AIBU?

Share your dilemmas and get honest opinions from other Mumsnetters.

Reporting a bank that might have broken GDPR

75 replies

pinkcarpet · 21/01/2019 10:49

Does anyone know what I should do as I think a bank might have broken GDPR but they are massively minimising the issue?

So as not to drip feed: applied for a bank account over the phone, then they send a completed form to sign by post. When I opened the envelopes there was someone else’s completed form tucked in behind. Not just a page or so, their entire form with all their personal details on it.

Would IBU to report this to the information commissioner? If it was my details someone else had been sent I’d be absolutely furious. All it needs is for me to sign the form using a fake signature

NigelsBird · 21/01/2019 10:54

A serious break in confidentiality yes, but not a wilful abuse of your personal info which is what GDPR is meant to combat.
The form being sent to you was human error, which however much legislation there is and however careful employees are, you can never completely remove the risk of.
What do others think?

M3lon · 21/01/2019 10:56

I would definitely report it.

They should have mechanisms in place to prevent that happening, e.g. sending out blank forms.

This is their profits versus data safety and they are making a poor choice!

Hollycatberry · 21/01/2019 11:07

You can report it, but I doubt they will do a lot as the ICO will have finite resource and cannot investigate every breach, particularly if it’s just a one off error. They won’t be dishing out the “4% of turnover” fine for something like this (sorry).

I would personally complain to the bank itself. The bank can use this information to put the situation right and put action in place to try and stop it happening again.

pinkcarpet · 21/01/2019 11:36

I have complained to the bank. They just asked me to shred the form. Weren’t very apologetic

pinkcarpet · 21/01/2019 11:37

Should I contact the person on the forms? I have his phone number and email address

ItsMEhooray · 21/01/2019 11:39

This has happened to me a few times. I got an email from a solicitors office once with all these papers with details of somebody's divorce and custody arrangements [confused]. I just emailed them to let them know and deleted it all. It is human error.

DontCallMeCharlotte · 21/01/2019 11:39

I have made a couple of small GDPR errors since it came in and both times my heart has sunk and I've felt physically sick. I think I might apply for a job at Lloyds so I can stop worrying [grin]

pinkcarpet · 21/01/2019 11:43

It makes me worry what they could send out about me by mistake. Needless to say I will be taking my business elsewhere and not returning my application unless they seriously apologise

thecatsthecats · 21/01/2019 11:44

No. Shred them, as the bank said.

MereDintofPandiculation · 21/01/2019 11:46

"Should I contact the person on the forms? I have his phone number and email address"

I would ask the bank to contact the person and to confirm to you in writing that they have done so. I don't think the person will feel any more comfortable knowing that you've hung on to their contact details and have contacted them directly. And you would then yourself be breaching GDPR because you are using their personal details which they have certainly not given their consent for, and none of the other reasons for holding data (eg "legitimate interests") would apply.

ApolloandDaphne · 21/01/2019 11:47

I would shred it and forget about it. It was human error and we all make mistakes. You seem very over invested in this and determined to make a huge deal out of it.

Wingbing · 21/01/2019 11:52

What apollo said.

greenelephantscarf · 21/01/2019 11:55

I would report as it seems that the bank doesn't intend to.
They should report the breach to the ICO and inform the party whose data was breached.

Grace212 · 21/01/2019 11:58

it is human error

I got someone else's mortgage forms from a bank when I applied

I think their attitude is a bit crap, they should be more concerned but sadly I expect they are all like that.

Bombardier25966 · 21/01/2019 12:03

What would you like them to do OP? These letters are often all done by machine, and sometimes the machine picks up another piece of paper (like your printer will do sometimes).

What do you think another bank will do differently?

Charmatt · 21/01/2019 12:20

If there is a data breach, the onus is on the company to address it and put plans in place to ensure that procedures are changed so the risk of it happening again is minimised. If the bank haven't done that then they should be reported.

Have you asked to speak to the bank's data protection officer? They might take it more seriously.

Bakingberry · 21/01/2019 12:33

OP, don't contact the other person. That will just worry them unnecessarily. If you've raised a complaint with the bank, they can look into it.

I knew someone that worked in compliance for a bank years ago, they told me banks covered themselves in T&Cs about things like that. Apparently it was common for people to be sent someone else's statement in with their own. This was years ago and long before GDPR.

CuriousaboutSamphire · 21/01/2019 12:43

Don't contact them. What good would it do?

Just destroy the paperwork and move on!

M3lon · 21/01/2019 13:37

The thing with a lot of these examples others have raised is that there is no way to prevent the error entirely.

In the case the OP has raised the bank could cease sending out completed forms and entirely prevent this from occurring.

They don't do that because they think they will get more people buying their product if they pre-complete the forms. They are probably right about that...but they don't need to do it and given they can't do it without screwing up...they should NOT do it.

That's why this is worth a complaint when many of the other examples cited aren't.

BitOutOfPractice · 21/01/2019 13:43

GDPR relates to how people use and store data. Not to legislate against human error as is clearly the case here

Fightingfit2019 · 21/01/2019 13:55

GDPR would not cover this. Just shred the information as instructed by the bank. Do not contact the person, as it then shows you’ve held on to that information.

ZenaThor · 21/01/2019 13:59

Actually GDPR would cover this. It is a minor breach with limited effect to the affected party but a breach nonetheless. The bank should notify the Data protection authority but it’s not necessary to notify the individual and therefore you should not either.

babysharkah · 21/01/2019 14:02

Surely it's just human error. Shred it and forget it.

QuilliamCakespeare · 21/01/2019 14:04

The Prudential Regulation Authority and Financial Conduct Authority regulate banks. You could try them.

CrabbyPatty · 21/01/2019 14:09

Definitely don't contact the individual yourself, that's really intrusive. I get that we all want to know our data is secure but I do think you're making a mountain out of a molehill here. As PPs have said it's a mistake. All banks will have done this before so I don't think taking your custom elsewhere is proportionate. I work for the NHS and sadly all NHS trusts have made this mistake too. We don't want to and aim to make systems as foolproof as possible but sometimes things go wrong. I'm not even sure what they'd be apologising to you for. I know others have said that the person whose data was breached shouldn't be informed but in the NHS we do notify individuals under duty of candour, but I'm not sure if only certain circumstances apply. But I do think that's between them and the bank. If you do want satisfaction you can perhaps write to the bank to ask for assurances as to what they are doing to minimise the risk of that happening again e.g. in the NHS there would need to be an incident report etc.