Resources to Support Service Delivery for ISO 22458 Consumer Vulnerability

ISO 22458 Clause 6

Clause 6 covers the resources behind the service - frontline staff capability, online systems, vulnerability data management, third-party representatives and service interruptions.

ISO 22458 Clause 6 - Resources to Support Service Delivery

Clause 6 is about everything that has to be in place behind the scenes for an inclusive service to actually work. The strategy in Clause 4 and the design in Clause 5 only deliver outcomes if the people on the front line have the right resources and training, the online systems support them, the data about vulnerable consumers is handled properly, third-party representatives are dealt with consistently, and the organisation can keep going when an essential service is interrupted.

Frontline Staff - ISO 22458 Clause 6.2

Frontline staff are the people who actually interact with consumers, in person or remotely - customer service advisors, sales advisors, tradespeople, and contracted third parties. Clause 6.2 sets out three requirements for them.

First, they need the resources to do the job - access to the right information, the right systems, escalation routes when a situation is beyond their authority, and time to handle vulnerable interactions properly rather than being measured purely on call handling time.

Second, they need empowerment. The standard is explicit that frontline staff need authority to take reasonable action in the consumer's interest without having to escalate every decision. Empowerment without training leads to inconsistent outcomes, and training without empowerment leads to staff who know what should happen but cannot make it happen.

Third, they need training in consumer vulnerability. The training needs to cover the principles of inclusive service, the risk factors and signs of vulnerability set out in Clause 7, the response options available under Clause 8, the data handling rules, and the third-party representative arrangements. The F-Q101 Consumer Vulnerability Staff Questionnaire provides a structured way to assess understanding after training has been delivered.

Consumer-facing Online Systems - ISO 22458 Clause 6.3

Where consumers interact with online systems directly - portals, self-service platforms, chatbots, automated decisioning - those systems also need to be designed inclusively. Clause 6.3 picks up where Clause 5.4.5 leaves off, focused specifically on the operational behaviour of online systems rather than the design of the website itself.

Practical considerations include keeping language simple, providing clear escape routes from automated journeys to a human, allowing enough time for slow or interrupted responses, avoiding repeated requests for information the system already holds, and being explicit about what data is being collected and why. Where artificial intelligence or automated decision-making is involved, the standard's privacy and transparency principles still apply - the consumer should understand what is happening and how to challenge it.

Management of Consumer Vulnerability Data - ISO 22458 Clause 6.4

Vulnerability data is among the most sensitive data an organisation holds. Clause 6.4 requires a data policy specifically covering vulnerability data, alongside the general data protection arrangements. The data policy needs to set out the purpose of collection, the categories of data, who has access, how long it is kept, how and when it is disposed of, and how the safeguards are communicated to consumers.

Privacy and security follow the principle of least privilege - frontline staff should only access what they need to do their job. IT systems need to be assessed for privacy risks and kept secure. Plans for responding to data breaches must be in place.

Knowledge and consent are central. At the time of collecting, recording or sharing personal vulnerability information, the consumer needs to be told why it is being collected, how it will be used, with whom, the positive and negative consequences of sharing, how to withdraw consent, and how to access and correct the records held.

Internal data sharing is encouraged where it improves the consumer's experience - the same vulnerability information should not need to be repeated every time the consumer contacts a different department. External sharing is allowed only for the purpose of providing specialist information, advice or support, and normally requires consent. The exception is where there is a severe and imminent risk of harm, in which case emergency services or other appropriate services may be contacted without consent.

Dealing with Third-party Representatives - ISO 22458 Clause 6.5

Clause 6.5 is one of the four areas where a specific policy is required. Third-party representatives include partners, family members, carers, social workers, health professionals, financial counsellors and community legal representatives - some with formal mandates, some acting informally. The policy needs to cover how to confirm relevant laws apply, how to deal with claimed mandates until the legitimacy is verified, how much can be shared with informal helpers, where to get specialist advice on the legality of mandates, how to handle interpreters and translators, how to recognise and protect against fraud or financial abuse by third parties, and how to remove third-party rights where circumstances change such as separation or domestic violence.

This is one of the harder areas in practice because the right answer often depends on the specific circumstances. A clear policy and well-trained staff are the operational controls.

Interruptions to Service - ISO 22458 Clause 6.6

Clause 6.6 splits into two parts. Clause 6.6.1 covers interruption due to external events - extreme weather, public health events, major IT outages - and requires a written plan for supporting consumers in vulnerable situations. The plan should cover changes to operations (hours, closures, customer service availability, delivery and collection, ordering options), the anticipated timeline for review, compliance with any government-imposed limits, and what the organisation has learned that could improve the service afterwards.

Clause 6.6.2 covers interruption to essential services specifically. Where the organisation considers any service to be essential, a process must be in place to support vulnerable consumers affected by planned and unplanned interruptions. When an interruption is known about, vulnerable consumers identified by the organisation should be contacted, told the likely period of unavailability, offered alternative arrangements (clean water, electricity generator, alternative heating or cooking facilities are the examples in the standard) and kept updated until the service is restored.

The data piece is what changes most when you actually do this. Before, vulnerability information lives in the head of whichever advisor took the call. After, it sits on the customer record with proper consent, flagged so the next person who picks up the call already knows.

That single change does more for the consumer experience than any policy document, because the consumer stops having to retell their story. The flag system is simple, the consent capture is simple, and the staff training to use it is short.

The third-party representatives policy is the one most organisations under-think. They write it for the obvious case, where someone holds a power of attorney and produces it on request. The harder cases are the family member who calls because their parent is overwhelmed, or the friend who is helping someone navigate a complaint, or the situation where a third party has been given access historically and circumstances have now changed and access needs to be removed.

The policy needs to address those grey areas and the training needs to walk staff through them. The standard is unusually specific in 6.5 about what the policy must cover, which is a useful checklist when drafting it, particularly the requirement to address fraud and financial abuse by third parties.

The other reason to keep that policy current is that case law and regulator guidance in this area are still developing.

Practical Compliance Guidance

Where IMS1 is in use, Clause 6 is reflected through Section 2.2 (responsibilities, including the Vulnerable Consumer Representative duties for staff training and data oversight), Section 4.2 (Control of Purchasing and Outsourced Services, where third-party suppliers including debt collection agencies need vulnerability arrangements), and the references to PP-1-17 in Section 4.3. Data protection arrangements integrate with the existing P-25 Data Protection Policy and P-26 Privacy Policy.

The alphaZ documents below cover the staff training, data registers, third-party policy elements and supporting forms that Clause 6 requires.

| alphaZ document | How to use it |
| --- | --- |
| ISO 22458 Toolkit | Full document set for an ISO 22458 inclusive service management system, including staff training, data register and third-party representative arrangements. |
| PP-1-17 Vulnerable Consumer Procedure | Internal procedure that consolidates the operational arrangements for staff training, data handling, third-party representatives and service interruption. |
| ISO 22458 Awareness Training Course | Training presentation for delivering consumer vulnerability awareness training to frontline staff and managers. |
| GG-1-17 Consumer Vulnerability Guidance | Plain-language general guidance document for staff awareness, used alongside the formal training course. |
| F-Q101 Consumer Vulnerability Staff Questionnaire | Questionnaire for assessing staff understanding of consumer vulnerability after training has been delivered. |
| F-IMS24 Personal Data Register | Register for mapping personal data including consumer vulnerability data, used as the data inventory under the data policy. |
| CC-CV1 Code of Conduct - Vulnerable Consumers | Publicly shareable code of conduct that includes the third-party representatives policy and the interruptions to essential services policy. |

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

The standard does not set a frequency, but annual refresh is a reasonable benchmark with additional training when policies or procedures change, or when monitoring data shows knowledge gaps. The F-Q101 staff questionnaire can be used to identify whether refresher training is needed for specific topics or teams.
Internal data sharing for the purpose of providing a better service to the same consumer is encouraged by the standard and does not normally require fresh consent each time, provided the original consent and the privacy notice cover that internal sharing. The principles still apply - data should only be accessed by staff who need it for their role.
Where suppliers act as frontline staff or interact with consumers on the organisation's behalf - debt collection agencies are an example specifically called out by the standard - their conduct in those interactions is part of the organisation's inclusive service. Supplier appraisal and approval processes should include consumer vulnerability arrangements as a check, and contractual requirements should reflect this.
The standard allows external sharing without consent where frontline staff consider an individual's safety or wellbeing to be at severe and imminent risk of harm. The threshold is high - severe and imminent - and the decision needs to be recorded with the rationale. Outside of that scenario, consent is required for external sharing.

UK Legislation

The following UK legislation is directly relevant to ISO 22458 Clause 6. Organisations outside the UK should identify the equivalent legislation applicable in their jurisdiction.
