GDPR and DPA breaches

  • #509409
    Nick Clarke 3
    Participant
      @nickclarke3

      I have just had a very difficult time trying to update my card details for my MEW subscription.

      I was sent a letter asking me to provide card no, expiry date, valid from date and switch issue no.

      Instead of filling these in and posting the letter back I decided to use the phone.

      Bad move!

      I gave my subscription number and was then asked for the card number and expiry date. Then for my full name – but that is not the name I took out the subscription in. I was asked for first line of address and then postcode. I was asked for my bank sort code – WHY – if I had sent the letter back it would not have been on there. I was reluctant to give it until the person on the other end said and also your email address – again WHY??

      I asked to speak to a supervisor but they were unable to come to the phone as they were on another escalation. Why does this surprise me? I could not accept a ring back as there is no phone signal where I work and I had gone out to the car park to make this call.

      A clear breach of both the GDPR and the UK Data Protection Act as excessive information as if it wasn’t needed on the paper copy it should not be necessary on the phone. I will report this in the morning.

      The operator gave me the email address so I was able to repeat it back to him. He then asked me for the card number again – the third time – and he got it wrong. I doubt the mistake was mine as I was reading it from the card in my hand – it was rejected. I gave the card number for the fourth time and this time it was accepted.

      22 minutes on the phone, two breaches in the law and I did not get chance to ask why this is the only account that does not automatically update when a new card is issued. Amazon, Paypal, Just Eat (I am weak and overweight as a result) etc etc all do.

      My advice to everyone is forget subscriptions but buy your magazines from your local newsagent in future.

      Edited By Nick Clarke 3 on 23/11/2020 16:43:25

        #509415
        DMB
        Participant
          @dmb

          Hi Nick,

          Not in Brighton you won't. Smith's have not stocked any of them ME, MEW, EIM for many months. Be alright if you're a bus or tractor anorak or a boater. (Are you listening Neil?)

          I've had all 3 on annual subs for years, no trouble. Recommend you give it another try, large savings to be had.

          John

          #509417
          Nick Clarke 3
          Participant
            @nickclarke3

            My local WHS does, and any will get them to order.

            Used to work in Brighton, years ago up near Woollies on St. James St.

            Nice town, but living in a hotel for six months is so boring, so not recommended!

            #509418
            Frances IoM
            Participant
              @francesiom58905

              the local WHS takes just a single issue of ME – it always used to have copies available for a week post publication – not seen EIM for some time – has this stopped publication – MEW hasn’t been seen for some weeks – luckily the computer press seems to be ok – is MTM still in operation as has all the signs of a company in difficulties ?

              #509423
              Jeff Dayman
              Participant
                @jeffdayman43397

                I get EIM by mail, here in Canada, and have received every issue all through the pandemic, right to Nov 2020. I believe they are very much still in business. The parent company changed hands last year, EIM is part of Warner Group publishing now I believe.

                Through the pandemic my family and I have been quite isolated as millions of others have. Getting EIM through the mail has been a major mental health boost for me. The ME forums are not the same thing as printed mags as there are so few people posting any pics of model builds or tooling mod builds, and so much bickering and blather it often is a short unpleasant read. Digital mags for me are not an option technically (been stung before paying a LOT for content I can not view, years ago – no urge to repeat that experience) and I really have trouble nowadays reading a small phone screen or tablet.

                As said before my local bookstore has not had ME or MEW since Feb 2020.

                #509431
                JasonB
                Moderator
                  @jasonb

                  In these times I can understand WH Smiths and any other newsagent not wanting to stock many mags or for MTM to print them only to be returned. Footfall to the high street and the local shops is way down so the number of casual walk in sales of mags are down and many will not consider it essential shopping.

                  If you follow the Forum you will also have read that the latest MEW will be delayed so that would explain why you may not have seen one for some weeks and interval had been extended before that. 

                  As for the Original post, I can understand them asking for full name (on card), first line and postcode will also be needed to enter into the card machine for telephone transactions and it may not be getting paid for by the recipient. Not sure why they would want sort code but e-mail may simply be to confirm transaction and save postage as OP does not seem to want to use the post either.

                  Edited By JasonB on 23/11/2020 17:45:58

                  #509439
                  SillyOldDuffer
                  Moderator
                    @sillyoldduffer

                    I don't know about GDPR, but there's nothing in the DPA to stop organisations collecting whatever information they like. The only requirement is that they protect whatever they've collected.

                    Personally, I believe the DPA to be yet another example of legislation that doesn't actually do much good! There is no requirement for organisations to tell the Information Commissioner how they intend to protect data, nor does the Commissioner set standards or inspect security arrangements to confirm they exist, let alone that they actually work.

                    The Information Commissioner springs into action after a data breach, and whilst heavy fines can be imposed, there is no victim compensation.

                    Dave

                    #509443
                    Martin Connelly
                    Participant
                      @martinconnelly55370

                      I have had about 5 things to pay in the past 6 months where BACS was used. Ask them if they can accept payments that way and for the required details. Now that account names are checked and confirmation of acceptance required when it is set up it is easy and (so far) error free.

                      Martin C

                      #509444
                      Nick Clarke 3
                      Participant
                        @nickclarke3
                        Posted by JasonB on 23/11/2020 17:44:14:

                        As for the Original post, I can understand them asking for full name (on card), first line and postcode will also be needed to enter into the card machine for telephone transactions and it may not be getting paid for by the recipient. Not sure why they would want sort code but e-mail may simply be to confirm transaction and save postage as OP does not seem to want to use the post either.

                        Edited By JasonB on 23/11/2020 17:45:58

                        Fair enough Jason, and I have indeed had a confirmation via eMail, but the letter I was sent did not ask for email, full name, sort code and obviously had my address on it to get here. It merely asked for the updated card details, so why did I need to give so much additional info just because I mistakenly thought it would be quicker and easier to phone rather than sort an envelope and a stamp and trust it to the post?

                        #509448
                        Nick Clarke 3
                        Participant
                          @nickclarke3
                          Posted by SillyOldDuffer on 23/11/2020 18:10:30:

                          I don't know about GDPR, but there's nothing in the DPA to stop organisations collecting whatever information they like. The only requirement is that they protect whatever they've collected.

                          Dave

                          Sorry Dave but

                          The Data Protection Act 2018 PART 3 CHAPTER 2 Section 37 states:
                          The third data protection principle is that personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.

                          Not excessive being the appropriate part here and while my opinion in this case that it is excessive could well be questioned, the current Law does make provision for such an event.

                          While Article 5 of the GDPR states that Personal data shall be:

                          (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)

                          So organisations can't collect what data they like unless they act outside these two bits of legislation.

                          Take care,

                          Nick

                          #509452
                          Robert Butler
                          Participant
                            @robertbutler92161

                            OP not sure GDPR is an issue and I doubt The Information Commissioners Office will be in the slightest bit bothered about this. The Data Protection Act concerns misuse of data once obtained. The information requested is not unusual when making card payments by telephone. What may be of concern is a subscription account name different to the card name. Money laundering or fraudulent use of a credit card are two potential issues.

                            Robert Butler

                            #509454
                            Frances IoM
                            Participant
                              @francesiom58905

                              An account number would be required if they wanted to set up a direct debit – personally I avoid these as I’m happy to buy a subscription year by year and not have to argue when they attempt to run on the subscription without my noticing it.

                              MTM don’t seem to offer Bacs tho this is the setup by which I pay all my utility charges and can do repeat payments via the Nationwide ATM service

                              Edited By Frances IoM on 23/11/2020 19:04:00

                              Edited By Frances IoM on 23/11/2020 19:04:21

                              #509455
                              Nick Clarke 3
                              Participant
                                @nickclarke3
                                Posted by Robert Butler on 23/11/2020 18:51:54:

                                OP not sure GDPR is an issue and I doubt The Information Commissioners Office will be in the slightest bit bothered about this. The Data Protection Act concerns misuse of data once obtained. The information requested is not unusual when making card payments by telephone. What may be of concern is a subscription account name different to the card name. Money laundering or fraudulent use of a credit card are two potential issues.

                                Robert Butler

                                The DPA is also concerned by the collection of data – hence the reference above. While I could understand if I was making a card payment, I was not, I was only updating card details – Frances I was also not setting up an account – that existed already. Neither a direct debit – this was only a repeating debit card payment where the card needed updating.

                                #509456
                                Nick Clarke 3
                                Participant
                                  @nickclarke3

                                  I will leave this now as I have my new subscription and am only down a few quid for phone time.

                                  I will pass this on to the authorities as teaching this forms part of my job and our rights with data are being snatched away through not asking the questions. I will allow those who have to to decide if it is an issue.

                                  Thanks for your comments everyone, take care and stay safe.

                                  Nick

                                  #509580
                                  SillyOldDuffer
                                  Moderator
                                    @sillyoldduffer
                                    Posted by Nick Clarke 3 on 23/11/2020 19:13:57:

                                    I will leave this now as I have my new subscription and am only down a few quid for phone time.

                                    I will pass this on to the authorities as teaching this forms part of my job and our rights with data are being snatched away through not asking the questions. I will allow those who have to to decide if it is an issue.

                                    Thanks for your comments everyone, take care and stay safe.

                                    Nick

                                    Good luck – you may do better than I did 5 years ago! My comment comes from personal experience of how the ICO handled a major complaint involving an organisation collecting unnecessary detail from millions of customers. The data was clearly not necessary to deliver the services offered.

                                    The problem with the Data Protection Act and similar legislation, is what the "principle" means by "adequate, relevant and not excessive in relation to the purpose for which it is processed" has to be tested in court. Not for me, you, or even the ICO to decide.

                                    In my experience, the organisation concerned simply said the information was needed to deliver future services. So far, they've not materialised, but hey. As there are a host of other reasons why data might legitimately be collected, for example to prove identity, it's hard to define what 'relevant and excessive' mean in practice. And because the ICO isn't proactive, there isn't much case law to build on, leaving the matter wide open. The ICO is much tougher after a data breach and in my opinion that's too late.

                                    It may be all our own fault! Voters tend to be keen on tough action against criminals AND deregulation AND low taxation. As these ideas are mutually exclusive, politicians pass laws that look good, but don't cost much or get in the way of commerce because they rarely have to be enforced. The idea isn't restricted to one party or country. It was a Conservative government who approved the similarly principled and woolly worded EU Data Protection Directive of 1995 and then developed the DPA in order to make it UK Law. After the 1997 election intervened, the DPA was actually passed by a Labour Government the following year, and the 2018 upgrade is Conservative. They've all had the chance to fix it and to fund the ICO to be proactive.

                                    Dave

                                    #509608
                                    mechman48
                                    Participant
                                      @mechman48

                                      So far the only gripe I have with MTM & subscriptions is.. They send me reminders to renew 4 months ahead of original subscription date, i.e Oct/Nov compared to orig' subs' date of Feb, why is this, do they need to pump up their business profit margin before the end of the year ?

                                      George.

                                      #509624
                                      Anonymous

                                        It seems to me that if MTM sends a personal letter which is filled out and returned, then MTM has a reasonable expectation that the recipient is who he claims to be.

                                        If, instead, the recipient phones them to respond, they have less surety of his identity and may want to ask additional questions (that weren't in the letter) to establish that.

                                        I don't see this as being unreasonable … at least in principle.

                                        #509824
                                        Frances IoM
                                        Participant
                                          @francesiom58905

                                          I went into the local WH Smiths this morning – found the only copy of December EiM – the woodworking section, being very noticeable as at start of shop area was basically empty of Magazines whereas normally stacked full of titles – my guess is that if the branch hadn’t taken over the functions of a Post office it would no longer be open.

                                          To return to MTM I had a letter this morning stating I had only 1 more issue to come – the annual sub started with #290 – the last issue I received was #298 – I paid up front for 12 (?13) issues – is this just Marketing not aware of what they are selling?

                                          Edited By Frances IoM on 25/11/2020 17:28:15

                                          Edited By Frances IoM on 25/11/2020 17:29:25

                                          #511242
                                          Nick Clarke 3
                                          Participant
                                            @nickclarke3

                                            Interestingly I had to contact the same number today to enquire where my copy of ME4652 had got to and was taken through the same questions except that when I questioned the need for my email they asked a different, non data intrusive, question.

                                            Perhaps a positive development!
