Orange’s “full investigation” seems to have come to the wrong conclusion
Posted on May 9th by William in Customer service
Hurrah. A reply from the relatively efficient Orange executive office (which replies to emails and seems to work on Saturdays also):
Case Reference: 1590697
Account Number: 57542748Please respond to executive.office@orange.co.uk
Dear Mr Heath,
Thank you for your email received 5 May 2009 regarding an additional Orange account.
Whilst I acknowledge the comments raised in your email, I confirm a full investigation has been carried out and unfortunately, you are liable for the charges incurred on the above Orange account.
For any further action you would need to speak to the relevant Police Officer dealing with your enquiry and they can contact the Police Liaison Department within Orange to try and obtain any video footage that the Orange Retail Store may have.
Whilst I appreciate this may not be entirely to your satisfaction, I am unable to assist you any further at this point.
Yours sincerely
Jaime Peart
Executive Office
Great. So although this is Orange’s problem not mine, they transfer the entire burden of time, cost and hassle onto me to deal with this via the police. I’m not sure they’ve taken any extra trouble other than to go back to the original confirmation by the fraud department that in their view I’m liable. What do we do next?
You have them on the horns of a splendid dilemma. Put in a DPA subject access request for any CCTV footage. If they want to assert that the person it shows is you, they will have to give it to you. If they refuse to give it to you because the person it shows might not be you, then that doubt must taint the transaction as well. Since it’s pretty unlikely that phone fraudsters seek to draw attention to themselves by walking around on stilts, the absence of quite basic physical resemblance should be pretty striking.
Top tip.
I wonder whether the DPA subject acces request goes to Orange, or to the retailer at 156 Oxford Street? I guess they both have it by now…
Excellent idea – why not even state in the SAR letter that you are asking for information about someone else that they claim is you? That should lock them into some sort of logic loop that might actually cause a corporate lawyer to overheat and explode.
Have you already submitted a SAR? Because if you articulate this is a fraud issues in the SAR request than the default action is for Orange to refer you to police.
Alternatively, if you have yet to submit a SAR request and they think you are the person that is liable this is what I would suggest doing.
Initially, I suggest not telling Orange (in the SAR request) that the person in the store is not you and in fact committing fraud. This just gives them an excuse to drag this out and get you to work with the police instead of them, resulting in unnecessary bureaucracy.
The SAR Request Logic:
First,
I suggest putting in a SAR request specifically for the date December 5 2008, starting with a request for the transaction record for that day which should be time stamped.
Second,
(in same SAR request) I would request video footage corresponding to the time stamp of the transaction on December 5th.
Third,
I would request a complete history of transactions, time stamps, and locations that you can use to compare to your own records due to possible inconsistencies. (This would be useful for further investigation in a subsequent SAR request.)
Fourth,
Request a copy of the personal identification (eg debit card, drivers license, signature on contract) that may have been used for the completion of the transaction on Dec 5, along with the procedure of authentication/verification used on Dec 5 for the transaction that occurred.
When the SAR response is received I would look at the video to see if your recognize the perpetrator, then logically take steps to pick apart Orange authentication, verification, and sales process which is enabling the fraud to take place.
Recording the time, cost, each correspondence, and a detailed account of stress caused to you in case further action is desired at a later date.
The Actual SAR Request I would change a little from the letter u showed me earlier. Something like:
Dear Sir/Madam,
I write in connection with Orange account number (insert number).
I wish, under section 7(1) of the 1998 Data Protection Act, to make a Subject Access Request. This means I require a paper copy of all information that your organisation holds about me. This needs to include a detailed explanation of the automated decisions involved in the transactions on Dec 5, 2008 specifically with any process that references me or this transaction.
This SAR request includes:
1. A copy of transaction on Dec 5, 2008, including the time stamp
2. The video from that store which corresponds to that time stamp
3. Copies of all transactions that occurred on my account from November 2008 to Feb 2009, including timestamp and location
4. The identification documents, numbers, and processes which was referenced in order to carry out the transaction process on Dec 8, 2008 to verify my identity, and authenticate me
***
This should get something more concrete from them.
So – there’s something I dont quite get here. If one puts in an SAR, does one not get ALL the personal information linked to one’s name? That’ll be a lot – I’ve had a legitimate account for 12 years.
Is it best therefore to ask for everything but to add a schedule (”specifically including but not limited to…”)
Also, would for example location data count as personally identifiable data? It is, after all, if the police want to track someone. And bills?
If this process worked I’d be getting a fat file…