Hello

Interesting debate about use of data as identifiers, I will share some information I am due to meet with ICO office in May as there is great concern providers/LA's and Benefit agencies etc are using NINO's numbers as identifiers and the DWP (HMRC) have issued clear guidance that the purpose and use of a NINO is as follows:

A) Purpose of national insurance contributions 
B) Use solely own by DWP and the individual number is not their data to consent to sharing or supplying in remains the property of 
   DWP 

The debate starts, I am sure. This all came to light when we undertook a NFI - Illegal subletting (you may recall) we applied to the NINO board for permission to use Nino's within tenancies for identification, letting and tracing purposes. We were refused. We contacted again and we asked about the use of Nino's for the purpose of employee identification and again they referred me to point a and b. 

In relation to your question Simon is we would recommend the use of a payroll number, DOB, Next of Kin, plus their employee user name for their accounts. We would and do not currently ask for bank account data as a identifier. My response would be only certain staff have access to this so how can it be verified. But this is a question per organisation. 

Great debate, would love to hear anyone's comments on the use etc of Nino's and your experience. 

Regards
Paula 


-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Simon Howarth
Sent: 14 April 2011 20:53
To: [log in to unmask]
Subject: Re: [data-protection] Bank details and identity verification

I would have to think about this further but whilst it's not ideal it seems OK in this instance to use the information in this way. Could you perhaps think of using another piece of information, such as month and year started?

As for using NI, I think your complainant needs to learn a little more. Firstly I would much rather give my bank details than my NI number and the NI number is protected as to its use by law. NI number is a far more powerful piece of information than people tend to think.



-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Phil Bradshaw
Sent: 14 April 2011 18:06
To: [log in to unmask]
Subject: [data-protection] Bank details and identity verification

Hi

We all know that it is poor practice to use bank account numbers to verify identity on internet sites.

However is this really a problem with internal systems ?

We hold a bank account number for all staff as salary payment by BACS is compulsory. 

We are in the process of moving most of our employee processes from paper to online, as part of which staff have to register on our new system , after which they will have direct access to substantial amounts of their own personal data, held for HR purposes. 

As a one off, on first registering we have proposed a multipart verification before staff will be registered on the system, where staff have to supply (this is all internal and within firewall) four pieces of info which we already hold, and only if all match will they be given an account and access :

Name
Date of Birth
Employee Number
Bank Account Number we hold for payroll

An objection has been raised that "all credible advice states that you should not enter your bank account details into any system" although the objector said we should have used NI Number instead, which hardly seems logical - similar "risks" if any. The only real risk I can think of is we have two employees who share a bank account for pay purposes - but in that case I doubt if there is any information we hold which would avoid deliberate infiltration - which would be most unlikely and would be instantly detected when the 'real' partner tried to register and found someone had beat them to it .... 

I am struggling therefore to see any sensible basis for the objection. Once the initial verification is done the user will be given a unique account number and (changeable) password, and the bank account number will not be used again. we would certainly never use it as an identifier as it is too readily available. In essence objector seems to me to be confusing verification with identification, and mixing in irrelevant phishing scare tactics. 

Any thoughts on or off line. 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 
We aim to provide great services every time you contact us and we would value your views about the service you have received, good and not so good. Please mailto:[log in to unmask] to provide feedback.
In our drive to go green, we have put our email disclaimer on a web page so you don't waste paper when printing out emails. This email is confidential and intended solely for the person/organisation to whom it is addressed. Please refer to http://www.orbit.org.uk/main.cfm?type=EMAIL for full legal requirements of email transmissions.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^