Egregious data handling process over BA telephone booking?
Hey folks
I’d love your thoughts over the processes observed over a telephone BA booking which seems to have gone awry. I’m concerned about possible data privacy-related breaches and trying to come up with the best way to proceed here.
In a nutshell, I called BA to do a redemption booking last week using a Barclays voucher – BA.com wouldn’t allow the routing, throwing a very generic error, hence the phone call.
Status line was closed so called the general bookings number. A very pleasant UK-based agent was quick to understand what was needed and proceeded to give me an accurate quote before payment. The agent could see a saved card under my profile, so I only had to punch in the CVV using the phone keypad to process payment. As that didn’t work the first time around, I was asked to key in the whole card number from the beginning, as well as the expiry date and CVV. This didn’t work either.
Just as I was offering to fetch another card, the agent advised that there was an issue from their end (and in fact you could hear other agents in the background saying the same thing to other callers). I was advised that a fresh card wouldn’t work, and therefore we were stuck without an obvious solution.
This is where it gets weird. The agent offered to process the payment manually by a) disconnecting the call and calling me back from a different phone number (can’t recall why), and b) manually taking down the details of my card over the phone, so they could be written on a whiteboard and used when the system came back up (!)
Now I will blame my fatigue at that point for agreeing to this, but I ended up complying – just before I noticed that two double charges from BA were pending (clearly as a result of the two original attempted transactions). As I relayed that fact, the agent said that the booking would have to be sent to the back office, who would resolve the double-charging and ensure that it’s ticketed.
A week later, the booking has yet to be ticketed, although there is a PNR. Avios have been deducted from my account, but the charging issue has not been resolved. I can follow up about this independently, I’m sure.
What I’m less sure about and would love some advice on is whether the process of asking someone for their card details to be jotted down on a team whiteboard constitutes a clear data handling breach, despite me following along with it.
How would you approach this? Would you follow up on it, or let it go?
The data handling breach is policed by the payment card industry (PCI DSS). I have no idea if they have a whistleblowing procedure. A whiteboard might actually form part of an agreed procedure, provided it is cleaned properly, no camera phones in the room, etc.
Writing down CC details on a white board in a shared office space is very poor operational risk management (I bet there’s a system password written in the corner of that very same whiteboard: “admin” no doubt!) but I think an indicator of (1) their IT and resilience of it and then (2) uncontrolled and ad-hoc workarounds like this which you had to go through.
They basically overrode two sets of controls and wrote down everything for everyone in the office to see, to return to later.
When it all goes through, give them another separate call / email to complain and you may get some Avios out of it but only if they recognise the shortcomings of this kind of practice.
When a firm I worked for was becoming FC regulated a few years back, one of the changes was removal of notepads to be replaced by individual whiteboards (tablet sized) the idea being they could be wiped throughout/at end of day, with no risk of paper with personal details being discarded.
I presume this is what the agent meant, rather than a classroom-style whiteboard that anyone could view.
This is pretty much what it hinges on. The Data Protection Act requires orgs to take “appropriate technical and organisational measures” to protect personal data. Appropriate is not defined in absolute terms, but instead is appropriate to the data in question and the context in which the firm operates. If BA have satisfied themselves that an individual virtual white board is sufficient safeguarding, there’s not a lot of recourse for you unless and until a breach occurs. Even then, a regulator may still agree with BA that the white board method is appropriate, considering it is a fallback option rarely used.
Writing down CC details on a white board in a shared office space is very poor operational risk management
It’s not a shared whiteboard but an individual one at that agent’s desk that they keep control of; at hand, or wiped clean. It’s a temporary method of storing the CC details when the touch-tone system fails. Avoids the need to shred any paper. It’s a risk-managed fall-back.
Yes, the new thread headline was a little misleading. BA calling back (so as not to be giving card numbers on a recorded line) and the whiteboards are both examples of good backup practices.
Thank you all – I did say I wasn’t sure whether this fell foul of data protection or not hence the request for advice (and question mark in headline). I might park this for now.
Unfortunately the booking has yet to be ticketed, and I just noticed that instead of one Barclaycard voucher being redeemed, two have been drawn from my account for the same PNR. Have emailed the call handler – as I had their direct email – but no response yet.