Bank of Scotland

Breach details

What Personal information including national insurance numbers, bank details, and photocopies of passports and driving licenses was faxed to a number of incorrect recipients.
How much An unknown number of records.
When February 2009 to February 2013.
Why During this four year period a number of faxes containing personal information were sent to incorrect recipients rather than the bank’s certal processing systems. These breaches occurred on different faxes in different locations, and were made by a large number of staff from different branches. This was due to misdialling and in particular the transposition of the numbers 2 and 8. Although the employees concerned were given training on this issue and a communication was sent alerting all members of staff to the issue of misdialling, this particular error was not raised.

BW Comments

The ICO has on many occasions indicated his dislike of faxing, especially if the errors occurred because of manual misdialling which could be rectified by only allowing pre-programmed numbers.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 75,000.
When 30 July 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the bank failed to provide adequate training or to find a more secure means for the transmission of personal information.
Known or should have known The bank was aware that there were risks associated with sending information by fax as it had procedures in place to regulate this and instituted some training on the discovery of the first breach. However, the continuation of these breaches is testimony to the inefficacy of the taken measures.
Likely to cause damage or distress The disclosure of personal information of the data subjects is likely to cause them substantial distress, particularly when this information was supposed to be dealt with in confidence. It also carries the risk that the information could be further disseminated and misused, potentially leading to identity fraud and possible financial loss.

BW Observations

This is the third breach where a regulated firm where the FCA (FSA) has not taken action and has let the ICO take the lead in respect of a breach of personal data.