What does BA define as a "sensitive customer"?
Sep 17, 2019, 9:33 am
#31
Join Date: Dec 2012
Location: MAN, PSP
Programs: BAEC
Posts: 208
I wondered if it was a marker to indicate you needed to be treated more diligently - for example, if your data had leaked during one of the episodes and to ensure "you" were "you" they had to require a higher level of authentication during interactions
Sep 17, 2019, 11:30 am
#34
Ambassador: Emirates Airlines
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,618
I used to work on the benefit IT systems (Income Support, Job Seekers Allowance) etc., and they had a concept of 'sensitivity'.
Locally Sensitive - a value of 0 or 1. 1 would mean that the person was only sensitive in that particular office. It might mean something like the person was related to a member of staff at the office.
Nationally Sensitive - 1 = Transexual, 2 = something else, and 3 = VIP (Politician, celebrity etc.)
During a migration onto a new system, we managed to mess up the Nationally Sensitive settings so that everybody that was not 0 got changed to 1....
Locally Sensitive - a value of 0 or 1. 1 would mean that the person was only sensitive in that particular office. It might mean something like the person was related to a member of staff at the office.
Nationally Sensitive - 1 = Transexual, 2 = something else, and 3 = VIP (Politician, celebrity etc.)
During a migration onto a new system, we managed to mess up the Nationally Sensitive settings so that everybody that was not 0 got changed to 1....
Sep 17, 2019, 12:09 pm
#35
Join Date: Jun 2013
Location: UK
Programs: BA GGL, BA Amex Prem, Amex Plat, Hilton Diamond, Sir Crazy8534 de l'ordres des aides de Pucci
Posts: 4,466
Sep 17, 2019, 1:48 pm
#36
Join Date: Jan 2002
Location: Sussex, UK
Programs: BA:Gold Amex:Green :IC Platinum Elite Amb
Posts: 660
On the other hand I don't see the relevance to storing this attribute and quite how it would be used unless IAG are planning Pride Flights?
Sep 17, 2019, 1:57 pm
#37
Join Date: Sep 2010
Location: Las Vegas
Programs: BA Gold; Hilton Honors Diamond
Posts: 3,228
Not exactly BA, but I do remember checking in to the Jury's Hotel in Glasgow many years ago and on the counter in plain sight was a list of guests still to check in. One of them had a large asterisk next to the name and a comment "Has complained before" scrawled next to it. Clearly some sensitivity required there!
Sep 17, 2019, 3:44 pm
#38
Join Date: Aug 2014
Posts: 2,660
Another possibility is that ir is a market to alert staff that there is sensitive information in existence which is not generally available. This might include information about medical conditions and the like which have been provided to BA for the express purpose of demonstrating "fit to fly" but which should not be reviewed by staff in the ordinary course. Having the flag alerts staff to the possibility that a given file may require a different channel review.
Sep 17, 2019, 3:50 pm
#39
Join Date: Aug 2014
Posts: 2,660
While the conspiracy theories are entertaining, there is no remark in PNRS that goes into bookings that says sensitive. I’ve never seen this in a PNR after many years at BA. So this would be customer relations terminology that has been added to the request rather than something seen in bookings.
Last edited by Anonba; Sep 17, 2019 at 3:58 pm
Sep 17, 2019, 7:46 pm
#42
Original Poster
Join Date: Sep 2019
Posts: 7
So if you're considering a SAR, be prepared for a bit of a fight to get the extended marketing data.
The CCV and a bunch of other info was in the standard report but to get the extended marketing (which had the troubling sensitive data in) I had to push very hard and make a complaint to the ICO to get the extended report.
I knew they had certain other bits of data thanks to my experian SAR where I saw them sell certain household data to BA (that itself was purchased from Acxiom - a great one if you want to know how old marketeers think your boiler is or your % chance of buying the Daily Mail) and it wasn't until I sent them the proof of the data I knew they had on me (they tried to play the "we're a processor" multiple times despite Experian saying they were the processor and BA the controller) that I got the extended report (which also includes various social media nuggets and more details from their support team notes).
Sensitive customer was on the basic report for everyone though.
One thing I've learnt in submitting over 180 SARs so far is that you'll send one off and get a response that looks reasonable. It's only once you've submitted a lot of them (which conveniently enough had the line "Please provide all instances where any item of personal data or metadata/inferred data/modelled data about my data has been transferred or sold to any third party indicating the date of transfer, the grounds of the transfer and the controller or processor it was transferred to" in.
Thanks to that one line I was able to start drawing a map of who had sold/sent what where and thus found out that in over 50% of my SAR responses there was some missing data.
So it's an uphill battle then with every company involved trying to force them to provide either the data you know they have (which always reveals a load more data you didn't know they had - like modelled sexuality) or if they say they don't have it asking for proof of deletion.
I never used to really care too much about data privacy until I did my first SAR from a bank as part of a lending complaint. That's when I saw what else they held on me and the can of worms was opened.
Now I'm terrified. I know what data has been sent to the police/security services and god knows what other organisations so now rather than being concerned I've just accepted there is no way for me to put that genie back in the bottle!
I'm working with a colleague to see if we can build a DSARaaS type platform to help out people submit these in an automated way.
But yeah; if you wan't your CIV/CCV value a standard "I want all data you hold on me" to [email protected] attaching your passport, recent utility bill and frequent flyer number should do.
The CCV and a bunch of other info was in the standard report but to get the extended marketing (which had the troubling sensitive data in) I had to push very hard and make a complaint to the ICO to get the extended report.
I knew they had certain other bits of data thanks to my experian SAR where I saw them sell certain household data to BA (that itself was purchased from Acxiom - a great one if you want to know how old marketeers think your boiler is or your % chance of buying the Daily Mail) and it wasn't until I sent them the proof of the data I knew they had on me (they tried to play the "we're a processor" multiple times despite Experian saying they were the processor and BA the controller) that I got the extended report (which also includes various social media nuggets and more details from their support team notes).
Sensitive customer was on the basic report for everyone though.
One thing I've learnt in submitting over 180 SARs so far is that you'll send one off and get a response that looks reasonable. It's only once you've submitted a lot of them (which conveniently enough had the line "Please provide all instances where any item of personal data or metadata/inferred data/modelled data about my data has been transferred or sold to any third party indicating the date of transfer, the grounds of the transfer and the controller or processor it was transferred to" in.
Thanks to that one line I was able to start drawing a map of who had sold/sent what where and thus found out that in over 50% of my SAR responses there was some missing data.
So it's an uphill battle then with every company involved trying to force them to provide either the data you know they have (which always reveals a load more data you didn't know they had - like modelled sexuality) or if they say they don't have it asking for proof of deletion.
I never used to really care too much about data privacy until I did my first SAR from a bank as part of a lending complaint. That's when I saw what else they held on me and the can of worms was opened.
Now I'm terrified. I know what data has been sent to the police/security services and god knows what other organisations so now rather than being concerned I've just accepted there is no way for me to put that genie back in the bottle!
I'm working with a colleague to see if we can build a DSARaaS type platform to help out people submit these in an automated way.
But yeah; if you wan't your CIV/CCV value a standard "I want all data you hold on me" to [email protected] attaching your passport, recent utility bill and frequent flyer number should do.
Sep 17, 2019, 8:01 pm
#43
Original Poster
Join Date: Sep 2019
Posts: 7
I suspect there might be a bulk edit to remove such comments but as it's only an assessment not fact/actual data I suspect it's outside of GDPR much like '% LIKELIHOOD OF DROPPING LAST LEG 98%' would be.
On the other hand I don't see the relevance to storing this attribute and quite how it would be used unless IAG are planning Pride Flights?
On the other hand I don't see the relevance to storing this attribute and quite how it would be used unless IAG are planning Pride Flights?
The data came from Experian/Acxiom. They compile all sorts of modelled data based on purchasing habits and browsing history etc,
I've gotten so used to seeing my modeled data in a lot of SARs (Royal Mail is one of the worst!) that I didn't really bother me (unlike the sensitive field!) as it's so common to be out there. It's not a log of me actually being gay but the % chance of me being gay based on modelling and therefore I imagine not subject to the "sensitive data" types under GDPR.
When I get to the right post links/photos here I'll screenshot parts of the PDFs and Spreadsheets and blur out some bits if I get time at work tomorrow.
I also saw the FT article just now! - Nice one! - One of the reasons I'm doing these SARs that'll be accompanied with some blog posts and sessions at a couple of conferences is to raise awareness. I'd hate to think what it's like for people in the US!
Another good example is Tesco linking up purchases made on credit cards that you haven't got a clubcard associated with. The second you use that clubcard just once they'll go back and associate everything against you. Which is why I can look and see I brought too much Red Bull when I was 14!!
I can also look and see how long I watched Holby City for on iPlayer back in 2014. Because the BBC needs that data in 2019, right?
Don't even get me started on what Grindr sent back....
Sep 17, 2019, 8:06 pm
#44
Original Poster
Join Date: Sep 2019
Posts: 7
Yay 5 approved posts I can share a couple screenshots before I head to bed (approximate bedtime was one of Three UK's metadata lines based on my phone usage data btw. They got it pretty close!)
Here's a small portion of the "standard" report the other one is more complex to screenshot due to the positioning of the data and it's 3am so I'll deal with that tomorrow. Anyone can get this by asking for all data held on them and attaching a passport + recent utility bill (plus all known names, addresses and email accounts so you can loop in any non-exec club bookings as well).
CCV profile is the one you're looking for. I imagine mines dropped right down overnight!
Here's a small portion of the "standard" report the other one is more complex to screenshot due to the positioning of the data and it's 3am so I'll deal with that tomorrow. Anyone can get this by asking for all data held on them and attaching a passport + recent utility bill (plus all known names, addresses and email accounts so you can loop in any non-exec club bookings as well).
CCV profile is the one you're looking for. I imagine mines dropped right down overnight!
Sep 17, 2019, 11:01 pm
#45
Moderator, Iberia Airlines, Airport Lounges, and Ambassador, British Airways Executive Club
Join Date: Feb 2010
Programs: BA Lifetime Gold; Flying Blue Life Platinum; LH Sen.; Hilton Diamond; Kemal Kebabs Prized Customer
Posts: 63,821
It is a bit of an eye opener, I write as someone involved on the periphery of the GDPR development on the political side. What I've found out is that some organisations are getting so nervous about compliance issues that while keeping their customer data within the parameters of GDPR, they are adopting internal automatic deletion processes - after say 3 years - of data, emails and so on, that hasn't been identified as a key record, such as information that contributes to the financial accounts. This is because it's infeasible to manage vast amounts of company data for compliance purposes, while their customer data can be legally held within GDPR's boundaries.
What that effectively means is that many organisations are taking a stricter line on internal preservation than on their own customers' data. GDPR - an important protection that benefits Europeans - hasn't gone far enough. Why is the BBC holding information on your Holby City habits from 5 years ago, or Tesco knows what your teenage drinking habits were - when they are careful to delete internal data well before that. And is it appropriate that a credit scoring agency should be speculating about your sexual behaviour and sending it to an airline?
What that effectively means is that many organisations are taking a stricter line on internal preservation than on their own customers' data. GDPR - an important protection that benefits Europeans - hasn't gone far enough. Why is the BBC holding information on your Holby City habits from 5 years ago, or Tesco knows what your teenage drinking habits were - when they are careful to delete internal data well before that. And is it appropriate that a credit scoring agency should be speculating about your sexual behaviour and sending it to an airline?