On Tuesday 13 March the financial services industry received another warning to take data protection compliance seriously – 11 banks and other financial institutions were publicly named and shamed for failures to adequately protect the personal data of their customers.
In autumn 2006, consumer group ScamsDirect and the BBC Watchdog programme collected personal data from bins outside high street branches of 11 major banks and building societies. The personal data consisted of cut-up credit cards, letters containing customers' names, addresses and account details and PIN details. The BBC contacted the Information Commissioner's Office ("ICO"), which launched an immediate investigation. When the BBC Watchdog programme was broadcast in October 2006, the customers who were interviewed were said to be "horrified to learn that their details were not disposed of securely".
Following its investigation, the ICO found that the organisations had breached their obligations as data controllers in respect of these data under the Data Protection Act 1998 ("DPA"), and the Seventh Principle in particular. In a departure from its usual enforcement practice, the ICO took the bold step of obtaining written undertakings from each of the organisations, requiring them to improve certain aspects of their DPA compliance, and published copies of the undertakings on its website as public documents.
The undertakings are available to download and describe precisely what materials were found and where. Although the volumes of information were not substantial, the types of personal data found made the incidents significant as examples of compliance breaches.