The Bank of Scotland has been fined £75,000 after a series of fax number blunders that went on over four years.
The Information Commissioner's Office (ICO) issued the penalty to the bank for repeatedly sending faxes containing customers' personal details to the wrong recipients.
Confidential documents that were put into the wrong hands included payslips, bank statements, bank account details, photocopies of IDs, pension plan details and mortgage applications. The ICO said the slip-ups were a severe breach of data protection laws, which broke the trust of customers and put those involved at risk of identity fraud.
The first incident of a misdirected fax was reported in February 2009 by a third-party organisation.
The fax was meant to be sent to a data controller organisation called Nexus, which scans documents into its workflow system.
The error was the result of misdialling the Nexus number by one digit - an eight instead of a two.
In total there were 21 incidents in which information was mistakenly sent to this organisation, from 20 different locations and by 20 different staff members.
Thankfully for the 32 people whose details were involved - the majority of whom were Halifax customers - none of the information was disseminated any further. The parties that received the data in error shredded the documents and reported the incidents to the ICO.
The ICO said that the Bank of Scotland was told on numerous occasions about the blunders and was told to take action. But the mistakes continued to happen even while the ICO investigation was going on. The most recent was recorded in February 2013.
In its verdict the ICO said that the bank had failed to take sufficient technical and organisational measures against unauthorised processing of personal data. For example, it should have invested in better training for staff and in finding more secure methods of sending personal material.
The ICO was especially surprised that staff were not alerted to the recurring error of misdialling the numbers eight and two, given its prevalence.
Many of the fax machines involved could not be pre-programmed because of their age, which opened the process up to human error. In its defence the Bank of Scotland told the ICO that the Nexus fax number receives around 325,000 items of correspondence a week and the misdirected incidents made up only a small percentage of this total.
In a statement, a Lloyds Banking Group spokesperson said: "The security of our customers' data is always our key priority. We apologise that, due to human error, a very small number of documents relating to 32 customers were unfortunately misdirected.
"This occurred over a period in which several million customer documents, using the same process, were correctly received. No customer suffered any harm or detriment as a result of this error. We are continually reviewing our processes to ensure our customers' information remains safe."
But as Stephen Eckersley, Head of Enforcement at the ICO said: "To send a person's financial records to the wrong fax number once is careless. To do so continually over a four year period, despite being aware of the problem, is unforgiveable and in clear breach of the Data Protection Act."
The £75,000 penalty is the biggest the ICO has issued. The ICO said that the Bank of Scotland had sufficient financial resources to pay the fine without it causing undue financial hardship. If the Bank of Scotland pays by 28th August it will receive a 20% discount, bringing the penalty down to £60,000.
The funds will be added to the Government's general bank account at the Bank of England.