I’ve just linked my account to Tail, a new service which gives cashback when I shop. As part of the sign-up I had to give permissions for Tail to access my account data.
When I went to set this up I was presented with a request to give access to:
    View your financial information and transactions:
        Direct debit mandates
    View your personal information:
        Name, contact details
This was an all-or-nothing option, and the amount of data I was being asked to give access to was excessive. When I asked Tail why this was, they said it was because of how Starling groups these as part of Starling’s tiers of access, which are defined by Starling.
Tail only needs access to certain data elements, which sit in two tiers of access, but as a result I have to give access to more data than is wanted or needed.
I think that Starling needs to change this urgently and allow customers to give access only to the specific data elements required. It could be argued that offering access to more elements than is needed breaches data protection principles. It certainly carries a risk of misuse and appears to me to be bad practice.
I recognise that for programmers it may be simpler, but please get your developers to change the API ASAP so permissions can be set to access individual data types only, not tiers. https://developer.starlingbank.com/tiers
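The post above is about consent granularity: a tier bundles several data elements, so a third party that needs two elements ends up granted everything in both tiers. The following is an added example (not code from the original post, and not Starling's or Tail's API) that models the two consent designs side by side and measures the difference. The tier and element names, and the set of elements the third party "needs", are constructed for illustration only.

```python
# Added example: tier-based consent versus per-data-element consent.
# The tier names, element names and the third party's needs below are
# hypothetical and are NOT Starling's real scopes or Tail's real requirements.
from dataclasses import dataclass

# Hypothetical tiers: each one bundles several data elements together, so
# granting a tier grants every element inside it.
TIERS = {
    "financial:read": {"direct_debit_mandates", "transactions", "balances"},
    "personal:read": {"name", "contact_details", "date_of_birth"},
}

ALL_ELEMENTS = set().union(*TIERS.values())


@dataclass(frozen=True)
class Grant:
    """The set of data elements a consent decision actually exposes."""
    granted_elements: frozenset


def minimal_tiers_for(needed):
    """Tier-based model: the smallest set of tiers that covers every needed element."""
    unknown = set(needed) - ALL_ELEMENTS
    if unknown:
        raise ValueError(f"unknown data elements: {sorted(unknown)}")
    return {tier for tier, elements in TIERS.items() if elements & set(needed)}


def grant_by_tier(tiers):
    """Tier-based consent: the grant is the union of every element in each tier."""
    granted = set()
    for tier in tiers:
        granted |= TIERS[tier]
    return Grant(frozenset(granted))


def grant_by_element(elements):
    """Per-element consent: the grant is exactly the elements asked for, nothing more."""
    unknown = set(elements) - ALL_ELEMENTS
    if unknown:
        raise ValueError(f"unknown data elements: {sorted(unknown)}")
    return Grant(frozenset(elements))


def excess_exposure(grant, needed):
    """Elements the grant exposes that the third party never needed."""
    return set(grant.granted_elements) - set(needed)


def authorize(grant, element):
    """Resource-server check: is this element readable under the grant?"""
    return element in grant.granted_elements


def compare(needed):
    """Return (tier_grant, element_grant) for the same set of needed elements."""
    tier_grant = grant_by_tier(minimal_tiers_for(needed))
    element_grant = grant_by_element(needed)
    return tier_grant, element_grant


if __name__ == "__main__":
    # Constructed scenario: the third party needs one element from each tier.
    needed = {"transactions", "name"}
    tier_grant, element_grant = compare(needed)
    print("tier-based grant exposes:   ", sorted(tier_grant.granted_elements))
    print("  excess over what is needed:", sorted(excess_exposure(tier_grant, needed)))
    print("per-element grant exposes:  ", sorted(element_grant.granted_elements))
    print("  excess over what is needed:", sorted(excess_exposure(element_grant, needed)))
    print("date_of_birth readable under tier grant?   ", authorize(tier_grant, "date_of_birth"))
    print("date_of_birth readable under element grant?", authorize(element_grant, "date_of_birth"))
```

The point the comparison makes concrete is that the tier-based grant is a superset of the per-element grant for the same request, and everything in that difference is exposure the third party never asked for. The `authorize` check shows the enforcement side: under per-element consent a request for an element outside the grant is refused by the resource server, whereas under tier consent it is allowed simply because the element shares a tier with something that was needed.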