Permissions


#1

I’ve just linked my account to Tail, a new service which gives cashback when I shop. As part of the sign-up I had to give permissions for Tail to access my account data.

When I went to set this up I was presented with a request to give access to:

View your financial information and transactions:
Balances
Direct debit mandates
Payees
Transactions

View your personal information:
Accounts
Addresses
Cards
Name, contact details

This was an all or nothing option and the amount of data I was being asked to give access to was excessive. When I asked Tail why this was they said it was because of how Starling groups these as part of Starling’s tiers of access, which are defined by Starling.

Tail only need access to certain data elements which sit in two tiers of access but as a result I have to give access to more data than is wanted or needed.

I think that Starling need to change this urgently and allow customers to only give access to the specific data element required. It could be argued that offering access to more elements than is needed breaches data protection principles. It certainly carries a risk of misuse and appears to me to be bad practice.

I recognise that for programmers it may be simpler but please get your developers to change the API ASAP so permissions can be set to access individual data types only not tiers. https://developer.starlingbank.com/tiers

Thanks


#2

@sarah.gilbert Should we be concerned by this?


#3

This is the reason I didn’t link up Money Box. Too much was being requested.


#4

@sarah.gilbert are you able to advise?


#5

Hi @Cecilia_Highley perhaps you can explain more. Cecilia is product manager for partner integrations.


#6

Hi @ninepine, hope you’re enjoying using Tail!

So yes, as Tail explained to you, the way our permissions currently work is that they are grouped into one of 5 “Tiers” depending on what the data is. So for example Tail needs to access your transactions and your account details, so needs to access both of these Tiers which is why you see them accessing everything contained within these groups like you posted.

We definitely are planning to move away from this All or Nothing approach and make it on an API basis; we created it in Tiers to start because it was simpler and obviously no integrations were actually live at the time other than for testing purposes! I added this issue into our Trello board in the short-term pile so you can see how we are getting on with this.

Also, just to reassure you, our compliance and security teams do (and will continue to do!) extensive checks on every potential partner who applies for access to any Tier of customer data, including checks on their Privacy Policy and Information Security Policy.

I’ll keep you posted on when we get this done :grinning:


#7

Thanks @Cecilia_Highley it’s great that you have already recognised the issue and are working on an alternative. I’ll subscribe to the Trello Board.
:+1: