Bank of Scotland receives £75K penalty after four year fax blunder
News release: 5 August 2013
The Information Commissioner’s Office (ICO) has served the Bank of Scotland with a monetary penalty of £75,000 after customers’ account details were repeatedly faxed to the wrong recipients.
The information included payslips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details. The documents were faxed over a four-year period, with the first incident reported to the bank in February 2009 by a third party organisation.
In total, at least 21 documents were sent to the third party organisation during this time, and a member of the public received a further 10 misdirected faxes. Both recipients had fax numbers that differed by a single digit from the intended one, which belonged to a department within the bank that routinely uploaded faxed documents onto the bank’s systems.
Despite the bank being informed of the problem on numerous occasions, the errors continued. The matter was eventually referred to the ICO by the third party organisation, yet further misdirected faxes were sent even while the ICO was investigating the breaches.
Stephen Eckersley, Head of Enforcement at the ICO said:
“The Bank of Scotland has continually failed to address the problems raised over its insecure use of fax machines. To send a person’s financial records to the wrong fax number once is careless. To do so continually over a four year period, despite being aware of the problem, is unforgivable and in clear breach of the Data Protection Act.
“Let us not forget that this information would have been all a criminal would ever need to carry out identity fraud. Today’s penalty reflects the seriousness of this case.”
Notes to Editors
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO regulates the Data Protection Act 1998, the Freedom of Information Act 2000, the Privacy and Electronic Communications Regulations 2003 and the Environmental Information Regulations 2004. In Scotland, freedom of information is a devolved matter and Scottish public authorities are subject to the Freedom of Information (Scotland) Act 2002 which is regulated by the Office of the Scottish Information Commissioner in St Andrews.
4. Anyone who processes personal information must comply with the eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
5. If you need more information, please contact the ICO press office on 0303 123 9070.