The Bank of Scotland has received a £75,000 monetary penalty from the Information Commissioner's Office (ICO) after customers' account details were repeatedly faxed to the wrong recipients.
The incident first came to light when a member of the public reported that they had been sent another person's mortgage information in 2009; their fax number was one digit different from the intended recipient's. A second fax was sent to the wrong recipient in the same year, this time to a number differing by two digits. The member of staff responsible was subsequently trained, but in 2011 the same member of the public complained to the data controller that they had continued to receive misdirected faxes, amounting to 60 in total.
The information included payslips, bank statements, account details and mortgage applications, along with customers' names, addresses and contact details. In total, at least 21 documents were sent in error during this time, with another member of the public receiving a further ten misdirected faxes.
Despite knowing of the mistakes, and despite a warning from the Information Commissioner to the data controller, four further faxes were misdirected in 2012, including one containing a death certificate sent to the wrong address.
The ICO said that the data controller had “failed to take sufficient appropriate technical and organisational measures against unauthorised processing of personal data so as to effectively prevent such unauthorised processing occurring”.
The penalty notice said that “given the consistent and widespread nature of this error, it appears reasonable to the commissioner that the data controller should also have taken steps to alert its staff, not only to the general issue of misdialling, but also the prevalence of this particular error”.
In issuing the £75,000 fine, the ICO said it was satisfied that the contravention was of a kind likely to cause substantial damage and distress. One of the recipients said that they had shredded the faxes upon receiving them.
Stephen Eckersley, head of enforcement at the ICO, said: “The Bank of Scotland has continually failed to address the problems raised over its insecure use of fax machines. To send a person's financial records to the wrong fax number once is careless. To do so continually over a three-year period, despite being aware of the problem, is unforgivable and in clear breach of the Data Protection Act.
“Let us not forget that this information would have been all a criminal would ever need to carry out identity fraud. Today's penalty reflects the seriousness of this case.”