National Westgate Bank plc

What
Loss of personal data

How much
8 records.

Why
Items of personal data were recovered from refuse bins outside branches in Manchester and Southampton, including fax copies of insurance forms, two cut up debit cards and a list of a customers standing orders and direct debits.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of personal data and that appropriate data protection training is given to all relevant employees.

Reason for action
The ICO had received complaints about Westgate Bank’s failure to adhere to the Seventh Data Protection Principle.

When
23 February 2007

Links
View PDF of the National Westgate Bank plc Undertaking (Breach Watch Archive)

HFC Bank Limited

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from refuse bins used by the Newport Branch of the data controller, including a customer’s loan application form, a collections history printout and other miscellaneous papers.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. Adequate and relevant data protection training must be given to all staff and they are to be required to complete an online refresher course and test on a regular basis of at least once every two years.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
21 February 2007

Links
View PDF of the HFC Bank Limited Undertaking (Breach Watch Archive)

Nationwide Building Society

What
Loss of personal data

How much
Two records.

Why
Items of personal information were recovered from refuse bins used by the Oldham of Nationwide, including a personal financial review in respect of two individuals and a customer information document.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. A review program to monitor compliance must be devised and implemented by Nationwide. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
20 February 2007

Links
View PDF of the Nationwide Building Society Undertaking (Breach Watch Archive)

Alliance and Leicester plc

What
Loss of personal data

How much
Two records.

Why
Items of personal information were recovered from refuse bins used by the Nottingham of the data controller, including a premier current account application form, a life assurance letter and a credit card application form.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. Adequate and relevant data protection training must be given to all staff, who are to be reminded of their obligations relating to customer confidentiality.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle. This was in breach of a policy the data controller had in place.

When
15 February 2007

Links
View PDF of the Alliance and Leicester plc Undertaking (Breach Watch Archive)

The Co-operative Bank plc

What
Loss of personal data

How much
Three records.

Why
Items of personal information were recovered from refuse bins used by the Watford of the data controller, including letter from a customer and a motor insurance quote.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that policies and procedures relating to the disposal of waste containing personal information are updated and strictly adhered. Adequate and relevant data protection training must be given to all staff, including any sub-contractors.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
14 February 2007

Links
View PDF of the Co-operative Bank plc Undertaking (Breach Watch Archive)

United National Bank Limited

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from refuse bins used by the Manchester branch of the data controller, including a copy of a fax showing business and personal account details, a remittance form, a copy of an internal email and other miscellaneous paperwork.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
13 February 2007

Links
View PDF of the United National Bank Limited Undertaking (Breach Watch Archive)

Immigration Advisory Service

What
Loss of personal data

How much
A number of records.

Why
Items of personal information relating to a case before the Asylum and Immigration Tribunal were recovered from refuse bins used by the Birmingham office the data controller.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. Adequate and relevant data protection training must be given to all staff. A review of the processing of personal information is to undertaken to ensure that it is carried out in line with the data protection principles.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
9 February 2007

Links
View PDF of the Immigration Advisory Service Undertaking (Breach Watch Archive)

Scarborough Building Society

What
Loss of personal data

How much
A number of records.

Why
Items of personal information were recovered from refuse bins used by the York branch of the data controller, including a customer’s mortgage application form and copies of supporting bank statements, customer account details, standing order details and other miscellaneous paperwork.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that clear policies and procedures are in place to cover the disposal of waste containing personal information. All paper waste generating in branches must be treated as confidential and be shredded. Adequate and relevant data protection training must be given to all staff.

Reason for action
The ICO had received a complaint about the data controller’s breach of the Seventh Data Protection Principle.

When
9 February 2007

Links
View PDF of the Scarborough Building Society (Breach Watch Archive)

Clydesdale Bank plc

What
Loss of personal data

How much
29 records.

Why
A telephone banking form containing a customers name and contact details, six cash deposit bags showing customer names and account numbers, 22 computerised print outs showing direct debits and bank giro credits to customer accounts and other miscellaneous papers were all recovered from refuse bins outside the bank’s Glasgow branch.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all data protection procedures are updated and strictly adhered to, especially relating to the disposal of confidential waste. Appropriate data protection training must be given to relevant staff.

Reason for action
Policies for secure disposal of confidential waste were insufficient.

When
5 February 2007

Links
View PDF of the Clydesdale Bank plc Undertaking (Breach Watch Archive)

Barclays Bank plc

What
Loss of personal data

How much
6 records.

Why
A Barclaycard was found cut up into four pieces in a refuse bin outside the Park Gate Branch and four cut up debit/visa cards were found along with a deposit envelop in a refuse bin outside the Bristol branch.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all data protection procedures are updated and strictly adhered to, especially relating to the disposal of confidential waste. Appropriate data protection training must be given to relevant staff and all third parties and sub-contractors comply with the data controller’s data protection principles.

Reason for action
Policies for secure disposal of confidential waste were insufficient.

When
2 February 2007

Links
View PDF of the Barclays Bank PLC Undertaking (Breach Watch Archive)