Security level to provide account information on website

  • #20849
    Anonymous
    Guest

    This is my first posting so pardon me if I am not following the protocols of this board.

    This posting is about the website feature for the customers to check their account details online – like Council Tax/Business Rates bill balance, HB/CTB claim receive status, Award date/amount, payment details etc.

    The question is – what level of security and user authentication is considered necessary to prevent misuse and to comply with Data protection.

    A few websites that I have seen require only the Account Nos (like for Council Tax balance enquiry) to be input to display the balance. There are few websites that ask for Surname and/or Postcode and/or first line of address.

    The implication is that if somebody’s Council Tax Bill lands up with a second person, this second person can easily access the original customer’s information.

    Even if this basic input of information is considered as sufficient check to display the balance because it is only the balance of the bill and not sensitive data (although most customers would not prefer anybody to know their balances) – would this or such an approach be sufficient to justify providing much more information on the website like HB/CTB claim status, award, payment etc under such basic checks (security level).

    Your experiences and comments will be much appreciated on how to address this issue to balance the need of security and practicality.

    Thanks

    #3733
    Anonymous
    Guest

    This is something we are currently at. The authentication process is the most critical aspect of any e-gov interaction, because you have to ensure that the person accessing the information is the person who is entitled to access that information.

    I believe that in order to prevent multiple user IDs and passwords across Authority wide or Government wide services, that local authorities can latch onto the Government Gateway project (http://www.gateway.gov.uk) which provides user authentication for all e-gov services.

    My understanding of this (which may be wrong!) is… If you used this, your customer would register with the government gateway, indicate what services they would require access to. Your Authority would be contacted and you would grant that user access on your system. The user would then log on via the government gateway site and be able to access all their e-gov services through one portal.

    If Authorities do not adopt this approach, they may adopt a similar approach, but just for their authority – ie the customer logs on once and has access to all their services.

    I think the overriding point of authentication, is that it needs to be more secure than the methods proposed in your post. Put yourself on the other side of the fence – perhaps as a vulnerable HB claimant, or indeed your own council tax bill. You need to do everything reasonable to ensure that the information is only viewed by the appropriate person.
