Bank of Scotland fined £75,000 for repeated fax blunder

The Information Commissioner's Office has fined the Bank of Scotland for repeatedly faxing customers’ personal details to the wrong place.

The Bank of Scotland has been fined £75,000 after a series of fax number blunders that went on over four years.

The Information Commissioner's Office (ICO) issued the penalty to the bank for repeatedly sending faxes containing customers’ personal details to the wrong recipients.

Confidential documents that were put into the wrong hands included payslips, bank statements, bank account details, photocopies of IDs, pension plan details and mortgage applications.

The ICO said the slip-ups were a severe breach of data protection laws, which broke the trust of customers and put those involved at risk of identity fraud.

Misdialling

The first incident of a misdirected fax was reported in February 2009 by a third-party organisation.

This was meant to be sent to a data controller organisation called Nexus, which scans documents into its workflow system.

The error was the result of misdialling the Nexus number by one digit - an eight instead of a two.

In total there were 21 incidents where information was mistakenly sent to this organisation, sent from 20 different locations by 20 different staff members.

Meanwhile, a member of the public, whose fax number differed by just one digit from that of an Edinburgh office which processes customer requests, was sent documents containing sensitive information on 11 occasions.

To put an end to this severe data security breach, the bank resorted to buying the fax number from this individual.

Thankfully for the 32 people whose details were involved - the majority of whom were Halifax customers - none of the information was disseminated any further. The parties that received the data in error shredded the documents and reported the incidents to the ICO.

Repeated failings

The ICO said that the Bank of Scotland was told on numerous occasions about the blunders and was told to take action.

But the mistakes continued to happen even while the ICO investigation was going on. The most recent was recorded in February 2013.

In its verdict, the ICO said that the bank had failed to take sufficient technical and organisational measures against unauthorised processing of personal data. For example, it should have invested in better training for staff and in finding more secure methods of sending personal material.

The ICO was especially surprised that staff were not alerted to the recurring error of misdialling the numbers eight and two, given its prevalence.

Human error

Many of the fax machines involved could not be pre-programmed because of their age, which opened the process up to human error.

In its defence, the Bank of Scotland told the ICO that the Nexus fax number receives around 325,000 items of correspondence a week and the misdirected incidents made up only a small percentage of this total.

In a statement, a Lloyds Banking Group spokesperson said: "The security of our customers' data is always our key priority. We apologise that, due to human error, a very small number of documents relating to 32 customers were unfortunately misdirected.

"This occurred over a period in which several million customer documents, using the same process, were correctly received. No customer suffered any harm or detriment as a result of this error. We are continually reviewing our processes to ensure our customers' information remains safe."

But as Stephen Eckersley, Head of Enforcement at the ICO, said: “To send a person’s financial records to the wrong fax number once is careless. To do so continually over a four year period, despite being aware of the problem, is unforgiveable and in clear breach of the Data Protection Act.”

The fine

The £75,000 penalty is the biggest the ICO has issued.

The ICO said that the Bank of Scotland had sufficient financial resources to pay the fine without it causing undue financial hardship.

If the Bank of Scotland pays by 28th August, it will receive a 20% discount, bringing the penalty down to £60,000.

The funds will be added to the Government’s general bank account at the Bank of England.


Copyright © lovemoney.com All rights reserved.

 
