Tutorial

Calling OVO with 'implied consent' - DIY tutorial series

  • 6 October 2020
  • 6 replies
  • 89 views
Calling OVO with 'implied consent' - DIY tutorial series
Userlevel 7

Implied consent and data protection - your guide

 

How does someone have implied consent?


If we receive a call from someone who is not named on the OVO account, for us to decide if the caller has 'implied consent' we'd expect them to be able to pass Data Protection by giving us detailed info about the account..

Questions they must answer:

  • Account holder full name
  • Account holder date of birth (DOB)
  • Full registered address


Plus one of the following:

  • Registered email address
  • Registered phone number
  • Account number


Once implied consent has been passed we can discuss:

  • Information available in Ecoes or Xoserve, the national database for electric and gas supplies.
  • Contract information:
  • Statement or Direct Debit date
  • Meter functionality:
    • Reconnection codes
    • Usage history
    • Messages to the meter (like vend codes)
  • Meter readings
  • Top up or pay a bill 
  • Book emergency appointments
  • Account specific information:
    • Meter bookings
    • Internal ‘cases’ - we can disclose dates of cases being raised; advise to which team; progress/timeline of the case; but not specific details that may not be covered by the implied consent process (reading out emails/memos from the case etc)
    • Complaints (relating to information they are allowed access to)


We can’t:

  • Discuss anything that isn't on the above list
  • Add a member to the Priority Services Register without the account holder's permission
  • Pair an IHD

 

That’s it for your guide on implies consent. Have we missed anything? Let us know via a comment below!


6 replies

Userlevel 7
Badge +1

Hey TIm,

This is just a really quick question about Implied Consent against Secondary Contact.

If I just wanted to allow someone to have some read-only access to my account i.e. Ask about a recent bill, check the account balance is in good shape and maybe put some cash into the account if they fancied topping it up manually, which one is most suitable? In particular, the only sort of “changes” on my account I’d want to allow are simply paying a bill or topping up

I like to work on the principle of least privilege - in other words, granting as little access as possible to get the job done and only to the bits that are required to make it work.

My gut feeling is that Implied Consent sounds like the safer option if the 3rd party is unlikely to call in very often. But I’d be interested in double checking to make sure!

Userlevel 7

Good question, @Blastoise186 

 

There’s a few different actions you’ve lumped together there. Let’s break this down:

 

If I just wanted to allow someone to have some read-only access to my account i.e. Ask about a recent bill, check the account balance is in good shape and maybe put some cash into the account if they fancied topping it up manually, which one is most suitable?

 

  • Ask about a bill: they need adding to the account as a non financially liable contact. 
  • Check account balance: they need adding to the account as a non financially liable contact. 
  • Make a payment: they only need to have implied consent to do this. 

 

We can provide some info with implied consent. Here’s the list for your reference:

 

Once implied consent has been passed we can discuss:

  • Information available in Ecoes or Xoserve, the national database for electric and gas supplies.
  • Contract information:
  • Statement or Direct Debit date
  • Meter functionality:
    • Reconnection codes
    • Usage history
    • Messages to the meter (like vend codes)
  • Meter readings
  • Top up or pay a bill 
  • Book emergency appointments
  • Account specific information:
    • Meter bookings
    • Internal ‘cases’ - we can disclose dates of cases being raised; advise to which team; progress/timeline of the case; but not specific details that may not be covered by the implied consent process (reading out emails/memos from the case etc)
    • Complaints (relating to information they are allowed access to)


We can’t:

  • Discuss anything that isn't on the above list
  • Add a member to the Priority Services Register without the account holder's permission
  • Pair an IHD
Userlevel 2

Hi @Tim_OVO 

My work involves data protection, so I have some knowledge of the issues and sympathy with Ovo trying to balance data law with customer service

That looks like a fair attempt to do so. I’ve just two comments:

  • Is that going to work for emergency appointments? You might need to give your contact handlers scripts for the very stressed, panicking caller – eg account holder is uncontactable or injured when there could not be implied consent.
  • Top up payments or paying a bill would have to come from an account over which the caller has control, and one which may not be known to Ovo. If I were a malign actor looking to phish for info, that’s the scenario I’d use – “oh I’m just trying to pay the bill for X, just let me know which account is used so I can send it from the right one”.
Userlevel 7
Badge +1

Hi there @hecate ,

As someone who works in cybersecurity, I can definitely understand you there. What would your thoughts be on a feature idea such as this one?

 

Based on your comments, I also wonder whether an additional layer of verification might be useful for Implied Consent i.e. something I can’t easily find out about someone just by looking them up?

Userlevel 2

Hi @Blastoise186 

The secondary contact idea would be useful for some customers with specific support needs short of requiring power of attorney.

In my view the trick is to avoid having too many specific use cases - hard to administer and each one may be applicable to only a small group. So extra permissions need to be useful to a wider range of customers, and may not fit each one precisely.

The idea you ourlined in the feature suggetion for non-financial access and the ability for the second contact to be able to do some things independently seem on the right lines. In my world we’d run up user stories and test them with customer groups.

Additional layer of verifcation might be developed and tested in that way too. But in any case the second contact needs some way of verification seprate from the primary.

Does that help at all.

Userlevel 7
Badge +1

Gotcha, that makes a lot of sense too @hecate . :)

I’ll ask Tim to flag this idea up internally as I think you’re definitely onto something here. It’s a really tricky balance to get right, but not impossible.

Reply