Is it really you?
July 6th 2022 / in News / by Sippe van der Tas
Who doesn’t do it: regularly calling a company or institution with which you have a (customer) relationship, such as an insurance company, your child’s school or the pharmacy. Often you have a question about your personal situation, and answering it requires that company or agency to disclose (special) personal data. Examples are: “Is my car still properly insured?” (insurance company) or “Can I use this medicine in combination with the medicines I already use and that are already registered with you?” (pharmacy).
It strikes me that when I call, I often get this information quite easily. On the one hand, that’s nice, but on the other hand, someone with malicious intent can impersonate me, collect personal information about me in that way and cause me harm. Think, for example, of gathering personal information and, on the basis of that information, in an extreme case, committing identity fraud with all its adverse (financial) consequences.
The above suggests that, if you call with a request about your personal situation, there is no check to determine whether the caller really is the person they claim to be. However, this is usually not the case. Before the requested information is given, a number of verification questions are asked. The type of verification question varies quite a bit, though, ranging from “what is your zip code” to “what is your unique customer number.” Often there is a second question, such as “date of birth” or “initials”.
It will be clear that the easier the answer to a verification question is known or can be found out (a postal code, date of birth or initials, for example), the more likely it is that, once those questions are asked and answered correctly, (special) personal data will be provided to someone other than the person they claim to be. Conversely, the chance of this happening is smaller when a verification question concerns information that is held by the company or institution approached and is normally known only to the customer. Think of a unique policy number or a unique customer number.
How should the above now be viewed in light of the GDPR?
Article 5 (Principles relating to the processing of personal data) paragraph 1, opening words and under (f) states the following:
Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The provision of personal data by a company at the request of a caller is “processing” of personal data within the meaning of Article 4, opening words and paragraph 2 of the GDPR. Based on the aforementioned part of Article 5 of the GDPR, this must be done in such a way that the personal data is not processed in an unauthorized or unlawful manner. This requires that “appropriate technical or organisational measures” be taken.
Applied to the situation described, this means that verification questions must be asked in such a way that the likelihood of personal data being provided to a person posing as another is virtually excluded. Relying on easily retrievable and knowable data such as a zip code or date of birth, and providing personal data on that basis to the wrong person, could mean that insufficient organizational measures have been taken to prevent unauthorized or unlawful disclosure. In addition, there will then be a data breach. Both situations can lead to enforcement action by the regulator, the Authority for the Protection of Personal Data.
This is easy to prevent. My advice in that regard is that, if a company or organization wishes to provide personal information to customers by telephone, it should use verification questions based on data that are known only to the company or organization and the customer, such as a policy number or a unique file number. Incidentally, the more personal data that is provided, or the more sensitive it is, the stricter the requirements placed on the verification questions (proportionality) will be.
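The advice above can be written down as a small caller-verification policy, shown here as an added Python example (not code from the post or from Lex Digitalis): publicly knowable attributes count for nothing, only data shared solely between the organization and the customer adds assurance, and special data needs more of it. The factor weights, the assurance thresholds and the sample customer record are assumptions constructed for the example.

```python
"""Telephone caller verification policy (illustrative, assumed rules)."""
import hmac
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    GENERAL = 1   # e.g. "is my car still insured?"
    SPECIAL = 2   # e.g. medication or other health data


# Assurance a correct answer adds. Attributes that are public or easily found
# (postal code, date of birth, initials) add nothing, however many are asked.
# Data known only to the organization and the customer adds one unit each.
# These weights are an assumption for this example, not a legal standard.
FACTOR_WEIGHT = {
    "postal_code": 0, "date_of_birth": 0, "initials": 0,
    "policy_number": 1, "customer_number": 1, "file_number": 1,
}

# Proportionality: sensitive data needs two independent shared secrets.
REQUIRED_ASSURANCE = {Sensitivity.GENERAL: 1, Sensitivity.SPECIAL: 2}


@dataclass
class CustomerRecord:
    attributes: dict  # attribute name -> value on file


# Constructed sample record; every value here is made up.
SAMPLE_RECORD = CustomerRecord({
    "postal_code": "1234AB", "date_of_birth": "1980-01-01",
    "initials": "J.D.", "policy_number": "P-000123", "customer_number": "C-4567",
})


def _matches(given, expected):
    norm = lambda s: str(s).strip().lower().encode()
    return hmac.compare_digest(norm(given), norm(expected))


def may_disclose(record, answers, sensitivity):
    """Return (allowed, reason). Any wrong answer denies outright, and the
    correct answers together must reach the threshold for the data requested."""
    assurance = 0
    for name, given in answers.items():
        expected = record.attributes.get(name)
        if expected is None or not _matches(given, expected):
            return False, f"answer for {name} does not match the record"
        assurance += FACTOR_WEIGHT.get(name, 0)
    needed = REQUIRED_ASSURANCE[sensitivity]
    if assurance < needed:
        return False, f"assurance {assurance} below {needed} for {sensitivity.name} data"
    return True, "verified"
```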
Do you have any questions about the above, or would you like practical advice on applying the GDPR? Please contact me (06-28610416 / sippe.vandertas@lexdigitalis.nl) or one of my fellow privacy experts at Lex Digitalis, who can be found at www.lexdigitalis.nl.