Category Archives: Financial Services

HFC Bank Limited

Posted on by

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from refuse bins used by the Newport Branch of the data controller, including a customer’s loan application form, a collections history printout and other miscellaneous papers.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. Adequate and relevant data protection training must be given to all staff and they are to be required to complete an online refresher course and test on a regular basis of at least once every two years.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
21 February 2007

Links
View PDF of the HFC Bank Limited Undertaking (Breach Watch Archive)

Nationwide Building Society

Posted on by

What
Loss of personal data

How much
Two records.

Why
Items of personal information were recovered from refuse bins used by the Oldham of Nationwide, including a personal financial review in respect of two individuals and a customer information document.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. A review program to monitor compliance must be devised and implemented by Nationwide. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
20 February 2007

Links
View PDF of the Nationwide Building Society Undertaking (Breach Watch Archive)

Alliance and Leicester plc

Posted on by

What
Loss of personal data

How much
Two records.

Why
Items of personal information were recovered from refuse bins used by the Nottingham of the data controller, including a premier current account application form, a life assurance letter and a credit card application form.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. Adequate and relevant data protection training must be given to all staff, who are to be reminded of their obligations relating to customer confidentiality.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle. This was in breach of a policy the data controller had in place.

When
15 February 2007

Links
View PDF of the Alliance and Leicester plc Undertaking (Breach Watch Archive)

Nationwide Building Society

Posted on by

What

Loss of personal data

How much

Not reported, potentially all customers (10+ million)

Why

Theft of unencrypted laptop from staff member’s home.

Regulator

FSA

Regulatory action

Monetary penalty – £980,000

Reason for action

  • Inadequate risk assessment
  • No incident response plan and slow response to theft (3 weeks)
  • Poor staff training and awareness
  • Poor controls

When

14 February 2007

Links

View the press release relating to Nationwide Building Society on the FSA website

View PDF of the Nationwide Building Society Final Notice (via FSA website)

View PDF of the Nationwide Building Society Final Notice (Breachwatch archive)

The Co-operative Bank plc

Posted on by

What
Loss of personal data

How much
Three records.

Why
Items of personal information were recovered from refuse bins used by the Watford of the data controller, including letter from a customer and a motor insurance quote.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that policies and procedures relating to the disposal of waste containing personal information are updated and strictly adhered. Adequate and relevant data protection training must be given to all staff, including any sub-contractors.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
14 February 2007

Links
View PDF of the Co-operative Bank plc Undertaking (Breach Watch Archive)

United National Bank Limited

Posted on by

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from refuse bins used by the Manchester branch of the data controller, including a copy of a fax showing business and personal account details, a remittance form, a copy of an internal email and other miscellaneous paperwork.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
13 February 2007

Links
View PDF of the United National Bank Limited Undertaking (Breach Watch Archive)

Scarborough Building Society

Posted on by

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from refuse bins used by the York branch of the data controller, including a customer’s mortgage application form and copies of supporting bank statements, customer account details, standing order details and other miscellaneous paperwork.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. All paper waste generating in branches must be treated as confidential and be shredded. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
9 February 2007

Links
View PDF of the Scarborough Building Society (Breach Watch Archive)

Clydesdale Bank plc

Posted on by

What
Loss of personal data

How much
29 records.

Why
A telephone banking form containing a customers name and contact details, six cash deposit bags showing customer names and account numbers, 22 computerised print outs showing direct debits and bank giro credits to customer accounts and other miscellaneous papers were all recovered from refuse bins outside the bank’s Glasgow branch.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all data protection procedures are updated and strictly adhered to, especially relating to the disposal of confidential waste. Appropriate data protection training must be given to relevant staff.

Reason for action
Policies for secure disposal of confidential waste were insufficient.

When
5 February 2007

Links
View PDF of the Clydesdale Bank plc Undertaking (Breach Watch Archive)

Barclays Bank plc

Posted on by

What
Loss of personal data

How much
6 records.

Why
A Barclaycard was found cut up into four pieces in a refuse bin outside the Park Gate Branch and four cut up debit/visa cards were found along with a deposit envelop in a refuse bin outside the Bristol branch.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all data protection procedures are updated and strictly adhered to, especially relating to the disposal of confidential waste. Appropriate data protection training must be given to relevant staff and all third parties and sub-contractors comply with the data controller’s data protection principles.

Reason for action
Policies for secure disposal of confidential waste were insufficient.

When
2 February 2007

Links
View PDF of the Barclays Bank PLC Undertaking (Breach Watch Archive)