Office of the Privacy Commissioner | Case Note 255361 [2015] NZ PrivCmr 1 : Woman complains telecommunications company allowed a fraudulent account to be opened in her name
A woman complained to a telecommunications company after receiving a notice from a collections agency that a debt had been lodged against her name. She then discovered someone had opened a mobile telephone account using her name and date of birth. No bills had been paid on the account, and the telco sent the debt to the collections agency.
The telco told the collections agency to remove the debt from the woman’s name, and assisted her to make an identity fraud complaint to Police. The telco also helped the Police in their investigations.
The woman then wrote to the telco and asked about the process it used to confirm the identity of the person who opened the account.
The telco explained its process had been followed, but it would not share what that process was, because it considered the process confidential company information.
The woman was not satisfied with the explanation and some time later complained to us.
Rule 8 of the Telecommunications Information Privacy Code 2003 says:
Accuracy etc of Telecommunications Information to be checked before use
(1) A telecommunications agency that holds telecommunications information must not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant, and not misleading.
(2) This rule applies to telecommunications information obtained before or after the commencement of this code.
The telco explained the steps it took to verify new customer’s information:
-
- gather enough information from the new customer to conduct a credit check;
- conduct the credit check;
- request further information from the customer if the details did not ‘turn up a match’ on the credit check.
The telco advised it had updated the policy since the account had been wrongly opened in the woman’s name. The current practice was that it now required a driver’s licence number or other form of identification.
The telco said it was trying to balance getting enough information to ensure a person was who they said they were, with the obligation not to gather too much information (rule 1).
We believed the telco had breached rule 8 in the way it had initially checked the information. Under rule 8, agencies are required to take reasonable steps to test the accuracy of the information they hold before using that information.
We agreed that the telco’s process was reasonable in testing that the information was accurate, and that it was about an actual person. However, we did not think that the company had taken reasonable steps to ensure the information was being provided by the person to whom it was related.
We told the telco we believed the extra step it added to its verification process was appropriate, but that the process had not been adequate before.
The telco offered to pay the woman’s legal fees and make a further payment for stress and inconvenience. The woman accepted the offer and we closed the complaint file.
February 2015
Accuracy of information ─ identity dispute ─ failure by telecommunications company to check accuracy of information ─ Telecommunications Information Privacy Code 2003, rule 8