Here’s another privacy complaint recently disclosed by the New Zealand Privacy Commissioner’s Office.
The gist is that a customer complained to a telecom after she received a collection notice and discovered that someone had opened an account in her name using her name and date of birth. The telecom told the collections agency it was a fraudulent account and assisted the customer in clearing her record, but….
The customer asked how the telecom went about verifying the identity of people opening a new account, and the telecom, while telling her that they had now strengthened their process, wouldn’t answer her question with specifics (saying they were trade secrets).
Accuracy etc of Telecommunications Information to be checked before use
(1) A telecommunications agency that holds telecommunications information must not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant, and not misleading.
(2) This rule applies to telecommunications information obtained before or after the commencement of this code.
According to their case note:
We believed the telco had breached rule 8 in the way it had initially checked the information. Under rule 8, agencies are required to take reasonable steps to test the accuracy of the information they hold before using that information.
We agreed that the telco’s process was reasonable in testing that the information was accurate, and that it was about an actual person. However, we did not think that the company had taken reasonable steps to ensure the information was being provided by the person to whom it was related.
We told the telco we believed the extra step it added to its verification process was appropriate, but that the process had not been adequate before.
The telco offered to pay the woman’s legal fees and make a further payment for stress and inconvenience. The woman accepted the offer and we closed the complaint file.
These case notes from other countries’ privacy commissioners, provide some useful examples of how things are handled elsewhere.
Of course, we don’t have one federal privacy commissioner to complain to when we have consumer complaints, and we’re still dealing with a patchwork of agencies and regulations. It would be nice to see our government agencies post/share more about how they handle cases.