tim Trent wrote:
> I now have received the following reply to my S10 notice:
> 
> BEGINS
> Thank you for your email of 3rd February, in which- under s.10 of the 
> Data Protection Act 1998- you asked us to stop processing your 
> personal data in the context of the "last bill paid" BT SMS service. I 
> have been asked to reply.
> 
> As you may be aware, BT introduced this facility, on a trial basis 
> only, some weeks ago. We took the view initially that it was not 
> necessary for customers to have to identify themselves by giving their 
> account numbers. We came to this view in good faith on the basis that 
> it is not possible to determine from the date disclosed whether a bill 
> was paid on time or what the size of the last bill was. We also 
> considered that the information in question was perhaps unlikely to be 
> capable of "having an adverse impact on the individual" (to quote the 
> Information Commissioner guidance on the "Durant case") and might
therefore not constitute personal data.
> 
> However, we now appreciate that not all customers share this view- and 
> accept that disclosure of the information (i.e. without customer 
> consent) is capable of having an adverse impact. Accordingly, we 
> amended the functionality at the beginning of last week, and, 
> customers are now required to submit their account numbers before 
> "date of last bill paid" information is disclosed to them. In 
> introducing the original functionality, we were responding to the 
> growing demand for customers to be able to access account information 
> quickly (and often without having information about their account to 
> hand). Whilst it is sometimes difficult to find the right balance 
> between accessibility and security, I can assure you that the security 
> of our customers' data is of great importance to us- and that is why 
> we moved quickly to amend this service as soon as we were aware that some
customers had concerns.
> 
> In closing, the concern you expressed in your s.10 notice was that 
> your personal data was being processed without your consent. We 
> consider that the introduction of the requirement for account number 
> effectively meets this
> concern- and that we have now complied with your notice. You may also 
> wish to note that the Office of the Information Commissioner has also 
> confirmed that it believes "the requirement for the account number as 
> well as the telephone number provides an appropriate security measure".
> 
> Thank you for drawing our attention to this matter. 
> ENDS
> 
> It comes from the very nice manager in Customer Service who has 
> doubtless been instructed to reply in this manner.
> 
> I have rejected this as follows:
> 
> BEGINS
> I do not accept that the additional small safeguard is sufficient to 
> meet my requirements for BT to cease processing my personal data in 
> this manner.
> 
> You have therefore not made an adequate reply.  My Section 10 notice 
> stands.  I require you to stop processing my phone number in this 
> manner.  I absolutely prohibit you from transmitting details about my 
> telephone account payment details by SMS message to me unless I give 
> specific authorisation.
> ENDS
> 
> Additionally I have passed the reply to the UKIC as evidence.  But I 
> do not expect to prevail here.  What it looks like is that BT are 
> choosing to win the battle, but have lost sight of their customers and our
needs.
> 
> -----Original Message-----
> From: This list is for those interested in Data Protection issues 
> [mailto:[log in to unmask]] On Behalf Of Tim Trent
> Sent: 10 February 2006 18:01
> To: [log in to unmask]
> Subject: [data-protection] BT SMS Self Service
> 
> Well, 5pm came.  And went.  5:45 I had a call "Hello Mr Trent.  I only 
> just got this email".
>  
> I explained that I was in process of printing off the complaint forms.
>  
> It will be escalated to a manager on Monday.
>  
> I have also spoken to a man in Bombay who insisted that I wanted to 
> talk about a different service.
>  
> 
> 
> Tim Trent - Consultant
> Direct: +44(0)1344 392644 Mobile:+44(0)7710 126618
> email: [log in to unmask]
> <blocked::mailto:[log in to unmask]>
> Marketing Improvement Limited, Abbey House, Grenville Place, 
> Bracknell, United Kingdom, RG12 1BP 
> <blocked::http://www.marketingimprovement.com/>
> http://www.marketingimprovement.com
> 
>  
>   
> 
> 
> Important: This mail contains proprietary information some or all of 
> which may be legally privileged. It is for the intended recipient 
> only. If an addressing or transmission error has misdirected this 
> email, please notify the author by replying to this email. if you are 
> not the intended recipient you must not use, disclose, distribute, copy,
print or rely on this email.
> If you are not the named recipient please notify us immediately.  This 
> email and any attachment(s) are believed to be virus-free, but it is 
> the responsibility of the recipient to make all the necessary virus 
> checks. This email and any attachments to it are copyright of 
> Marketing Improvement Limited unless otherwise stated. Their copying, 
> transmission, reproduction in whole or in part may only be undertaken 
> with the express permission, in writing, of Marketing Improvement Limited.
> 
>  
> 
> 
> 
> 
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> 
> 
>        All archives of messages are stored permanently and are
> 
> 
> 
>       available to the world wide web community at large at
> 
> 
> 
>       http://www.jiscmail.ac.uk/lists/data-protection.html
> 
> 
> 
>       If you wish to leave this list please send the command
> 
> 
> 
>        leave data-protection to [log in to unmask]
> 
> 
> 
>             All user commands can be found at : -
> 
> 
> 
>         http://www.jiscmail.ac.uk/help/commandref.htm
> 
> 
> 
> Any queries about sending or receiving message please send to the list 
> owner
> 
> 
> 
>               [log in to unmask]
> 
> 
> 
>   (all commands go to [log in to unmask] not the list please)
> 
> 
> 
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> 
> 
> 
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> 
> 
>        All archives of messages are stored permanently and are
> 
> 
> 
>       available to the world wide web community at large at
> 
> 
> 
>       http://www.jiscmail.ac.uk/lists/data-protection.html
> 
> 
> 
>       If you wish to leave this list please send the command
> 
> 
> 
>        leave data-protection to [log in to unmask]
> 
> 
> 
>             All user commands can be found at : -
> 
> 
> 
>         http://www.jiscmail.ac.uk/help/commandref.htm
> 
> 
> 
> Any queries about sending or receiving message please send to the list 
> owner
> 
> 
> 
>               [log in to unmask]
> 
> 
> 
>   (all commands go to [log in to unmask] not the list please)
> 
> 
> 
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 




^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^



       All archives of messages are stored permanently and are



      available to the world wide web community at large at



      http://www.jiscmail.ac.uk/lists/data-protection.html



      If you wish to leave this list please send the command



       leave data-protection to [log in to unmask]



            All user commands can be found at : -



        http://www.jiscmail.ac.uk/help/commandref.htm



Any queries about sending or receiving message please send to the list owner



              [log in to unmask]



  (all commands go to [log in to unmask] not the list please)



   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^




^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^



       All archives of messages are stored permanently and are



      available to the world wide web community at large at



      http://www.jiscmail.ac.uk/lists/data-protection.html



      If you wish to leave this list please send the command



       leave data-protection to [log in to unmask]



            All user commands can be found at : -



        http://www.jiscmail.ac.uk/help/commandref.htm



Any queries about sending or receiving message please send to the list owner



              [log in to unmask]



  (all commands go to [log in to unmask] not the list please)



   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^