An elderly relative’s landline ceased working. As the account holder, I located: https://www.bt.com/help/home/faults/ and selected the “repair your landline”option.
I LOGGED INTO THE ACCOUNT.
I selected the account from the list of accounts I manage.
I initiated the fault-finding option which was inconclusive. I was invited to start a chat session.
Here’s the beginning of the session:
BT - 12:07
Hi,<customer name>, sorry to know that your <relative name>s line is not working, not to worry I will help you to rectify what is the problem with that phone by running few checks from my end , for me to do that could you please let me know her full name, account number or address with post code. Meanwhile do you mind confirming me that are you authorised by the account holder ?
You - 12:07
I manage the accounts online for <person 1>, <person 2> and, myself
BT - 12:07
As you stated that you are not the account holder could you please let me know your full name , phone number, email id , date of birth ,and your mother’s maiden name so that I can create a contact for you to access the account on behalf of the account holder . meanwhile confirm me if you are authorised by account holder?
You - 12:09
Due to MY data protection I will NOT be giving you my date of birth
and I'm, annoyed that BT would ask for such
As you can imagine, the rest of the chat session didn’t go too well and the fault was resolved by ‘phoning BT. When you call BT to report a fault, the personal information is not required.
To recap: I had logged onto the BT account and was verified by the system as being the account holder for that person’s phone. What should have happened is that the system should have passed those details to the web-chat operator, that I was the account manager, and I was logged-in and verified.
What shouldn’t have happened was that BT tried to harvest personal identity information, including my date of birth and mother’s maiden name. Date of birth is not required to provide telecoms services (more appropriate would be age-range). Asking for mother’s maiden name is simply unacceptable and not required and, in my view, goes against good data handling.
So, be warned. If you have a line fault, use a telephone and not the web fault-finder. Otherwise you will get your personal identity information harvested!
The GDPR is based on the core principles of data protection which exist under the current law. These principles require organisations and businesses to:
I report a fault and I'm asked for my date of birth and mother's maiden name. BT already know I'm the account manager for the number under investigation. The web-chat operation ONLY needs to know those facts and none other. Collection of personal information at that point is a breach of GDPR principles.
There was no notice of collection of personal data, and no explanation of how the data would be used.
BT needs to explain to me why they are not in breach of GDPR. Will they?
BT needs to explain to me why they are not in breach of GDPR. Will they?
BT certainly will not explain it to you via this forum which is a BT residential customer to customer forum.
If you want an answer from BT you will need to raise a complaint with BT and if you feel there is a breach of data protection laws you should report it to the Information Commissioner Office.
Not too sure what the problem is, when reporting a fault , given that there is a potential for charging for an unneccesary visit ( you report your line not working, OR engineer turns up and demonstrates the line is working and it's your own telephone instrument that is faulty , ergo a chargeable visit ) then I'm sure you would agree that there is potential for argument...for example , invoice for unnecessary visit turns up, account holder disputes charge saying they woukd never agree to a vist if there was the chance it was going to be chargeable, BT says the visit was requested 'MR X' not the account holder, account holder says MR X has no right to act on my behalf, and expects the charges to be dropped, sounds to me that BT were trying to register you as an authorised person on your relatives account....if the account is in your name, rather than your relatives name , then it does seem unneccesary.
Thank you for your reply. One issue may be with the roles that can be assigned to a BT ID. I am the account manager to the account holder, and at that time I was logged into the BT system and so was known by BT. At that point the account holder and I were interested in logging the fault so that extra tests could be carried out. There are differences in approach:
- online, the status of the customer appears to be unknown at start of the web-chat session, and I was asked to produce personal identity information. This shouldn't have happened as, as account manager I should have been allowed to notify the fault at least.
- via 'phone. with this method there wasn't an issue with identity. The fault checker was run and suggested a problem at the exchange. I provided an additional contact number for the account holder and the task was complete... easy.
I feel that the online process might encourage fraud by asking for personal identity information when it's not required. Further I suspect the chat session broke GDPR principles as it asked for more data than was necessary to notify a fault and there was no notice of the collection. Once I was logged in, all the web-chat operator need to know was the line number at fault, and that I was the account manager. If, at a later stage, an engineer visit was required then BT would have had to contact the relative, or redefine the account manager role with an option that they may act on the account holder's behalf at times such as when faults prevent BT from contacting the account holder.
Thank you, it was a sort of rhetorical question, and BT are aware of the issue.
Regarding the ICO. From 25 May 2018, organisations have one calendar month to respond to a request. I think (although not entirely sure) that I need to wait the month before contacting the ICO.
This is not something that the community can answer, nor will the community be aware of the processes BT have implemented to get customers passed security. The community is as @gg30340 said more customer to customer focused and not constantly monitored by BT.
If you are looking for a response from BT, then you are best to make contact with BT directly if you have not done so. You/The Account Holder can call and make an official complaint and read the "customer complaints code of practice" online.
The OP stated that BT are aware of the problem so presumably he has already complained.
Thanks for your comments everybody. It's unusual for me to open a thread, but in this case, I wanted to alert the community that BT had tried to harvest personal information from me.
You may have seen one of the Barclays scam adverts, for example the one where a call-centre operation asks for two pin digits and then asks the customer to repeat different pin digits.
Although this is different circumstance, the BT operator tried to obtain personal identity information from me including data items such as Date of Birth and Mother maiden name. I find this unacceptable given the task and have alerted the community to the mis-practice.
I think that’s it from me. Please continue to think about your data safety, and if you have time learn about GDPR principles and your new data rights.
I know I wasn't going to post any more comments. However,... BT had left a few voicemails and today I phoned their customer service. I thought would share as I seem to be getting nearer an epilogue (Humm… it may still be some way yet).
BT confirmed that although my account manager verification and details are held on one system, these are not passed to the web-chat system. They feel it’s within the law that they ask for personal identity information at that point. My view was that the information was already recorded and I was verified by BT, and that asking for personal identity information at that point was unacceptable.
In order to resolve my complaint, I asked that the system should be updated. I was informed that this was not possible. My reply was that it is possible and that BT should update their systems. I requested updates on progress.
Customer Service wanted to close the complaint. I requested that the topic be escalated and at the point the operator suggested that they locate a manager, I mentioned that my cordless phone battery was low, saving me from having to explain the complaint again.