Bank breaching Data Protection

sophia25

I have 2 accounts in a bank. My estranged husband is court ordered to lodge money into a specific account weekly. He called into a different branch one day without details and asked the teller could he lodge in money. She told him I had 2 accounts and where they were both opened and which one did he want to lodge into. He chose the wrong one and she then gave him receipt with sort code and account number for account he knew nothing about.

I phoned the bank and was told that the teller thought she was helping as he told her he lodges the money every week. If that was true, surely she would check the account to see of there was a regular lodgement as he had described, but that couldn't have happened as she lodged money into wrong account. He now says his solicitor is going to request details of this secret account. Now, there is no money in the account so it's not an issue but potentially could hav been. Surely the bank has an obligation to keep my records private. The bank said it was against policy but it was a mistake and they'll open a new account if I want. That doesn't solve the problem though if next week they give him out new details.

I want to report this the the Data protection regulator as a breach but am I being unreasonable. Should I just let it go??

Fey!

I don't think that there's a breach of the act here.

He was lodging money to your account, and got a receipt showing that money was lodged to an account. The receipt shows the details to make the money tracable in case you say that he never lodged the money.

If the cashier told your husband that any account got a particular lodgement each week, then that would potentially breach the act, as the cashier would be giving out details of the accounts activity.

keithclancy

Fey! wrote: »

I don't think that there's a breach of the act here.

He was lodging money to your account, and got a receipt showing that money was lodged to an account. The receipt shows the details to make the money tracable in case you say that he never lodged the money.

If the cashier told your husband that any account got a particular lodgement each week, then that would potentially breach the act, as the cashier would be giving out details of the accounts activity.

Your bank account number and sort code is private information.

This should never be given out and is quite a common tactic used in 'Pre-Texting'

Pretexting

http://en.wikipedia.org/wiki/Social_engineering_%28security%29#Pretexting

Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances. It is more than a simple lie, as it most often involves some prior research or setup and the use of prior information for impersonation (e.g., date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.[4]

The bank should not even be giving you, information about your own account

You should never use a current account for deposits as Standing Orders can be setup with hardly any checks.

If some a**hole felt like it they could donate 10 euros a month to 50 odd charities just becuase they felt like it:
E.G.
http://www.shineonline.ie/index.php/component/docman/doc_download/222-standing-order-donation-form?ItemId=77

Will_H

sophia25 wrote: »

The bank said it was against policy

That says it all really!

Sophia - I'd get on to the regulator regardless - get their advice. Once you have that, you can make a better informed decision.

Tel: +353 1 224 4000

Email: conp@centralbank.ie

Fey! wrote: »

He was lodging money to your account, and got a receipt showing that money was lodged to an account. The receipt shows the details to make the money tracable in case you say that he never lodged the money.

Yes, that's true, however, I'm not sure it's as black & white as that.

1. This lady's confidential information was given out to someone [doesn't matter who].

2. Once that person had the information, a transaction took place, which could not have taken place unless the teller had given said information first (without the consent of the account holder I might add).

Fey! wrote: »

If the cashier told your husband that any account got a particular lodgement each week, then that would potentially breach the act, as the cashier would be giving out details of the accounts activity.

The cashier could have looked this up on the system itself without divulging any private information. Sounds like laziness on tellers behalf to me!

Lady Chatterton

I'd report it to the Data Protection Commissioner, there is a clear breach of DPA here, (even if was accidental). All bank staff receive DPA training so this shouldn't have happened.

http://www.dataprotection.ie/viewdoc.asp?m=&fn=/documents/about/1c.htm

sophia25

To be honest, I'm not convinced it was accidental. I've tried to lodge a cheque in my own account once and wasn't allowed as I forgot no. and had no photo id. The teller that did it lives in the same town he's from so I think she may have known him and done a favour for him (not necessarily realising the history). I'm more annoyed that the bank think if they open up a new account that there's no problem, but if anyone can call in and be given details again what's the point. Thanks for advice, I'll get onto Data Protection office.

Max Power1

keithclancy wrote: »

Your bank account number and sort code is private information.

How come its at the bottom of every cheque then?

Its not private information, you cant do anything with just an account number and sort code

dudara

Moved to Banking & Insurance & Pensions

dudara

chris85

Max Power1 wrote: »

How come its at the bottom of every cheque then?

Its not private information, you cant do anything with just an account number and sort code

Its still private information. You choose to give out a cheque to someone with your details on it.

OP regulator is not who you should talk to, it should be data protection commission. Also a complaint should be made with the bank.

Lady Chatterton

Max Power1 wrote: »

How come its at the bottom of every cheque then?

Its not private information, you cant do anything with just an account number and sort code

When you write a cheque you are giving your consent for this information to be used. The OP didn't give her consent for details of her second account to be given.

Consent is very important in data protection issues. For example: If your phone number is ex-directory, you can chose to give your number out but if directory enquiries give your number out that's a breach of data protection.

Lady Chatterton

I have had some experience of handling data protection breaches and I would recommend the following;

Write to the manager of the branch where the alleged data protection breach occurred and outline your concerns. Advise them that you would like them to investigate your complaint and respond in writing within 14 days.

When you get your reply back forward it to the Data Protection Commissioner and they will commence their investigation and issue a response.

Rebel1977

Why didnt you give your husband the sort code and account number to which to lodge into in the first place ?

When you write a cheque your sort code, branch, account number is all on it

Jim2007

Sort codes and account number are not private information, some where in your terms and conditions or in the bank regulations you'll find that bank is fully entitled to disclose it, if they were not, then the bank would not be able to operate!

Furthermore, you should be aware that when banks process transactions they use a system called SWIFT messages, these messages contain the sort codes for both banks, the IBAN number of each account, the account holders names and the transaction details. And up until recently US security agencies had access to all SWIFT messages! The new SWIFT center in Europe means that they are not longer able to do this, but there is nothing stopping European security agencies from gaining access.

Good luck with that,

Jim.

Lady Chatterton

Jim2007 wrote: »

Sort codes and account number are not private information, some where in your terms and conditions or in the bank regulations you'll find that bank is fully entitled to disclose it, if they were not, then the bank would not be able to operate!

Furthermore, you should be aware that when banks process transactions they use a system called SWIFT messages, these messages contain the sort codes for both banks, the IBAN number of each account, the account holders names and the transaction details. And up until recently US security agencies had access to all SWIFT messages! The new SWIFT center in Europe means that they are not longer able to do this, but there is nothing stopping European security agencies from gaining access.

Good luck with that,

Jim.

I agree with you to a point but if your neighbour walks in to a bank and asks staff for your sort code and bank account number, the bank are not entitled to provide this information as per the DPA.

Kennie1

sophia25 wrote: »

Now, there is no money in the account so it's not an issue but potentially could hav been. Surely the bank has an obligation to keep my records private.

I want to report this the the Data protection regulator as a breach but am I being unreasonable. Should I just let it go??

Could i be the devils advocate here for a second, you are complaining about someone mistakenly giving out your account number/you never disclosed this account to your ex husband's solicitor... Now which of these is the bigger evil

nlgbbbblth

sophia25 wrote: »

I have 2 accounts in a bank. My estranged husband is court ordered to lodge money into a specific account weekly. He called into a different branch one day without details and asked the teller could he lodge in money.

If your husband had the account details with him then this would never have happened. As he hadn't, the majority of the blame lies with him.

What would you prefer? The cashier (who isn't going to know anything about your history) to say "sorry - no account details, no lodgment"?

amen

She told him I had 2 accounts and where they were both opened and which one did he want to lodge into. He chose the wrong one and she then gave him receipt with sort code and account number for account he knew nothing about.

total over reaction. At the end of the day your husband was trying to make a lodgement, had the correct branch and name. Cashier helped and money was lodge to incorrect account but you got the money.

If it wasn't lodged you would have people posting about useless banks(not saying you would op).

You could purse with the data protection commissioner but this is hardly a big issue and at most a minor infraction. It was not a systemic failure of the system.

amdublin

I think you are over reacting.

You could have avoided this issue if you had just given him the correct account number

Lady Chatterton

There is a court order in place instructing him to make payment on a weekly so he would have known the account number. The cashier should have asked a number of security questions, particularly when the customer had no a/c no. (i.e. how much do you lodge to the account, how often do you lodge that amount?)

For example: if he had said I lodge €150 every week, than surely the cashier would have been able to check both accounts and identify the correct account?

sophia25

Kennie1 wrote: »

Could i be the devils advocate here for a second, you are complaining about someone mistakenly giving out your account number/you never disclosed this account to your ex husband's solicitor... Now which of these is the bigger evil

I have revealed all my relevant financial details to the court. I don't know any of my husbands account details and I don't think the bank would freely offer me the info. if I asked them.

My husband had the correct details for over a year and just forgot to bring them in. If the teller wanted to be helpful a couple of security questions would have revealed the correct account as if she had checked she would have seen the account that was normally used.

Mrsd07 thanks for your advice. I have been onto data protection and they have said it is a breach. They actually said the bank were warned before that they weren't allowed to give out receipts with bank details unless the person lodging had provided the details in the first place.

At the end of the day, it just feels wrong. I am the banks customer not him and I feel they have a duty of care to me as their customer, not to him.

amen

that they weren't allowed to give out receipts with bank details unless the person lodging had provided the details in the first place

so if you both your husband/bank had got the wrong account info and no receipt details this would make it harder to trace.

I also wouldn't accept a receipt with payment details.

Why don't you ask your husband to set up a standing order from his account to yours ? That way the money will be there and be done automatically. No need to visit a bank every week.

sophia25

amen wrote: »

so if you both your husband/bank had got the wrong account info and no receipt details this would make it harder to trace.

I also wouldn't accept a receipt with payment details.

Why don't you ask your husband to set up a standing order from his account to yours ? That way the money will be there and be done automatically. No need to visit a bank every week.

Mmmm that would make sense! Unfortunately he's court ordered to pay it every week, it doesn't mean he actually does. Let's just say it's not his first priority...... and a standing order would take the decision out of his hands.;)

Jim2007

MrsD007 wrote: »

I agree with you to a point but if your neighbour walks in to a bank and asks staff for your sort code and bank account number, the bank are not entitled to provide this information as per the DPA.

OK, first of the sort code relates to the branch and is available to all and secondly the account number is something generated by the bank for the purpose of doing business and is not personal data that you supplied and they recorded. The contents of an account is covered by the DPA since it contains details of transactions which you supply and they record.

That is the general rule of thumb that we use in designing and building banking software.

Having said that, I agree it is bad form for the bank to give out details when not required, but I think you'd have a hard time making a legal case...

Jaim.

goodgolfer64

isnt it well 4 ya......government not payin you enough?

sophia25

goodgolfer64 wrote: »

isnt it well 4 ya......government not payin you enough?

How dare you? Who do you think you are to make judgments about me? You don't know anything about me or my situation and you assume that the government is paying me! Outrageous assumptions which has absolutely no relevance or benefit to the thread,:mad:

BuffyBot

Both of you - enough. If you have a problem with a post, use the report feature. Do not drag it out on the thread.

Shelli2

I had a similar issue with a bank, I won't go into too much detail, but suffice to say it was personal banking details being given to an ex-partner. (it was a little more detail than was given to your ex, but my solicitor said it was not about the amount of detail given but the impact it had on dealings I had with me ex)

The office of data protection comissioner was fantastic, they investigated the matter and produced me with a report of their findings (all by email). I produced the report to my solicitor and he approached the bank on my behalf, settled out of court and got a cheque within 2 weeks of going to my solicitor.

As I said, I don't want to go into too much detail here, but feel free to PM me if you want.

Lady Chatterton

Jim2007 wrote: »

OK, first of the sort code relates to the branch and is available to all and secondly the account number is something generated by the bank for the purpose of doing business and is not personal data that you supplied and they recorded. The contents of an account is covered by the DPA since it contains details of transactions which you supply and they record.

That is the general rule of thumb that we use in designing and building banking software.

Having said that, I agree it is bad form for the bank to give out details when not required, but I think you'd have a hard time making a legal case...

Jaim.

While yes sort codes and bank accounts numbers are generated so that business transactions can be made, under the DPA you are not entitled to know to my account number or find out what branch my account is at unless you have my consent. As I mentioned in a previous post, if your ex-directory, it is your business if you give your number to people but if "Directory Enquiries" give your number out, that amounts to a breach. This is exactly the same thing.

I think that it is generally in people's nature to be helpful and I have no doubt that the cashier in this case was probably just trying to be helpful but she did breach DPA. However, unless the data subject has suffered a loss/injury arising from the disclosure the bank will probably get a caution and the person who made the disclosure will probably be given further DPA training.


I can't go in to specifics but I have seen cases where there has been major fallout due to DPA breaches. The reality is that there are lots of couples out there who have bank accounts and extra credit cards that they would prefer their partner didn't know about. (For example - the spouse of a compulsive gambler, a man who wants to make payments to the children of a former partner, victims of domestice violence etc.

nlgbbbblth

MrsD007 wrote: »

the person who made the disclosure will probably be given further DPA training.

If they're lucky.

There are a number of "punishments" - verbal warning, written warning, action contract and possibly dismissal.