Breach details
What | Personal information including national insurance numbers, bank details, and photocopies of passports and driving licences was faxed to a number of incorrect recipients.
How much | An unknown number of records.
When | February 2009 to February 2013.
Why | During this four-year period a number of faxes containing personal information were sent to incorrect recipients rather than to the bank's central processing systems. The breaches occurred on different fax machines in different locations and were made by a large number of staff from different branches. The cause was misdialling, in particular the transposition of the digits 2 and 8. Although the employees concerned were given training and a communication was sent alerting all staff to the issue of misdialling, this specific error was not raised.
BW Comments
The ICO has on many occasions indicated its dislike of faxing, especially where the errors arise from manual misdialling, a cause that could be removed by allowing only pre-programmed destination numbers.
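The control the comment describes (permit only pre-programmed destinations, and catch the specific 2/8 transposition named in the notice before anything is sent) can be expressed as a small pre-dial check. This is an added illustration, not code from the bank, the ICO or Breach Watch; the destination names and numbers are constructed for the example.

```python
# Pre-dial guard for a fax gateway: only allow-listed numbers may be dialled,
# and a near-miss that differs from an approved number only by swapped 2/8
# digits is refused with a reason that can be logged and reviewed.

# Constructed allow-list of pre-programmed destinations (hypothetical numbers).
APPROVED_DESTINATIONS = {
    "central-processing": "02087123456",
    "mortgage-team": "02087128800",
}


def normalise(number: str) -> str:
    """Keep digits only so '020 8712 3456' and '02087123456' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


def differs_only_by_2_8_swap(dialled: str, approved: str) -> bool:
    """True when both numbers have the same length and every differing
    position is a 2 keyed as 8 or an 8 keyed as 2 (the error in the notice)."""
    if len(dialled) != len(approved):
        return False
    diffs = [(d, a) for d, a in zip(dialled, approved) if d != a]
    return bool(diffs) and all({d, a} == {"2", "8"} for d, a in diffs)


def check_destination(dialled: str) -> tuple[bool, str]:
    """Return (allowed, reason). Only pre-programmed numbers are allowed;
    every refusal carries an explanation suitable for an audit log."""
    digits = normalise(dialled)
    if digits in APPROVED_DESTINATIONS.values():
        return True, "approved destination"
    for name, number in APPROVED_DESTINATIONS.items():
        if differs_only_by_2_8_swap(digits, number):
            return False, f"refused: 2/8 transposition of '{name}' ({number})"
    return False, "refused: not a pre-programmed destination"


if __name__ == "__main__":
    for attempt in ("020 8712 3456", "02027123456", "02087123457"):
        allowed, reason = check_destination(attempt)
        print(f"{attempt!r}: {'allowed' if allowed else 'blocked'} ({reason})")
```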
Regulatory action
Regulator | ICO
Action | Monetary penalty of £75,000.
When | 30 July 2013.
Why the regulator acted
Breach of act | Breach of the Seventh Data Protection Principle: the bank failed to provide adequate training or to find a more secure means of transmitting personal information.
Known or should have known | The bank was aware of the risks of sending information by fax, as it had procedures in place to regulate this and instituted some training on discovery of the first breach. However, the continuation of these breaches is testimony to the inefficacy of the measures taken.
Likely to cause damage or distress | The disclosure of the data subjects' personal information is likely to cause them substantial distress, particularly as this information was supposed to be handled in confidence. It also carries the risk that the information could be further disseminated and misused, potentially leading to identity fraud and financial loss.
BW Observations
This is the third breach involving a regulated firm in which the FCA (formerly the FSA) has not taken action and has let the ICO take the lead in respect of a breach of personal data.
Links
View PDF of the Bank of Scotland Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Bank of Scotland Monetary Penalty Notice (via ICO website)