The DeliveryDemon is becoming increasingly fed up with growing expectations of blind acquiescence. It may make it easier for an organisation to use ill-trained operatives and unintelligent processes if customers mindlessly comply with demands for vast amounts of sensitive personal information despite the absence of justification for the request. After all, if everyone provides every piece of information which might be required for every conceivable circumstance, the admin drone can just tick a load of boxes and the organisation doesn’t have to bother making the effort of deciding which information is actually required. And the DeliveryDemon is fully aware that many such demands for information are purely box ticking exercises, with no intelligent use being made of the information gathered. She is also fully aware that, when no thought is applied to deciding which information is needed, it is highly likely that an equal lack of intelligence and diligence is applied to the storage and management of information collected.
This rant was provoked by the need to go through a ‘proof of ID’ process, where the conversation with the call centre went something like this:
DD – You don’t need my marriage certificate since I never changed my name – why do you need my divorce documentation?
CC – It’s the regulations
DD – Which regulations?
CC – HMRC regulations
DD – Which HMRC regulations?
CC – I’ll check with my supervisor
CC calls back – It’s our own rules
DD – Why do you need it?
CC – It’s our rules
DD – If you need it you have a duty to explain why it’s needed
CC – I’ll get someone to call you back
CC2 calls back – We might be able to accept copies with a letter
DD – That wasn’t my question. You have already said you don’t need my marriage documentation since I have never changed my name. Why do you need my divorce documentation?
CC2 – We don’t need it.
Unfortunately, this sort of conversation is, in the DeliveryDemon’s experience, all too common. Far too many organisations feel entitled to pressurising customers into providing information well in excess of the organisation’s real need. Let’s look at what actually happened here.
- First there was a request for information without an adequate explanation of why it was required.
- Second there was the assumption that a reference to some unspecified regulations would make a customer stop asking questions.
- Third there was an assumption that a reference to HMRC would stop a persistent customer from asking questions.
- Fourth, there was an admission that it wasn’t valid to blame the law or the taxman, that this was an internal blocker.
- Fifth there was an attempt to avoid the issue by offering an alternative (certificate copies), in the hope that the customer would be fed up enough to comply.
- Sixth was the admission that the information was not required.
This was not an isolated incident. The DeliveryDemon frequently encounters organisations which behave as though Data Protection legislation didn’t apply to them. If there is a genuine need for a piece of information in one specific instance, they embed the requirement in their general process. They try to blame the law, or various bureaucratic bodies. Call centre operatives are trained to give woolly and misleading responses to questions about the need for information. They expect the customer to be acquiescent and unquestioning, in the interests of lazy process.
It is simply not good enough. The DeliveryDemon is familiar with data protection provisions, and has a good understanding of how a wide range of businesses operate. This puts her in a good position to challenge demands for excessive information. Not everyone is so lucky.
It’s not a matter of being awkward. Our personal data has value, and the cost to the individual of identity theft is massive. Both the law and business ethics demand that organisations only collect the data they need, and on the basis of explicit customer agreement and understanding. It is shocking how many organisations are prepared to ignore both the law and ethical considerations. Unfortunately, the UK’s enforcement of data protection legislation is weakly and tardily applied – enforced would be too strong a word. It’s down to the customer to resist the tsunami of demands. The DeliveryDemon recommends the following questions:
- Why do you need it?
- Which legislation requires it?
- No, I need to know exactly which legislation so I can check the requirement.
- Who will have access to it?
- How will it be kept secure?
- How long will it be held?