By Brian Davidson, CIPP/E
The ICO has served a 75k GBP monetary penalty notice on the Bank of Scotland after customer account details were repeatedly faxed to the wrong recipients over a four-year period.
The information included payslips, bank statements, account details and mortgage applications along with customer names, addresses and contact details, with the initial incident being reported to the bank by a third-party organization back in February 2009.
At least 21 documents are understood to have been sent to the third-party organization during this period, with a separate member of the public receiving a further 10 misdirected faxes. Both parties had fax numbers that were one digit outside the intended recipient, which was a department within the bank that routinely uploaded documents onto the bank’s systems.
Despite the bank being informed of the problem on various occasions, the errors were said to have continued. The matter was eventually referred to the ICO by the third-party organization. It is understood that errors still continued to be made even as the ICO was investigating the breaches.
A copy of the Monetary Penalty Notice is available here.
Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.