
Data Protection Commission

Case Study 9

Details of other bank account holders of the same name, supplied in response to access request; inadequate response to customer; security procedures; lack of awareness at branch level of data protection

An individual complained to my Office in relation to her bank account as she was concerned about the accuracy and security of the information held and the potential disclosure of her details to other account holders, as there appeared to be confusion regarding her account and that of another account holder of the same name. She informed me that though she had complained to the institution concerned she had encountered difficulty in having the matter resolved. She was advised by my Office to make an access request, under section 4 of the Act, to this major banking group in order to establish what personal data was held about her on computer.

The bank's initial response to her access request comprised a copy of her data from the particular branch to which she had sent the request, and advised that if she wished to obtain personal details from other areas of the bank, she should write to the offices concerned, enclosing a separate fee with each request. It included a listing of the Bank's registrations relating to the Public Register of data controllers that is held in my Office.

It then transpired that her personal details, as supplied by the Bank, contained a number of inaccuracies, viz. accounts at two other locations, neither of which related to her personally; the date of opening of the account, her marital status, her occupation and credit card details were incorrect; and the details showed her as having a mortgage, which was not the case. She had obtained this information by supplying to her branch in Dublin her name, address and ATM card number only. She was justifiably concerned that her data and that of other customers were being inappropriately disclosed and not kept in a secure manner.

My Office contacted the bank, but the investigation encountered considerable difficulty in obtaining an adequate response, as there did not appear to be anybody designated with responsibility to co-ordinate the provision of information in response to the access request. There also appeared, at that time, to be a distinct lack of awareness and appreciation of data protection requirements amongst management and staff. Eventually, my Office contacted the Group Compliance Officer. Later my Office was informed that:

"Our processing system endeavours to match customers across branches to highlight their entire relationship with the Bank. An error occurred in our system, either human or technical, whereby the customer's account number was matched to an account in the name of (same customer name) in two other (named) branches, even though they did not meet the required matching criteria. The accounts in both these branches had different account numbers. This was an unfortunate error that should not have happened. We have amended the process with regard to matching customers' accounts, whereby the criteria for matching have been expanded considerably."

I concluded that important bank account details were not maintained in an accurate and up-to-date fashion, and that this was highly unsatisfactory from a data protection perspective. It also raised questions about the security of customers' accounts and the improper disclosure of data. I noted the bank's commitment to expand considerably the criteria for matching, which should ensure that a recurrence of this incident is avoided. I also noted that the Bank was now very much aware of its responsibilities regarding the protection of personal data.
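The matching failure described above, and the "expanded criteria" remedy the bank committed to, can be illustrated in code. The following is an added example written for this page; it is not the bank's system or any code from the Commission. It uses constructed sample records and field names (name, date of birth, postcode) chosen as assumptions for the illustration: a name-only matcher links every same-name account in other branches, which is the defect in the case, while the stricter matcher links an account only when all criteria agree and sets same-name near-misses aside for manual review. An access-request response built on the strict matcher therefore never releases another account holder's details.

```python
"""Customer matching across branches: name-only vs. multi-attribute criteria.

Added illustration of the failure mode in the case study, not the bank's code.
All records and field names are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AccountRecord:
    branch: str
    account_no: str
    name: str
    date_of_birth: str  # ISO date string; constructed
    postcode: str


# Constructed sample data: the requester's Dublin account, two unrelated holders
# of the same name in other branches, and one genuine second account of the
# requester held in Cork (same date of birth and postcode).
RECORDS = [
    AccountRecord("Dublin", "1001", "Mary Murphy", "1970-03-14", "D04"),
    AccountRecord("Cork", "2002", "Mary  Murphy", "1965-11-02", "T12"),
    AccountRecord("Galway", "3003", "mary murphy", "1982-07-30", "H91"),
    AccountRecord("Cork", "2003", "Mary Murphy", "1970-03-14", "D04"),
]

# Assumed matching criteria: every one of these fields must agree.
MATCH_FIELDS = ("name", "date_of_birth", "postcode")


def normalise(value: str) -> str:
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(value.casefold().split())


def name_only_links(subject: AccountRecord,
                    records: List[AccountRecord]) -> List[AccountRecord]:
    """The failure mode: link every other account whose holder name matches."""
    return [r for r in records
            if r.account_no != subject.account_no
            and normalise(r.name) == normalise(subject.name)]


def agreeing_fields(a: AccountRecord, b: AccountRecord) -> int:
    """Number of MATCH_FIELDS on which the two records agree."""
    return sum(normalise(getattr(a, f)) == normalise(getattr(b, f))
               for f in MATCH_FIELDS)


def strict_links(subject: AccountRecord,
                 records: List[AccountRecord]
                 ) -> Tuple[List[AccountRecord], List[AccountRecord]]:
    """Expanded criteria: link only when every field in MATCH_FIELDS agrees.

    Records that agree on name alone are returned separately for manual review
    and are never linked automatically.
    """
    linked, review = [], []
    for r in records:
        if r.account_no == subject.account_no:
            continue
        if agreeing_fields(subject, r) == len(MATCH_FIELDS):
            linked.append(r)
        elif normalise(r.name) == normalise(subject.name):
            review.append(r)
    return linked, review


def access_response(subject: AccountRecord,
                    records: List[AccountRecord]) -> List[str]:
    """Account numbers that may be released to the data subject: the account the
    request was made from plus accounts linked under the strict criteria only."""
    linked, _ = strict_links(subject, records)
    return [subject.account_no] + [r.account_no for r in linked]


if __name__ == "__main__":
    me = RECORDS[0]
    print("name only :", [r.account_no for r in name_only_links(me, RECORDS)])
    linked, review = strict_links(me, RECORDS)
    print("linked    :", [r.account_no for r in linked])
    print("for review:", [r.account_no for r in review])
    print("access response:", access_response(me, RECORDS))
```

Run as-is, the name-only matcher returns all three other "Mary Murphy" accounts, reproducing the disclosure in the case, while the strict matcher links only the Cork account with the same date of birth and postcode and holds the other two back for review. The design point is that an ambiguous candidate set is treated as a reason to stop and verify, not as a reason to merge.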

I informed the bank also that many data subjects making access requests might not necessarily be familiar with the requirements of the Act.

Accordingly, I suggested that data subjects be advised in plain language of the procedures in operation for accessing their data in other branches of the organisation, since I considered that the letter issued to the complainant needed improvement in this respect.

In general I receive great co-operation from the main financial institutions. While this was a very serious case I trust it was an isolated incident.