
Sensitive NatWest customer files set to be returned after High Court agreement

Sensitive NatWest customer files set to be secured by bank after years in the home of a data breach whistleblower

Files containing the personal financial details of hundreds of former and current NatWest customers will be returned to the bank after a courtroom agreement.

On 14 September, after over a decade in a data breach whistleblower's home, the sensitive banking details of about 1,600 people will be collected and secured by NatWest.

During an application made by NatWest for an injunction for the return of the documents, High Court judge David Richards encouraged the parties to come to an agreement.

He suggested, because the whistleblower wants to return the documents and NatWest wants possession of the documents, an agreement could be made. “I am a court, not mediation,” he said.

“Now that everybody is here, a discussion about the terms would perhaps be more fruitful,” he said. The whistleblower was a litigant in person, but was assisted by a barrister from the Chancery Bar Litigant in Person Support Scheme.

The parties discussed final terms in private, which Computer Weekly was not privy to, but in court an agreement was negotiated which would see the documents collected by NatWest from the whistleblower's home on 14 September. Then, by 21 September, under the supervision of solicitors, digital copies of all the files will be made to allow the whistleblower to inspect any of them through a court order, if required in the future. NatWest will provide a witness statement regarding this.

A cost order has been reserved and the proceedings have been stayed for a month while the terms of agreement are met.

As revealed by Computer Weekly two years ago, the whistleblower, a former administration officer at NatWest Group, had worked at the bank for a decade when she began to be sent documents to keep at her home as part of a remote working agreement between 2006 and 2009. Her job was to contact customers using the data to generate mortgage business for the bank.

When the former worker realised that the HR department was not aware of her working arrangement, she contacted an advice line within the bank and explained her concerns about the information stored in her home. She was asked to put everything in writing to her manager, which she did, inadvertently blowing the whistle on the lax data security practices.

After going through the bank’s grievances procedure, she was dismissed in May 2009 for not returning the documentation. The official reason for her dismissal was gross misconduct and “flagrant disobedience following a reasonable instruction from a more senior employee”. An employment tribunal later upheld the decision.

In a 2012 investigation, the Information Commissioner’s Office (ICO) found that the bank had failed to comply with data protection rules when permitting home working to the branch worker, but no further action was taken.

After the ICO investigation, most of the files the former NatWest employee used in her job were returned to the bank through the ICO, but she retained 1,600 as evidence for any legal proceedings, of which the ICO was aware. The whistleblower said she was advised by the Financial Services Authority in 2012 to get a receipt from the bank before handing back the information, to protect her own position against future possible litigation.

She has been in negotiations with the bank for 14 years, attempting to return the documents with guarantees she will face no repercussions if any of the affected customers’ data is misused. 

The bank had said it would provide a signed and dated receipt for the documents, stating: “NatWest Group confirms that all of the documents in the schedule of material provided by [the former worker] have been received as at the date of delivery.”

But the former worker, who has had to register as a data controller at her own cost, told Computer Weekly that a receipt alone is not enough and would not offer the peace of mind that the bank would not implicate her or her family in any future investigation relating to these customers.

In July this year, with negotiations with the bank in stalemate, the whistleblower contacted the bank and the Information Commissioner’s Office (ICO) to inform them that she will begin contacting the people affected by the breach, in her position as a registered data controller.

After the whistleblower contacted 30 customers informing them about the situation and offering to initiate the safe return of their confidential, two made contact with Computer Weekly and expressed “shock” and “disgust” at NatWest’s handling of the issue.

NatWest has offered £200 compensation to the customers that contacted it about the breach and applied for the injunction for the return of the documents.

During the court hearing, NatWest alleged that the whistleblower contacting customers was “active misuse” of the data and had caused “stress” for customers.

Prior to the whistleblower contacting customers, NatWest had consistently told Computer Weekly that the data held is not that of current customers and that there has been no customer detriment.
