Pipex & Data Protection

Perhaps my biggest problem with Pipex customer service has been this insistence that they have my personal information attached to every question I ask, or every problem I report, even when the communication has nothing to do with my account.

Here’s the latest email I have received from them about this:

Dear Mr. Gordon,

Thank you for your email, the contents of which have been noted. Firstly, I apologise for any inconvenience caused to you by the issues you have being experiencing.

I attempted to contact you by telephone earlier today but, unfortunately, there was no response.

I am glad to note that your connectivity issues are now resolved.

I apologise if you are unhappy with the level of customer service you have received; it is never our intention to cause frustration. Please note that, as per Data Protection procedures, each email thread must be Data Protection compliant.

We would have no reason not to deal with your issue. Your personal details are requested for no other reason that to verify that you are the account holder.
You can find our complaints procedure at the following link: http://www.pipexuk.com/terms/terms.html.

If you have any further questions, please do not hesitate to contact us.

Kind regards,

Ronan Moyles
Pipex Customer Relations

Our Customer Care Department is available on 0871 663 3300. Calls are charged at 5p/min from a Pipex line or at 10p/min from a BT line. Calls from mobiles and other providers may vary. Lines are open 8am-9pm Monday-Friday, 8am-5pm on Saturdays and 9am-6pm on Sundays.

The most interesting line in there is the statement that “as per Data Protection procedures, each email thread must be Data Protection compliant.” What does that mean exactly?

There are basically two types of reports that could arrive at an ISP’s help desk:

  • Those that pertain to the reporting user’s account;
  • Those that are general reports about the service, not related to a specific account.

When handling the former, I totally agree that being able to verify that the user reporting the issue or requesting a change is in fact the owner of the account is essential. For the second type of report though, it is irrelevant since there is no change to the user’s account information, or even a need to look at it. There is no need to require personal information from a user who is asking a general question (e.g. “Are there any service outages at the moment?”) or reporting a problem, such as a broken link on the company’s website.

Verifying Users

Going to back to a case where my account might need to be accessed, or modified, let’s look at how Pipex chooses to validate that I am indeed the owner of the account: they ask for three of the following:

  • My name
  • My address
  • My date of birth
  • My phone number or email address
  • My customer account number

And they believe this is secure? All but the last of those are basically public data these days.

Ironically, Pipex has a more secure option available to them since they issue user names and passwords for accessing their service. In fact, when submitting these support questions through their web portal, I was already signed in to that account. But still I am asked for more information. Even though the tickets I file are automatically associated with my account.

Privacy Policy

As is often the case, the company’s privacy policy shows a more likely reason why they are so keen to collect this data: they sell it, and not just in aggregated form either: “This information may be disclosed to other Pipex group companies and carefully selected third parties.

But wait, if Pipex is happy to share my name, address, telephone number, email address and date of birth with carefully selected companies (i.e. those that pay enough), surely that means that they’re already well aware that this information has little, if any, value as a way to validate that I am who I say I am. Given their current privacy policy, they’re essentially sharing the keys to my account with these other companies. Great! Wonder if they share the user names and passwords too?

Security or Value

Of course, asking me for that extra personal data makes the information they sell much more valuable. So, is the real motivation for asking just to improve the value of the data that they sell? Perhaps.

Oddly enough, they’ve been quite happy to answer my questions and update my account even when I use a fake d.o.b., so it seem unlikely that they’re checking these values against my account.

One thought on “Pipex & Data Protection

  1. big part of our customers cannot even answer to these questions, so why do we have to increase security..

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.