The Information Commissioner's Office has fined the Bank of Scotland for repeatedly faxing customers' personal details to the wrong place.
The Bank of Scotland has been fined £75,000 after a series of fax number blunders that went on over four years.
The Information Commissioner's Office (ICO) issued the penalty to the bank for repeatedly sending faxes containing customers' personal details to the wrong recipients.
Confidential documents that were put into the wrong hands included payslips, bank statements, bank account details, photocopies of IDs, pension plan details and mortgage applications.
The ICO said the slip-ups were a severe breach of data protection laws, which broke the trust of customers and put those involved at risk of identity fraud.
Misdialling
The first incident of a misdirected fax was reported in February 2009 by a third party organisation.
This was meant to be sent to a data controller organisation called Nexus, which scans documents into its workflow system.
The error was the result of misdialling the Nexus number by one digit - an eight instead of a two.
In total there were 21 incidents where information was mistakenly sent to this organisation, sent from 20 different locations by 20 different staff members.
Meanwhile a member of the public, whose fax number differed by just one digit from that of an Edinburgh office which processes customer requests, was sent documents containing sensitive information on 11 occasions.
To put an end to this severe data security breach the bank resorted to buying the fax number from this individual.
Thankfully for the 32 people whose details were involved - the majority of whom were Halifax customers - none of the information was disseminated any further. The parties that received the data in error shredded the documents and reported the incidents to the ICO.
Repeated failings
The ICO said that the Bank of Scotland was told on numerous occasions about the blunders and was told to take action.
But the mistakes continued to happen even while the ICO investigation was going on. The most recent was recorded in February 2013.
In its verdict the ICO said that the bank had failed to take sufficient technical and organisational measures against unauthorised processing of personal data. For example, it should have invested in better training for staff and found more secure methods of sending personal material.
The ICO was especially surprised that the recurring error of misdialling the numbers eight and two was not flagged to staff, given its prevalence.
Human error
Many of the fax machines involved could not be pre-programmed because of their age, which opened the process up to human error.
In its defence the Bank of Scotland told the ICO that the Nexus fax number receives around 325,000 items of correspondence a week and the misdirected incidents made up only a small percentage of this total.
In a statement, a Lloyds Banking Group spokesperson said: "The security of our customers' data is always our key priority. We apologise that, due to human error, a very small number of documents relating to 32 customers were unfortunately misdirected.
"This occurred over a period in which several million customer documents, using the same process, were correctly received. No customer suffered any harm or detriment as a result of this error. We are continually reviewing our processes to ensure our customers' information remains safe."
But as Stephen Eckersley, Head of Enforcement at the ICO, said: "To send a person's financial records to the wrong fax number once is careless. To do so continually over a four year period, despite being aware of the problem, is unforgivable and in clear breach of the Data Protection Act."
The fine
The £75,000 penalty is the biggest the ICO has issued.
The ICO said that the Bank of Scotland had sufficient financial resources to pay the fine without it causing undue financial hardship.
If the Bank of Scotland pays by 28th August it will receive a 20% discount bringing the penalty down to £60,000.
The funds will be added to the Government’s general bank account at the Bank of England.