Eleven banks found in breach of data protection legislation by ICO

28 June 2007

Ben Hughes

On 12 March 2007, the Information Commissioner’s Office (“ICO”) named 11 banks and other financial institutions that were in breach of the Data Protection Act after they had discarded personal information relating to customers in waste bins located outside their premises.

The ICO has not brought any enforcement proceedings against these organisations but has required them to sign formal undertakings that they will comply with the data protection principles. Any failure to meet the conditions of these undertakings is likely to result in enforcement action. The undertakings name individual officers of the companies, and serve as a reminder of the public relations implications of a breach of the Data Protection Act.

Deputy Information Commissioner David Smith stated that the ICO considers it unacceptable for banks (or any other organisation) to carelessly discard customer information in this way. He emphasised how important it is for banks to take their data security obligations seriously and pointed out that failure to do so could risk both further ICO action and loss of customer trust.

The ICO’s actions and comments are a clear indication that it continues to treat breaches of data protection legislation very seriously, especially where they may put consumers at risk.

On 10 May 2007 and 17 May 2007 similar undertakings were signed by Cash Generator and Phones4U. These undertakings are publicly available. It was reported in May that the Information Commissioner has audited the Halifax Bank of Scotland (HBOS) as a result of another suspected data breach. HBOS was one of the 11 banks required to sign the undertakings described above, but a further failure is suspected after torn bank statements were found in a bin.