I got a call from Vodafone the other day wanting to discuss my account (in other words to sell me something). I have no doubt that the call was genuine but, shockingly, they commenced by asking me to 'answer some security questions' to conform with data protection act.
In my view, such security questions are to allow you to identify yourself when you make an outgoing call, but you should never - ever - answer such questions on an incoming call. The reason is that it's a tactic that can easily be used by malicious callers to gather the answers to common security questions such as date of birth, postcode, mother's maiden name or whatever etc. Once the answers are known, a villainous party can then call Vodafone (or whoever), and - with luck - be able to gain access to your account details. Even if you believe the caller to be genuine you should refuse, as it's a good way of pointing out to them that their security procedures are deeply flawed.
I had the same issue with one of the banks a while ago. I called them with a question, then they called me back with the answer, but refused to discuss unless I answered some 'security questions'. I refused of course, which led to some interesting dialogue.
I do despair sometimes at the big corporates total lack of comprehension of basic security.