Does the Bank of Scotland ICO fine signal a harder-line approach to DPA policing for the Private Sector?
Date: Aug 12, 2013
Guest post: Tony Pepper, Egress.
Bank of Scotland (part of Lloyds Banking Group) hit the headlines last week after receiving a £75,000 fine from the Information Commissioner’s Office (ICO) for repeatedly sending customer details to incorrect fax numbers over a three-year period – despite repeated warnings.
Staff trying to fax documentation internally instead sent highly confidential customer information – including account and contact details, payslips, bank statements and mortgage applications – to two third-party organisations. Although the first misdirected fax was reported back in 2009, the errors continued until the ICO launched an investigation in April 2012.
While £75,000 is the largest fine levied by the ICO against a financial company, it is a drop in the ocean compared to Lloyds Banking Group’s £1.6bn net profit for the first six months of 2013.
However, the fine is indicative of the wider ramifications that breaches of the Data Protection Act (DPA) will have for private sector organisations.
ICO Head of Enforcement Stephen Eckersley labelled the Bank of Scotland’s behaviour as “unforgivable”, demonstrating an uncompromising position on organisations that treat highly sensitive information recklessly. Although there is currently no general legal obligation on data controllers to report data breaches, proposed changes to EU data protection legislation could alter this, and the ICO is also pressing for custodial sentences to be available for the most serious DPA offences.
The tide is turning in the private sector: pressure to comply with the DPA is increasing, and the consequences for those who continue to flout it will only get more severe. The investigation into Bank of Scotland and the subsequent fine reveal the ICO’s unswerving commitment to upholding the DPA, as well as its ability to levy penalties against even the largest private sector organisations.