‘Can I talk to the account-holder?’ – Contacting organisations on behalf of someone else
18th October 2019
One issue which we come across regularly in the Data Protection Commission (DPC) is dissatisfaction from individuals regarding steps they are being asked to take when they contact an organisation on behalf of someone else. A common response they are encountering is that they are told the organisation will only deal directly with the account-holder, or they are asked to provide a very high standard of proof that they are acting on behalf of the account-holder. Whilst there can be many factors at play here, both data protection obligations (such as security and confidentiality) as well as other possible legal obligations, in this blog we’ll try to explain how organisations can take a reasonable, proportionate approach to these situations.
Organisations will normally ask callers to identify themselves in some way or other, for obvious reasons, such as allowing them to respond properly to whatever is being asked of them, but also potentially to ensure that the caller is who they say they are and that the account-holder’s personal data is not divulged to somebody else without good reason. Callers are often asked for their name and/or account number, in addition to information such as confirming their date of birth, address, phone number, or some detail about their latest transaction.
Asking for a friend
However, issues can arise when somebody phones an organisation on behalf of a family member, friend, patient, or someone else who is unable to do so or would prefer to have someone speak on their behalf. The representative phoning on the individual’s behalf is sometimes asked to provide a much higher level of proof that they have permission to speak on the account-holder’s behalf, than the actual account-holder would be asked to provide to prove their own identity if they just rang up themselves. In other cases, the representative is simply told that the organisation will not speak with them about someone else’s account.
This results in the strange situation that it may be easier to phone in and pretend you are the account-holder than it would be simply to honestly explain that the account-holder has given you permission to speak on their behalf. Similar issues can also be encountered when people are making contact through another medium, such as contact forms, emails, or letters.
Security, integrity, and confidentiality obligations
Of course, organisations do have an obligation to keep personal data safe and secure and not to divulge it to someone they shouldn’t – in line with the principle of ‘integrity and confidentiality’’ in Article 5 GDPR. That principle requires that personal data is only used “in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
Of particular importance is the term ‘appropriate’, meaning that controllers in these cases should consider what level of security is appropriate in different situations. They should take into account issues such as the nature and sensitivity of any personal data concerned, the potential harm if personal data is disclosed to the wrong person, and the likelihood that people may be legitimately speaking on behalf of the account-holder.
Organisations should also consider the action being requested by the caller – the proportionate security steps (if any) for a request such as re-issuing a bill to the address listed on the account, may be much less onerous than those which would be appropriate to require where account deletion or release of sensitive information is sought by the caller.
Recently, the DPC was asked for advice in a situation where an individual encountered difficulties whilst attempting to contact a service-provider through an interpreter. Even though the interpreter correctly provided the relevant account information and answered the security questions associated with the account, the organisation did not want to deal with the interpreter unless they submitted a signed document proving they had the account-holder’s permission to speak on their behalf.
The DPC in this case didn’t see any obvious data protection issue that would prevent the organisation from dealing with a customer through the interpreter. Given that the organisation would normally consider that correctly answering security questions was sufficient as a security measure to verify the identity of a caller, it would follow that correctly answering the security questions could also be sufficient to verify the identity and authority of an interpreter acting on the account-holder’s behalf.
It was not obvious that it was reasonable, or necessary from a security perspective, to add an extra security requirement for the users of an interpreter, as there did not appear to be any increased risk of unauthorised access to personal data. In any event, even if an extra security step was needed to verify the interpreter had the account-holder’s permission, a signed authorisation was probably a disproportionately high threshold, where answering further security questions or confirming account details may have sufficed.
There may, of course, be reasons why an organisation does not want to, or cannot deal with anyone other than the account holder – such as internal policies or other legal requirements around secrecy or confidentiality. However, the DPC’s position is that data protection law, as a rule, does not prevent organisations dealing with somebody representing the account holder, once they have taken reasonable and proportionate steps to ensure compliance with their security and confidentiality obligations.
The DPC’s advice to organisations, particularly service-providers and those with a busy customer-care role, when planning and implementing ‘appropriate technical or organisational measures’ to protect personal data, is to ensure a balanced and proportionate approach to their security and identity verification measures. They should implement measures which provide both a high level of protection to individuals, but which also do not disproportionately disadvantage those who cannot easily engage with those measures and who may need someone to make contact on their behalf.
Organisations who want to learn more about implementing appropriate security measures should consult our previous guidance notes ‘Guidance for Controllers on Data Security’ and ‘Data Security Guidance for Microenterprises’.