Sale of personal data by call centre staff provides timely reminder of importance of data security

The report (paywall) in yesterday’s Sunday Times that financial and medical data of UK citizens is for sale in India at prices as low as 2 pence per record is shocking, but (sadly) not that surprising.

For those of you who missed it, the report described how “corrupt” IT consultants working in call centres in India had offered undercover reporters sample credit card and financial details for UK customers. The information had apparently been obtained whilst working in Indian contact centres providing services to a number of well-known UK companies. Credit card details included names, addresses, telephone numbers, card numbers, start and end dates as well as the three-digit security codes from the back of the cards.

According to the claims in the report, the information was thought to be only days old. Personal data relating to mortgages, loans, bank accounts and even subscription details for satellite TV were also said to be available. Even more worryingly, “medical admissions data” was also on offer.

If these reports are true then we should be worried. If this information is available on the marketplace then it’s only a matter of time before it gets into the wrong hands – not only unscrupulous marketing companies who want to build up marketing databases on the cheap, but also fraudsters who will use the information to carry out bank account or credit card fraud.

What should be done?
For individuals, unfortunately there is no easy fix.

As a matter of good practice the company/organisation whose security arrangements have been compromised should contact you to let you know. Unfortunately, they won’t always know and (as the report suggests) they won’t always tell you even if they do know because they are worried that negative publicity might cause them reputational damage. In the meantime, the advice is to regularly check your bank and credit card statements and if you see any suspicious transactions then contact your bank or credit card company immediately.

For organisations that have outsourced operations that involve the processing of data – particularly personal data – these reports are a timely reminder that data security should always be a priority. The dangers are all the more acute when the operations are being conducted far afield in places such as India, partly because of the different cultures but mainly because of the distances involved.

Nevertheless, challenging though the supervision of these functions might be, that’s what the law requires.

What does the law require data controllers to do?
Where personal data is involved, the Data Protection Act 1998 requires that organisations who engage others to process data on their behalf take reasonable steps to ensure that the processor safeguards that data to the same standards as would be incumbent on the organisation itself.

Furthermore, where financial institutions are concerned, the Financial Services Authority’s view is that the outsourcing of data processing functions should not weaken the organisations’ internal systems of control. To ensure that the systems of control remain strong, institutions are expected to exercise effective oversight over the outsourced function and to ensure that the outsourced function does not make the institution susceptible as a conduit for fraud.

Responsible organisations should audit and inspect the companies that process their data to check that they are living up to the promises that were given that customer data would be kept secure. This doesn’t just mean checking IT arrangements – it also extends to checking that the processing companies adopt and deploy good staff vetting procedures and background checks on third parties who might be on site or have access to data.

Ultimately, it may be that the various organisations named in the report will be able to demonstrate that they have discharged these responsibilities but, even if they can, the report amply demonstrates the very important point that outsourcing data processing operations to places like India is not without reputational risk, regardless of where blame lies.

The ICO has now become involved. I imagine this is not the last we’re going to hear of this.

March 2012