ICO fines Bank of Scotland for 'unforgivable' breach of Data Protection Act

Bank continually sent faxes containing customer details to the wrong address

The Bank of Scotland has been fined by the Information Commissioner's Office (ICO) for breaching the Data Protection Act, following repeated instances of customer details being sent to the wrong recipients.

Documents featuring customer information, including payslips, bank statements, account details and mortgage applications, along with names, addresses and contact details, were repeatedly faxed to the wrong address. The first instance of this was reported in February 2009 by a third-party organisation which had received the fax in error.

The same organisation has since reported receiving a further 21 faxes from the Bank of Scotland, while one member of the public also received ten faxes containing sensitive customer information. Both unintended recipients had fax numbers that differed by only one digit from that of the bank department the faxes were intended for.

Faxes kept being sent to the wrong number despite repeated warnings, with mistakes continuing to be made even as the ICO was investigating the Bank of Scotland - part of the Lloyds Banking Group - for breaching the Data Protection Act.

"The Bank of Scotland has continually failed to address the problems raised over its insecure use of fax machines," said Stephen Eckersley, Head of Enforcement for the ICO.

"To send a person's financial records to the wrong fax number once is careless. To do so continually over a three-year period, despite being aware of the problem, is unforgivable and in clear breach of the Data Protection Act.

"Let us not forget that this information would have been all a criminal would ever need to carry out identity fraud. Today's penalty reflects the seriousness of this case," he added.