Hiding Behind the Act

Last week I received the PIN for one of these new chip and bin credit cards, kindly sent to my home by Barclaycard. Which is slightly worrying since I don't have a Barclaycard. Being a good citizen, and slightly worried that they would somehow try to hold me responsible for their mistake, I telephoned Barclaycard. Shockingly, instead of taking prompt action to block the fairly obvious security hole, the customer service team refused to do anything. Their explanation? The Data Protection Act didn't let them.

I know how the mistake happened. A couple of years ago I did have a Barclaycard, until I realised I had access to too much credit, paid off the account, returned the card and cancelled the account. Despite confirming the account had been paid off, and despite me confirming the cancellation by telephone, Barclaycard clearly haven't closed the account. This is a fairly serious error on their part, if not exactly a surprise. Anecdotal evidence suggests that credit card companies fairly routinely don't close accounts when asked to. Possibly, the ability of the marketing department to claim an inflated number of customers trumps security concerns.

However, according to the contract I had, the account should be closed. I've informed them in writing and by telephone, returned the card, and paid off the balance. As a point of law, I have no account. When I telephone them to inform them of their mistake, I am asked for the name and the address (which I read off the letter) and then my date of birth. I refuse. It's very difficult to know exact figures for financial fraud, but there is much evidence to suggest that the majority of fraud involves staff at call centres. So when someone starts asking for personal information to confirm I have an account I know I don't have, I refuse. Providing security information to as few people as possible is simply good sense.

Around this point, Barclaycard dug their heels in. Since I couldn't be identified as the account holder, they refused to take any action. I pointed out that it didn't matter who I was - either I was the person named on the card, in which case they had failed to close the account. Or I was not the person named on the card, in which case I shouldn't have the PIN. Either way, the security hole was the same - since I wasn't expecting a card to be delivered, anyone could have gained access to the card, and no one would notice until far too late. Perhaps I shouldn't worry - it would be difficult for anyone to hold me personally responsible. But the credit card companies exist to make profits. Somewhere down the line, credit card fraud comes out of our pocket. Which makes security risks caused entirely by Barclaycard's incompetence particularly irritating.

Equally irritating is the excuse. Blame it on the Data Protection Act. In fact the Act only says that companies must correct mistakes, inform people of the records they hold and who they have provided information to, and register the kinds of data they hold. There is absolutely nothing in the Act that prevents a company from recording or acting on information obtained from third parties. Indeed, banks do so regularly - in the form of credit checks and fraud prevention schemes. So why lie? Because the staff are too lazy to do their job properly, and the Data Protection Act makes an important-sounding excuse that most people won't challenge. (After the initial exchange, I contacted Barclaycard's press office to confirm what the correct procedure was. They informed me that in such a situation the "account would be suspended until the situation had been clarified" but declined to comment on to what extent Barclaycard considered this event to constitute a security problem.)

So, despite being shouted at; called paranoid, uncooperative, and unhelpful; and accused of playing games, I should have raised awareness of a security problem, which should have meant that the account was suspended. Given that a week later I received the card to go with the PIN, this clearly didn't happen. Back on the phone, this time armed with quotes of approved procedure. No joy. Talked to three people before I got a grudging promise that the account was now not active. The current card runs out in 2007. I guess we'll find out then whether they've done what they say or not.

There are two issues here. First is the laziness or incompetence of a financial company that fails to close an account when asked, and then fails to take action when the results of that failure are spotted. This exposes them to fraud, the expense of which they will, of course, pass on to us, the customers. Secondly, there's the disgraceful attempt to hide their incompetence behind the mask of the Data Protection Act. This card has been played too often, and slowly the public is starting to notice. Perhaps most obviously in the case of Humberside Police, who initially blamed their failures with respect to Ian Huntley on the Act.

It is time to stop this nonsense. The public needs to be made familiar with the relatively simple provisions of the Act, both so that they can exercise the rights they gain from it, and to prevent the routine use of the Act as an excuse to avoid work or a cover for incompetence.

Graham Robinson. 30th June 2004.

Update. Since writing this, I have received a letter from Barclaycard. In it, they exercise their right under the original contract to end the agreement, require me to destroy the card, and repay a non-existent balance. Now, their policy is to suspend the account and investigate, so they're acting improperly again. It is, I suppose, consistent with my original instructions. Part of me wonders what would happen if I waited six months, then contacted them to ask where my new card is, denying all knowledge of the whole exchange. An experiment for someone else, I think.





Online Opinion is a trademark owned by Graham Robinson. All rights reserved. The copyright on all articles, columns, and letters on this site is owned by the original author. The copyright on all other material is owned by Graham Robinson. Permission is granted to download and store these pages for personal or research purposes only, and only as is consistent with normal viewing of web pages. All other rights reserved. Permission is granted to freely link to any page within this site, as long as ownership of the material linked to is clear. No advertisements may be associated with this site, whether explicitly or implicitly, without prior written permission.