
High Street Banks Flout Data Protection Rules

British banks are regularly breaching data protection rules, the consumer group Which? Money has warned.

It found that between August 2009 and August 2010, there had been 515 complaints lodged with the Information Commissioner’s Office (ICO) about data protection breaches by eight of the UK’s biggest banks and building societies.

These instances pertain to complaints where the ICO thought it was likely the banks had broken the rules set out by the Data Protection Act 1998.

Banking Shame

Which? used Freedom of Information Act (FoI) requests to the ICO to find out how many data protection breaches banks and building societies have made.

And it seems that some of the biggest are the worst offenders, with Barclays, Lloyds and Santander the leading culprits.

Barclays topped the table as the bank with the most breaches at 116 complaints. Second was Lloyds TSB, now owned by the taxpayer, with 114 complaints. And Spanish-owned bank Santander took third spot with 103.

According to Which? Money, over half of all complaints arose from banks failing to properly provide customers with copies of the data held about them.

“Other potential breaches included banks holding inaccurate data about customers, failing to follow security measures and the disclosure of data to third parties,” said Which? Money.

Getting Worse

The consumer group warned that financial companies are getting worse at looking after our data. It said that in 2009, there were 1,163 complaints about banks and other lenders – up from 1,060 in 2008. In contrast, data protection-related complaints about other organisations, such as local authorities and HM Revenue & Customs, went down over the same period.

Worryingly, it seems that the general public remain ignorant of the Information Commissioner’s Office (ICO) and what it does. Apparently just one in 10 people (13 percent) had heard of the ICO and knew that it was the organisation they needed to complain to.

Which? remains concerned that there is no legal obligation for organisations to report data protection breaches to their customers or the ICO.

“Banks and building societies hold incredibly sensitive information and the impact on customers can be serious if they mishandle it, from affecting credit ratings to leaving people open to fraud,” Richard Lloyd, executive director at Which? was quoted as saying in the Telegraph.

“Consumers who suffer financial loss or stress as a result of data mismanagement by firms should be entitled to compensation,” he added. “Regulators need to impose much tougher sanctions on firms who are lax with people’s data, as the message clearly isn’t getting through.”

ICO Criticisms

The Information Commissioner’s Office recently published a new statutory code of practice on data sharing, setting out guidelines on when data can be shared and how it should be protected.

And last year, the ICO was given the power to issue fines of up to £500,000 for any serious data breaches, and has even asked for the power to jail offenders.

However, the ICO continues to face persistent criticism for allegedly failing to act on the majority of breaches. Last month, for example, encryption specialist ViaSat UK used an FoI request to reveal that the ICO had acted on only one percent of the data breaches reported to it. The ICO disputes those findings.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
