The Bank of Scotland plc (BoS) has been landed with the largest Information Commissioners Office (ICO) fine levied against a financial institution for repeatedly faxing sensitive customer documents to the wrong recipients.

The imposition of this monetary penalty notice underlines the importance of ensuring the security of personal data and is a costly reminder of the powers possessed by the ICO where it uncovers a serious breach of the Data Protection Act 1998.

Human Error

In a three year period, during which BoS was warned various times about its "communicational blunders", numerous documents (including bank statements, payslips, mortgage applications and driving licenses) were sent to random third parties.

Although BoS attributed its failings to "human error" (one internal investigation revealed that an employee had been misdialling fax numbers by accidentally pressing "8" rather than "2") and intimated that only 32 customers were affected, the £75,000 fine issued is illustrative of the hard-line approach taken by the ICO when it comes safeguarding personal data.

According to Stephen Eckersley, the ICO's head of enforcement, "to send a person's financial records to the wrong fax number once is careless [but] to do so continually over a three year period, despite having being aware of the problem, is unforgiveable and in clear breach of the Data Protection Act".


The ICO's rationale for serving a hefty monetary penalty notice on BoS was a combination of:

  • an absence of appropriate technical and organisational measures in relation to the risks of faxing documents containing personal data (e.g. staff training and implementing more secure means of transmission);
  • the persistent failure to introduce appropriate measures immediately following known data breaches; and
  • the potential for substantial distress to those whose personal data was compromised.

Even in respect of apparently simple tasks like sending a fax or an email, businesses handling and transferring personal data should be alert to their responsibilities and ensure sufficient protections are in place.