back to article Info Commissioner audits HBOS

The Information Commissioner's Office (ICO) is conducting an audit of Halifax Bank of Scotland's (HBOS) data security procedures after it was revealed that the bank was putting customers' financial documents in ordinary bins. The act, uncovered by the BBC's Watchdog programme, is in breach of an undertaking to the ICO signed by …


This topic is closed for new posts.
Anonymous Coward


The ICO really is impotent, isn't it? I thought they could issue fines as soon as they proved a breach of the data protection act. How naive I was.

So when they find an organisation breaking the DPA on a massive scale they make them say "Sorry. It won't happen again".

When they find that breaches are continuing unabaited they tell them off with "You'd better not do that again".

What next? Send them to the headmaster's office?

Even the excuses are childish. "We process over 100,000,000 transactions". So what? We make over 4,000,000,000 products a year and many of them contain data that is sensitive to the banks! If we leaked any of that we'd be out of business.

The legislation is pointless without effective enforcement.

Anonymous Coward

If the banks can get away with it...

I need not worry about any data protection legislation if a major bank can get away with this kind of breach. Sure it might not be good for my business but I just need to sign an undertaking to the ICO not to be a naughty boy again. Now if I knew I would automatically be fined that would be another matter.



I wonder how much a story like this is worth. More than a wage for a starting data inputter or post room worker

"Hi, would you mind putting a couple of statements and a cheque in the waste bin instead of the confidential waste bin. We'll give you £12k."

Of course this isn't what happened


Just Say No...

Stage 1

ICO: "Mr Bank, it has become apparant that there may have been breaches of the DPA within your organisation. Is this going to happen again?

Mr Bank:"Of course not Mr IC."

Stage 2

ICO: "Mr Bank, in our last discussion you promised not to break the law anymore, but we have evidence that suggests you still are. Please stop."

Mr Bank: "Oh I am sorry Mr IC we are so busy counting our profits that we don't have the time to invest any of it into best practise training. But I promise it won't happen again."

Stage 3


ICO: "Mr Bank, we see you are still breaking the law, do you mind if we come in and have a look around?"

Mr. Bank: "Piss Off"


Stage 4

ICO: "Sorry you had your identity stolen and your life ruined Mr Customer of Mr Bank. As for the life savings you had stolen and all the credit that was taken out in your name, I can't do anything about that, that would be a different government department. However, I have visited Mr Bank to give him a stern telling off and investigate his company policies with regards to Data Protection, but he wouldn't let me in."



ICO: "Mr Customer of Mr Bank? ..."

Alternative Scenario:

Youth swears at a machine in the vicinity of a police officer and is immediately issued a fixed penalty notice.

Rather a long way to get to a point, but why is it normal members of the public going about their normal everyday lives, are more accountable to the law than the companies that exploit them?


Completely toothless

Yes, the ICO is a completely toothless organisation - I did Subject Access Request to both RBoS and NatWest last year and neither responded within the 40 day deadline as laid down in the rules (and I know for a fact they were doing, and continue to do, this to many other customers). Complaints to the ICO resulted in them simply continually requesting the data to be sent - no enforcement action at all. It took RBoS 4 months and NatWest 7 months to send the data requested.

Absolutely ridiculous, what's the point in having the law there if the "big boys" can flout it without punishment?


Makes you think...

Currently on the front page of El Reg there is a story about the new EU super biometric database and how it will not be freely available to the police. It states in the article that access will be monitored by each country's relevant data protection agency. In the UK that would be ICO. Does this mean that if the police decide to start abusing the system ICO will tell them off twice and then be able to do nothing?



ICO: useless

"The ICO can audit organisations to ensure their procedures are adequate to protect people's privacy, but must have the permission of the organisation first. "

Ah, rather long sentence to say "useless", then. I'm still hoping the same

applies to the revenue tax dept in France. No way, sadly ...

The day it does, however, guess how many people will pay their

revenue tax ?

This topic is closed for new posts.


Biting the hand that feeds IT © 1998–2018