Awareness of how to handle casual requests for information, about themselves, the business, or their customers. It is illegal to disclose personal information to a third party without a specific reason for doing so under relevant data protection law — so, no, you can’t confirm your boyfriend’s registered birthday so as to help someone plan a surprise treat.

Understanding of how to verify requests for information, and confirm that enquirers are who they say they are.

This final point can be actively tested and mystery shopped, and this is a good way to put theory into practice and identify remediation training needs.

For example, a caller says they are from the IT department and need to check your password, or your bank phones to confirm details of a recent transaction — how does the recipient respond?

They should be aware that no one will EVER ask them to share a password by phone or any other way, and that if someone says they are from your bank or other trusted third party, the only way to verify this is to call them back on a publicly available number. If a patient phones to request results of a sensitive health screening, then they should be asked to provide proof of identity via pre-established security questions (preferably ones they haven’t shared in a Facebook quiz), before the result is disclosed.

More info: process technician