When you make a booking you are making a contract. At that point the airline becomes the data controller for your personal data. (If booked via a third party website then the website and airline are joint data controllers)
The relevant law is principle 6 and 7 of the data protection act
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
Principle 7 requires appropriate security measures to prevent unauthorised processing of personal data.
Of course there must be appropriate security to prevent bookings being changed by someone who shouldn’t – but there is nothing that requires the restrictions that BA require
Bizarrely BA will not let someone change the booking over the phone but will send a direct link to change the booking to the email address supplied (clicking the link takes you into the booking)… and email is a totally insecure method of transit in terms of data protection – it can be intercepted (personal data sent by email should always be encrypted)
So BA are being totally inconsistent as well as making life difficult for people…
Why not just make things simple ?
(btw data protection is my day job….yes… very very boring)