Today I was having problems with the home internet connection. Not only am I a member of the over-privileged web generation, I’m also a freelancer who works from home a lot. So this was a big deal. I rang O2 to find out what was going on.
I’m impressed with how quickly I got through to their British-based call centre. Yes, there was the usual automated phone-answering system, but this one wasn’t too bad, and I got through to the correct human within minutes.
But one thing struck me as odd, and it’s something that strikes me as odd over and over again when I deal with call centres. The friendly, Scottish-accented employee asked me for the name of the account holder (my husband), then paused and asked for my own name. Presumably he’d already worked out that the male-looking name on the account didn’t tally with the female-sounding voice on the phone, but when I said my own name he sounded flummoxed and said he wasn’t sure how to proceed, given that I’m not the account holder. He brought up the Data Protection Act and said I would have to answer a security question before he could give me any details about the account.
“Would you be able to answer the security question?” he asked. I told him I wouldn’t know until he asked it. If it’s “What is your husband’s date of birth?” I’m pretty confident I could get an A-grade on that, but if it’s “What 20-digit alphanumeric code did we give your husband when he opened the account?” I probably wouldn’t do so well.
He decided not to test me by asking the question. He found a way to sort out the connection from their end which didn’t require giving me any account information. I was happy, but he warned me that in future, if the problem involved account information, I would have to know the answer to that security question or they wouldn’t be able to help, because of the Data Protection Act.
“But you can see I’m ringing you from the landline we’re talking about, right?”
“No. We don’t have caller recognition here.”
I’m not a lawyer, but I can’t see anything in the Data Protection Act that prevents a broadband company from giving out information to a third party when that information will be used solely for the purposes of fixing the customer’s broken broadband connection. Information about someone’s broadband connection surely doesn’t carry the same duty of confidence as information about something sensitive (such as their medical records, for example).
There are two things I find really interesting about this corporate citing of the DPA: the security theatre and the irony surrounding the concept of consent.
If I had a male (or plausibly male-sounding) voice and phoned up claiming to actually be my husband, there would probably have been no security checks. Call centres are more likely to bust out the “data protection” routine when you’re honest about not being the person named on the account. My dad was once refused help by a call centre because the account was in my mum’s name, and he asked “What would you do if I just pretended to be her?” They said they would proceed with the call as if it was her – yes, even if his impression was really unconvincing.
The key thing is that the caller says they are the account holder. If that’s not security theatre, I don’t know what is. It doesn’t make the account any more secure; it just means that if anything does go wrong, companies can blame the caller for masquerading as the account holder. It penalises honest callers.
The irony of “implicit consent”
The Data Protection Act covers the concept of “implicit consent” or “passive consent”, which basically means “The absence of a ‘no’ must be a ‘yes’.” In the data protection world, it means “If you haven’t bothered to tell us otherwise, we’ll send you lots of marketing crap and pretend you said you wanted it.” Implicit consent is what spawned the ticky-boxes saying “If you do NOT wish to receive further marketing communications from us, please tick the box”.
Implicit consent is what allowed Travelodge to store my personal information, because I once booked a stay in a Travelodge hotel and I didn’t afterwards inform them in writing that I objected to their keeping my details on file. (That information is now in the hands of spammers, since Travelodge’s database was hacked, but hey, I took that risk when I gave my “implicit consent”, right?)
What’s interesting here is that “implicit consent” in the Data Protection Act is about organisational use of data. There’s no presumption in the DPA of implicit consent for your life-partner to handle routine customer service queries on your behalf. There’s also little organisational understanding that a human being will often share their life with another human being, no grasp of the idea that two or more adults could share a house, share the bills and make joint decisions. This lack of understanding can lead to some ridiculous situations, especially when combined with “implicit consent” in the “let our company spam you” sense. I’ll give an example in my next post.
Maybe corporate culture needs the equivalent of the birds-and-the-bees talk. “When two people love each other very much, sometimes they don’t care whose name goes on the water bill.”