By James Castro-Edwards, Partner in Data Protection at Wedlake Bell
Royal Bank of Scotland (RBS) is reported to be facing an investigation by regulators following allegations that it falsified customer records. The Times reports that the bank is alleged to have edited customer emails and call transcripts, as well as the way it presented its central correspondence file. According to the Times, the Financial Conduct Authority (FCA) and Information Commissioner’s Office (ICO) are aware of the allegations.
The allegations come at a critical time. European data protection law reforms look set to grant data protection authorities such as the ICO enhanced powers of enforcement; the English courts increasingly recognise a common law right to privacy and the possibility of claiming compensation for pure distress; and an increasing number of data-related headlines, such as the Ashley Madison cyber-attack and the Dean Street HIV Clinic incident, have raised public awareness of privacy and its ever-increasing importance.
Many banks are already well aware of the importance of data protection to protect against abuses such as fraud, money laundering and other financial crimes. Many will have in place policies and management structures to address the risk. However, as data protection and privacy law evolves to recognise and protect very human vulnerabilities and potentially impose heavier sanctions on those organisations which get it wrong, are banks and financial institutions doing enough to comply?
The Data Protection Act 1998 (DPA) applies to organisations established in the UK that handle ‘personal data’, that is, information that identifies a living individual. Virtually all organisations, whether in the public, private or third sector, use personal data for purposes such as staff administration, maintaining customer records, and paying their suppliers. Essentially, the DPA requires that these organisations use personal data fairly and keep it secure, and grants a number of rights to the individuals to whom the data relate.
The DPA is enforced by the ICO, which can intervene where organisations have not met their obligations, and issue fines of up to £500,000. However, for financial services companies regulated by the FCA, penalties may be significantly higher, with one operator being fined over £3,000,000 for failing to adequately protect personal data.
The DPA imposes a number of obligations that are especially relevant to banks and financial institutions. In particular, the use of individuals’ data must be fair and lawful, information must be kept accurate and up to date, and individuals have a right to access the information held about them and to object to processing that causes them damage or distress. An organisation that systematically holds inaccurate information may well be in breach of the DPA and potentially faces enforcement action including heavy fines.
If the fines and potential reputational damage under the existing legal regime were not enough, European data protection law, from which the DPA stems, is currently under reform. The EU General Data Protection Regulation would introduce heavier penalties – up to 5% of worldwide annual turnover, or €100,000,000, has been discussed – and a raft of complex obligations upon organisations. The first draft Regulation was leaked at the end of 2011 and it has been heavily negotiated since. However, European lawmakers have agreed a timetable that would see the Regulation finalised by the end of 2015 (though early 2016 seems more likely), which would mean its provisions would take effect two years later, in 2017-2018.
At the same time, a potentially ground-breaking case could establish the misuse of private information as a tort, or civil wrong, and enable individuals to claim compensation for pure distress where their personal information has been misused. Perhaps more worrying still for financial institutions, Vidal-Hall v Google, the ‘David and Goliath’ case from which these potential landmark changes stem, has been brought against global giant Google by three ordinary UK citizens, yet may have very far-reaching consequences. The substantive issues have yet to be decided, but to give an idea of the potential damages at stake, the actress Sadie Frost was awarded £260,000 against News of the World for the misuse of her personal data as part of the phone hacking scandal, and the former newspaper has a fund of over £16m to meet potential future claims. An organisation that deliberately alters personal information to the detriment of the individuals to whom the information relates risks committing the tort of misuse of private information, and potentially faces serious consequences.
Data protection currently seems to be experiencing a ‘coming of age’. Public awareness has increased, thanks to data breaches making news headlines, while data protection authorities’ powers look set to be enhanced with the power to grant a broader range of sanctions and heavier penalties. Most recently, data protection has made headlines again, as the European Court of Justice declared the European Commission’s US Safe Harbour decision invalid on 6th October. Despite the potential adverse impact on Transatlantic trade, individuals’ privacy rights have been put first.
Banks and financial institutions need to be aware of the growing risk of enforcement action against those who break data protection laws and the increasing risk of greater penalties. The DPA imposes a number of minimum standards upon organisations that handle information about their employees, customers and suppliers. Personal data must be processed fairly and lawfully, and kept accurate and up to date. Where organisations fail in their obligations, they face increasingly serious consequences. Banks be warned: Breach data protection laws at your peril.