freshidea - stock.adobe.com

ICO ends its involvement in dispute between NatWest Bank and data breach whistleblower

The Information Commissioner’s Office has ended its involvement in a dispute between a data breach whistleblower and NatWest bank

The Information Commissioner’s Office (ICO) has ended its involvement in a dispute between NatWest and a former branch worker over confidential customer files stored at the ex-employee’s home.

The customer information, in paper format, was part of a work-from-home agreement with the former worker’s branch manager, which ran from 2006 to 2009.

But around 1,600 paper files containing confidential customer details remain in the home of the ex-member of staff, who has been trying to return them for more than 10 years. These include documents with customer names, addresses and contact details as well as account summary/history information.

In 2012, after an investigation, the ICO slapped the bank’s wrists over the arrangement and has been advising the former employee on the safe return of the customer files since.

According to the former worker, who wished to remain anonymous, the ICO informed her in July 2021 – nearly a decade after it became involved – that it could do nothing about it because only electronic information was covered by the Data Protection Act 1998 and not paper-based information, the format that she had it.  

Computer Weekly asked the ICO why it had not told the former worker that it could not do anything earlier, but it refused to comment.

The ICO confirmed to Computer Weekly it had ended its involvement in the dispute. “The ICO has provided advice on data protection issues to parties involved in an employment dispute dating back to 2009.

“We are satisfied that the potential risk posed to individuals does not warrant further action, despite there being a change in the law [General Data Protection Regulation] since that time.”

GDPR, which was introduced in 2018, means that banks have to inform customers of potential breaches of their data.

The former employee had worked at a NatWest branch from 1998, selling mortgages and loans, and she was offered the opportunity to work from home for personal reasons from 2006. On the bank’s instructions, she used customer banking information to help her to generate mortgage and loans business.

As part of the working setup, which continued until 2009, she received paper documents with customer information from her manager. These were either collected at the branch on a weekly basis or posted through her letterbox at various times.

When the former worker realised that the HR department was not aware of her working arrangement, she contacted an advice line within the bank and explained her concerns about the information stored in her home. She was asked to put everything in writing to her manager, which she did, inadvertently blowing the whistle on the lax data security practices.

Following going through the bank’s grievances procedure, she was dismissed in May 2009 for not returning the documentation. The official reason for her dismissal was gross misconduct, and “flagrant disobedience following a reasonable instruction from a more senior employee”.

An employment tribunal later upheld the decision.

The former employee said she was advised by the FSA to get a receipt from the bank before handing back the information to protect her own position against future possible litigation.

In 2009, the ICO told RBS: “It is not unreasonable for both parties to sign an undertaking/receipt which would acknowledge that [the former employee] has handed over all the customer data in her possession, and the bank acknowledging what she has handed over is what she had in her possession, especially as the bank has no record of what information was given to [her].”

Eleven years later, NatWest eventually agreed to give a receipt for the documents, but the former worker asked the bank to indemnify her against future claims related to the storing of the information in her home and the work she was asked to do, which it refused to do.

In its 2012 investigation, the ICO found the bank had failed to comply with data protection rules when permitting home working to the branch worker, but no further action was taken.

The ICO said at the time: “While this incident was a ‘local’ issue at branch level, RBS did not maintain compliance with the seventh data protection principle during the period in question. Both parties were made aware of this decision. No further action was taken by this office and the case was closed and remains closed.” 

As part of that investigation, the former worker handed over thousands of files to the ICO, which were subsequently returned to NatWest. However, she retained a box containing 1,600 customer files to give her evidence for any legal proceedings, of which the ICO is aware.

The former employee is eager to hand the files back but wants to be indemnified against future claims from former and current NatWest customers. The negotiations have hit a stalemate and the ICO has withdrawn its advisory support.

A spokesperson at NatWest Group said: “This former employee was dismissed in 2009 for gross misconduct as a result of her repeated refusal to return customer information.

“The bank understood that all of the documentation had been returned, via the ICO, in 2012. It subsequently transpired that this was untrue. In 2019, the former employee alleged that she had, in fact, retained additional documentation.

“The bank continues its attempts to recover this information. As with the documentation received in 2012, there has been no customer detriment and there are no concerns that it has been shared with any other parties.”

IT lawyer Dai Davis asked why the bank doesn’t get a court order to have the documents returned. “The bank has probably made a decision that, on the balance of things, it is not worth it. The data is stale and it is not really a risk,” he said.

Read more about data protection

Read more on IT for financial services