The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Ulster Bank: Excessive information sought from new customers

In September of last year, it was brought to my attention that a branch of Ulster Bank was requiring new customers to provide, for the purpose of opening new current accounts, a copy of their P60 from the previous year, three recent payslips and bank statements for the previous three months. These documents were sought in addition to identity documents, such as passports and driving licences, which credit institutions are obliged by law to require from new customers for the purpose of preventing money laundering.

My Office contacted Ulster Bank on this matter and engaged in lengthy correspondence with it which continued into the beginning of this year. Section 2(1)(c) of the Data Protection Acts provides that data 'shall be adequate, relevant and not excessive' in relation to the purpose for which it is kept. In my Annual Report 2005, I reported in Case Study 7 on a complaint against another financial institution which had obtained from a customer unnecessary personal data relating to employment and salary on the opening of a savings deposit account. In that case, following the intervention of my Office, the financial institution concerned accepted that the information sought by it was excessive and it immediately introduced revised procedures. The current case concerning Ulster Bank differed somewhat as it involved opening a current account with a laser card facility and not a savings account.

Ulster Bank accepted at an early stage of my Office's investigation that the requesting of P60 information should not have happened. It said that this had occurred in an isolated case and it conveyed its apologies for any misunderstanding and inconvenience. It went on to state that it had spoken to the branch concerned to reiterate standard procedures and it had communicated out to all branches to ensure that any documentation requested from customers remains adequate, relevant and not excessive. It also informed my Office that, as a response, it had introduced an 'appointment card' to be given out to new customers at the appointment enquiry stage so that the customer would know exactly what information/ID to bring with them to their interview. It also changed its policy in relation to income confirmation and it issued guidance to its branches in relation to current accounts with no lending functionality (i.e. ATM card facility only) clarifying that no additional income confirmation or bank statements are req uired in such cases.

My Office continued to press Ulster Bank on the matter of requesting and then retaining payslips and bank statements for other current accounts. Ulster Bank stated that, for address verification purposes under the Criminal Justice Act 1994, it was obliged to request utility bills or bank statements, in addition to identity documents, and to retain them for five years after the customer relationship ends. It also considered that a current account with either a Laser Card and/or overdraft facility entailed a degree of credit risk and that, in the circumstances, it was appropriate and not inconsistent with the requirements of the Data Protection Acts to request additional documentation such as bank statements and payslips. 

My Office was satisfied that Ulster Bank distinguished between current account holders who required nothing more than an ATM card facility and those current account customers who required a credit facility such as a Laser card or overdraft on their account. This allowed Ulster Bank to satisfactorily clarify that those customers who do not require a credit facility will not be asked for additional documentation apart from that needed by law for identity and address verification purposes. In accepting the clarification given on this matter, my Office requested Ulster Bank to make comprehensive information available to potential customers on the different requirements for different situations. We stated that this information should be communicated on the Bank's website and, in particular, on the 'appointment card' given to new customers.

However, my Office did not accept Ulster Bank's interpretation of its obligations to retain identification and address verification documentation for a period of five years after the customer relationship ends. The factual position is that credit institutions are obliged by the Criminal Justice Act, 1994 to retain documentation obtained for identification purposes only for that period of time. The Guidance Notes for Credit Institutions issued with the approval of the Money Laundering Steering Committee in May 2003 supports this position. In addition, Section 45(iii) of the Guidance Notes pointedly refers to 'requesting sight of original copies' of utility bills, bank statements, etc. for address verification purposes and it makes no provision for 'obtaining,' 'copying' or 'retaining' such documents.

My Office informed Ulster Bank that there is no basis in law for the collection and retention of any documents apart from those required for identification purposes. In the absence of a statutory provision to allow for the obtaining and retaining of personal data such as utility bills, bank statements, social insurance or tax documents, etc. in particular circumstances, organisations who do so are, in effect, breaching Section 2 of the Data Protection Acts. 

This case highlights again that all institutions need to satisfy themselves on an ongoing basis that information sought from customers is not excessive for the purpose. In addition, where information is sought, even under a legislative requirement, caution should be exercised as to whether there is an appropriate basis for its continued retention.