

Reporting a bank that might have broken GDPR

75 replies

pinkcarpet · 21/01/2019 10:49

Does anyone know what I should do as I think a bank might have broken GDPR but they are massively minimising the issue?

So as not to drip feed: applied for a bank account over the phone, then they send a completed form to sign by post. When I opened the envelopes there was someone else’s completed form tucked in behind. Not just a page or so, their entire form with all their personal details on it.

Would IBU to report this to the information commissioner? If it was my details someone else had been sent I’d be absolutely furious. All it needs is for me to sign the form using a fake signature.

Cookit · 21/01/2019 14:22

It’s human error. Destroy and move on. I don’t understand why you feel like you still need to do more.

LIZS · 21/01/2019 14:23

Check the bank's website, their privacy policy should be available there with a complaints process.

Sparklesocks · 21/01/2019 14:26

I reported a case to the ICO after I had an unsatisfactory response from a retailer who misused my personal data. They confirmed I was correct and there had been a breach, and they'd be following up with the retailer to share their recommendations. The retailer then got in touch and I received a formal apology from a senior member of staff.

I don't really know how it would work in your case as it was someone else's data - not yours - which was mishandled, so I'm unsure which article that would refer to, but you could look on the ICO site and see if anything matches up with your complaint.

alltheusernames · 21/01/2019 14:29

This happened to me, with Lloyd's, they followed the complaints procedure and offered me £100 compensation, wasn't my data but I felt they dealt with it seriously. It was a mailing sort issue their end. If you're not happy with their response then yes escalate it to ICO. I'd expect them to explain how it happened, how they plan on it not happening again and an apology.

Lovewineandchocs · 21/01/2019 14:32

Yes, you should report it to the ICO. The bank should inform the other party and report it to the ICO as a data breach within 72 hours of it happening, but since they haven’t, there’s nothing to stop you reporting it if you wish it to be investigated.

RomanyRoots · 21/01/2019 14:32

I would report it but it won't come under GDPR, thank goodness.
Companies are pretty shit hot on the new law, the fines are millions and staff can be personally responsible along with the company.

SciFiScream · 21/01/2019 14:36

Sheesh if I email the wrong person (about anything) I have to report myself to the internal information security dept!
So if I email SueD about lunch instead of SueB - I have to report it!

Lovewineandchocs · 21/01/2019 14:44

romany a personal data breach does come under GDPR.

alltheusernames · 21/01/2019 15:16

Of course it comes under GDPR... what do you think GDPR is?!

alltheusernames · 21/01/2019 15:19

@Lovewineandchocs it would depend on the data on the form as to whether it is severe enough for the bank to need to report it themselves, I doubt it is a breach but an incident (the word breach gets thrown around a lot but GDPR addresses what a breach is and when it is an incident, still to be addressed but not as serious), either way if they don't handle it sufficiently the OP should report it herself.

Charlie97 · 21/01/2019 15:26

It's human error, it's always going to happen.

You receiving this information has no detriment to the borrower?

So you know that Mr Smith that lives in Bolton has borrowed £50k, so what? If some random person knew my mortgage/loan details I couldn't care less?

GDPR is not going to stop human error, nor was it intended to.

Bowchicawowow · 21/01/2019 15:29

There is so much terrible advice on here. This is a clear breach of GDPR and the bank are supposed to self report to the ICO in these circumstances.

alltheusernames · 21/01/2019 15:40

@Bowchicawowow

"If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay."

Businesses do not need to report all breaches. It'll depend what was in the letter, if it is a name and an address just to another customer it is unlikely to "adversely" affect the data subject.

M3lon · 21/01/2019 15:41

charlie the point of GDPR is not to stop human error - the point of GDPR is to stop human errors from causing private data to arrive in the wrong places.

It is absolutely the remit of GDPR for companies to put in place practices that prevent one person's information from being sent to another.

The bank could very VERY easily prevent this event from occurring again and should be forced to do so in my opinion.

alltheusernames · 21/01/2019 15:41

Sorry didn't copy over the whole section

" • You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
• You must also keep a record of any personal data breaches, regardless of whether you are required to notify."

M3lon · 21/01/2019 15:44

For example... if I have someone's private data on a USB stick then there is a small but non-zero chance I will lose the USB stick.

GDPR doesn't prevent me from making a mistake and losing the stick...it doesn't even ban me from using USB sticks...it makes me encrypt the USB stick so that if/when I lose it, nobody's data is made public.

In this case the bank has no need to be sending pre-completed forms to anyone. It doesn't stop them from doing their core business if they are not allowed to send precompleted forms out. Therefore they should stop doing that, given it apparently isn't possible to prevent people being sent the wrong forms.

ShatnersBassoon · 21/01/2019 15:44

Should I contact the person on the forms? I have his phone number and email address

No! Destroy the form and don't keep a record of anything from it.

Bowchicawowow · 21/01/2019 15:51

I am not sure what point you are making alltheusernames. Someone having access to your personal details is something which would adversely affect your rights, that being the right to privacy.

Lovewineandchocs · 21/01/2019 16:21

bowchicawowow what alltheusernames is saying is that it is a judgement call on organisations as to whether to report it to the ICO as a breach. Any unauthorised disclosure of personal data is termed a personal data breach under GDPR, however the organisation, before deciding to self-report, makes an assessment of whether there is a high risk to the rights and freedoms of the data subject, e.g. disclosure of a person’s medical details to multiple recipients will pose a higher risk than one person’s name and contact details being mistakenly sent to one person. An individual can report the breach to the ICO regardless.

GallicosCats · 21/01/2019 16:25

Where I work I have had to report mistakes like this to the relevant information handling department via a very specific form. If the bank do not have a procedure for this then they need reporting to the ombudsman for poor GDPR practice. This absolutely is a data breach (though not one that involves sensitive info like bank details) and should be followed up.

Bowchicawowow · 21/01/2019 16:26

Lovewineandchocs In these circumstances the bank should self report given the information on the form.

Lovewineandchocs · 21/01/2019 16:32

bowchicawowow yes I work in the information rights area and do agree. My area of “expertise” is FOI/EIR but I have a working knowledge of GDPR and think the bank should self-report in this instance.

DontMakeMeShushYou · 21/01/2019 16:41

Should I contact the person on the forms? I have his phone number and email address

No, of course you shouldn't! You should do as the bank have said and shred it. The bank should self-report, as per the legislation, to let the ICO know there has been a small data breach. It should also investigate why this happened and put measures into place to try to prevent it happening again. They may or may not be fined but, with a small data breach that is clearly non-malicious human error, they are unlikely to be hauled over the coals.

You should do nothing with this data but destroy it forthwith. Whilst you as an individual are not governed by GDPR laws, it would be wrong for you to use that data in any way whatsoever.

I'm not sure why you think the bank should be apologetic towards you - it's not your data that was compromised.

Bombardier25966 · 21/01/2019 16:50

The suggestion that this could be resolved by the bank only sending out blank forms is nonsense. The amount of people incapable of filling out a simple form is far higher than you might imagine, so it becomes a merry go round of sending and resending forms. The administrative burden would be far disproportionate to its aim of reducing data breaches.

(I used to process applications for credit cards before the internet was commonplace. The amount of errors and half completed forms was ridiculous.)

greenelephantscarf · 21/01/2019 17:49

The suggestion that this could be resolved by the bank only sending out blank forms is nonsense.

It isn't.
If that's an issue the banks can avoid it by using online vaults or by only filling in forms together with people face to face.
