
Reporting a bank that might have broken GDPR

75 replies

pinkcarpet · 21/01/2019 10:49

Does anyone know what I should do as I think a bank might have broken GDPR but they are massively minimising the issue?

So as not to drip feed: applied for a bank account over the phone, then they sent a completed form to sign by post. When I opened the envelope there was someone else's completed form tucked in behind. Not just a page or so, their entire form with all their personal details on it.

Would IBU to report this to the information commissioner? If it was my details someone else had been sent I'd be absolutely furious. All it needs is for me to sign the form using a fake signature.
pinkcarpet · 21/01/2019 18:25

Just to be clear, I think the bank should be apologising to both me and the person whose forms I got by mistake.

And it is a lot of personal info they've sent by mistake. Not just name and address but also bank account, NI number, date of birth and business details. A malicious person could use it for identity theft and to commit fraud. Obviously I will be shredding it but I'm just very unimpressed with how casual the bank has been about this.
Violetroselily · 21/01/2019 18:39

OP you sound incredibly over invested in this. Mistakes like this will unfortunately happen every day at whatever bank you opt for.

Why exactly do you think they should be apologising to you? What harm has this caused you?

alltheusernames · 21/01/2019 18:42

That's still not sensitive information and I imagine wouldn't be automatic self reporting, but I'd imagine with bank details it's higher risk (risk at the end of the day is subjective, the law is deliberately muddy). You should ask for their policy on how they deal with breaches and warn them you're going to approach the ICO to see if that triggers the right person. (Just to be clear, it's serious and should be dealt with officially, but I don't agree it's severe enough for the bank to self report.)

toddlepod · 21/01/2019 18:45

'Just shred it'.
The person who filled in the form will wonder why the bank has never got back to them and the bank will say they never received the form. Wank service from bank.

CloserIAm2Fine · 21/01/2019 19:02

It’s not a wilful or systematic process failure. It’s one person making a human error that affected two customers (you and the other person).

All they’re required to do is ask you to return or destroy the info and write to the other customer to let them know what’s happened. They will need to report it internally and depending on the scale and impact possibly to the ICO. The company I work for would offer to pay for the other person to sign up to a data protection register but I’m not sure if that’s a requirement regulatory wise. If you and/or they complained then we would deal with that and pay compensation to whoever was complaining.

But they’re not going to be horrified, stuff like that happens infrequently but it does happen. They should be apologetic and take it seriously though.

Bowchicawowow · 21/01/2019 23:12

How anybody can claim that this is not sensitive personal information is absolutely beyond me.

blubberyboo · 21/01/2019 23:26

Sensitive information is things like medical history, religion, political beliefs... that is the definition of sensitive data.

This is personal data. The bank does not owe OP an apology as it is not her personal data that has been breached.

They will have internal processes to raise a legal incident. Data protection laws have been about for years since the Data Protection Act. GDPR doesn't make it that much different from a bank's operational point of view.
Get over it OP. Destroy the papers, because if you ring the person then you become an illegal processor of that data.

Lovewineandchocs · 21/01/2019 23:36

blubberyboo exactly, what was sensitive personal data under DPA 1998 (physical and mental health, political opinion, sexual orientation etc) has now become ‘special category data’ under GDPR and DPA 2018 and still doesn’t include the type of information disclosed by the bank in this case. It’s not a case of anyone claiming it isn’t sensitive personal data, it’s simply not defined as that by data protection legislation.

Bowchicawowow · 21/01/2019 23:41

A breach of personal data is actionable and indeed people are claiming against organisations for exactly this kind of breach now the GDPR has come into effect.

Lovewineandchocs · 21/01/2019 23:44

Yes of course they are, but the information still isn’t special category data. The only thing the OP can do if she feels the bank aren’t taking it seriously is to report it to the ICO herself.

Osirus · 21/01/2019 23:48

Of course GDPR covers this - it is a data protection breach. In fact, once aware of the breach, the bank has a duty to report it themselves and also contact the person whose data has been affected.

twattymctwatterson · 21/01/2019 23:51

It sounds like you're compo chasing tbh. It's human error and it happens. The bank will have logged a breach when you reported it and they've asked you to shred the form. What is it you're looking for?

Bowchicawowow · 21/01/2019 23:54

I believe that this is a situation where the bank should report themselves to the ICO. I find the idea that it’s OK for the bank to tell the OP to shred the form ridiculous because it puts the disposal of a third party’s personal data in the hands of a person (the OP) other than themselves. My view is that the ICO would not be happy with this. I think there is still a lot of work to do with people understanding the basics of GDPR.

Daisyduke88 · 21/01/2019 23:54

The breach hasn’t been made against you so they won’t take it seriously. If the person whose information you’ve received contacted them it would be taken seriously, as they have disclosed information about them.

Bowchicawowow · 21/01/2019 23:58

The bank should take it seriously whoever brings it to their attention.

QwertyLou · 22/01/2019 00:01

OP have you shredded it yet? All else aside, if I was the other guy I would want you to shred it. Immediately. I would not want a call from a stranger to say they have my personal information.

Report it to the relevant regulator if you want, but by holding onto the document instead of shredding it immediately, you are compounding the initial error by the bank.

Lovewineandchocs · 22/01/2019 00:07

I think there is still a lot of work to do with people understanding the basics of GDPR

Oh there absolutely is, and we ourselves (my organisation) have been inundated with people asking, wanting to get it right. It’s kind of funny, because data protection isn’t a new thing, but a lot of people/organisations are freaking out about GDPR when they should always have been compliant with the principles under DPA 1998.

Fusioluxe · 22/01/2019 00:10

I had someone else’s bank statement in with mine once (olden days when they came through the post).

I just rang the bank and told them, they didn’t seem bothered and told me to throw it away! I shredded it. They didn’t tell me to do that.

Oysterbabe · 22/01/2019 06:45

They will have their own internal processes for dealing with it. At my place we'd take details of what you'd received in error and ask you to shred it. Then contact the person whose data protection was breached to let them know. Then we'd have to let the compliance team know, who would self report the breach.

Shred it and move on. These things happen all the time.

PixiKitKat · 22/01/2019 06:54

Shred the form. Do not contact the person whose details you received.
The bank may not contact that person as sometimes there's no need. This breach also doesn't sound reportable to the ICO. The bank will have internal procedures for reporting things and have a threshold they need to reach before they do.

DonutCone · 22/01/2019 07:16

If it were my data I would think you were very, very odd for contacting me.

What you want is the attention from having ‘saved’ them from having their data misused.

It was a mistake. Get over it.

greenelephantscarf · 22/01/2019 07:27

A mistake that shouldn't happen, and one the bank should take measures against happening again.

alltheusernames · 22/01/2019 07:50

@Bowchicawowow because it's not sensitive data, it's a bit ironic you're saying there's not enough understanding of GDPR and then claiming this is sensitive data (which doesn't even exist in GDPR). I very much doubt it is reportable at their end as, in the scheme of things, this is a small breach with very limited impact; if they don't respond effectively though, of course it should be reported, by the OP.

We deal with special category data and if it was a breach with that data we would of course report it. It's weighing up the risk.

Somerford · 22/01/2019 08:35

I'd be creeped out if you contacted me under these circumstances and I'd think you were weird. Just rip it up and get on with your life.

Bowchicawowow · 22/01/2019 11:38

It’s sensitive in the broadest sense and data doesn’t have to be sensitive to be actionable.