NatWest data breach whistleblower demands bank pay data controller fee to ICO

Whistleblower calls for NatWest to pay the Information Commissioner’s Office annual data controller fee, as the personal details of 1,600 current and former NatWest customers remain under her bed

A former Royal Bank of Scotland (RBS) worker who blew the whistle on the bank’s lax data protection practices – and to this day has thousands of sensitive customer data files under her bed – is demanding that RBS parent NatWest Group pay for her data controller fee.

The whistleblower and the NatWest Group are yet to reach an agreement on the return of the 1,600 paper-based customer files to the bank, some of which contain the sensitive data of current customers. She must pay the Information Commissioner’s Office (ICO) fee of £40 by 26 October, or will face a potential fine.

The whistleblower, who has the data as a result of a work-from-home agreement with the bank from over a decade ago, became a data controller when it became clear that the data, which includes the sensitive information of current NatWest customers, would be in her home indefinitely.

She wants NatWest to take the documents, but they have not been returned because she wants guarantees that no future action by the customers involved will be taken against her. She was advised to obtain a receipt from the bank for all the files before handing back the information to protect herself from possible future litigation.

The ICO letter demanding payment of the fee said: “If you don’t pay the (correct) fee, you could be fined up to £4,350. We will begin this process 21 days after your registration expires if we don’t hear from you first. We publish details of the fines we issue on our website.”

In an email to  NatWest CEO Alison Rose, the former RBS worker wrote: “I should bring to your attention the fact that I have recently received a notification from the ICO to renew my registration as a data controller. I am required to pay a data protection fee for the renewal by 26 October 2022.

“As I am still doing the bank’s job of protecting this confidential customer data – as I have been doing for so many years now – I don’t think it would be unreasonable for me to ask you to confirm, on behalf of the bank, that the bank will be reimbursing me the registration fee.” 

NatWest has not replied to the former worker, who said she is frustrated and wants closure. She told Computer Weekly: “I left the bank 14 years ago – I should not be acting as a data controller for it. I see no way out other than handing the files to the people whose data it is for them to protect it.”

The bank has maintained that it wants the files returned, but will not agree to conditions demanded by the whistleblower to protect her from future potential action from the bank’s customers.

Read more about the dispute

NatWest has claimed the data is historic and there has been no customer detriment. But, as revealed by Computer Weekly in June, the whistleblower said she had established that some of the data files related to existing customers and had informed the bank and the ICO.

At the time, she said: “I have put to the test the bank’s assertion that this data is historical and that it poses no risk to customers, and I have established that some of the data is live/existing customers. I immediately informed the bank and the ICO of this.”

She is currently in contact with regulator the Financial Conduct Authority (FCA) to arrange a meeting where she will present evidence of the data she holds with a 72-page document, which was put together with the help of the ICO.

In 2006, the data was sent to the worker’s home as part of a work arrangement – in breach of data protection rules. The worker was given the opportunity to work from home and, on the bank’s instructions, used customer banking information to help her generate mortgage and loans business. Over three years, she received thousands of paper documents, about 1,600 of which are still stored in her home.

When the worker became concerned that the arrangement could breach data protection rules, she put everything in writing to her manager and inadvertently blew the whistle on the bank’s lax data security practices.

The former worker was sacked by the bank in 2009 and has been calling on the bank to collect the files ever since.

In 2012, the ICO investigated the case and slapped the bank’s wrist over the arrangement. The ICO said that while the incident was a “local” issue at branch level, RBS did not maintain compliance with the seventh data protection principle during the period in question. It said: “Both parties were made aware of this decision. No further action was taken by this office and the case was closed and remains closed.” 

The ICO worked with both parties from 2012 to secure the safe return of the files, but negotiations failed and the ICO ended its involvement in July 2021.

NatWest was contacted for comment, but had not responded by the time this article was published.

Read more on IT for financial services