ICO ends its involvement in dispute between NatWest Bank and data breach whistleblower

The Information Commissioner’s Office has ended its involvement in a dispute between a data breach whistleblower and NatWest bank

By Karl Flinders

Published: 27 Jul 2021 16:30

The Information Commissioner’s Office (ICO) has ended its involvement in a dispute between NatWest and a former branch worker over confidential customer data stored at the ex-employee’s home.

The customer data, in paper format, was part of a work-from-home arrangement with the former employee’s branch manager, which ran from 2006 to 2009.

But about 1,600 paper records containing confidential customer details remain in the home of the ex-member of staff, who has been trying to return them for more than 10 years. These include documents with customer names, addresses and contact details as well as account summary/history data.

In 2012, after an investigation, the ICO slapped the bank’s wrists over the practice and has been advising the former employee on the safe return of the customer data since.

According to the former employee, who wished to remain anonymous, the ICO told her in July 2021 – nearly a decade after it became involved – that it could do nothing about it because only digital data was covered by the Data Protection Act 1998 and not paper-based data, the format in which she had it.

Computer Weekly asked the ICO why it had not told the former employee earlier that it could not do anything, but it refused to comment.

The ICO confirmed to Computer Weekly it had ended its involvement in the dispute. “The ICO has provided advice on data protection issues to parties involved in an employment dispute dating back to 2009.

“We’re satisfied that the potential risk posed to individuals does not warrant further action, despite there being a change in the law [General Data Protection Regulation] since that time.”

GDPR, which was introduced in 2018, means that banks have to inform customers of potential breaches of their data.

The former employee had worked at a NatWest branch from 1998, selling mortgages and loans, and she was offered the chance to work from home for personal reasons from 2006. On the bank’s instructions, she used customer banking data to help her generate mortgage and loans business.

As part of the working setup, which continued until 2009, she received paper documents with customer data from her manager. These were either collected at the branch on a weekly basis or posted through her letterbox at various times.

When the former employee realised that the HR department was not aware of her working arrangement, she contacted an advice line within the bank and explained her concerns about the data stored in her home. She was asked to put everything in writing to her manager, which she did, inadvertently blowing the whistle on the lax data security practices.

After going through the bank’s grievance process, she was dismissed in May 2009 for not returning the documentation. The official reason for her dismissal was gross misconduct, and “flagrant disobedience following a reasonable instruction from a more senior employee”.

An employment tribunal later upheld the decision.

The former employee said she was told by the FSA to get a receipt from the bank before handing back the data to protect her own position against possible future litigation.

In 2009, the ICO told RBS: “It’s not unreasonable for both parties to sign an undertaking/receipt which would acknowledge that [the former employee] has handed over all the customer data in her possession, and the bank acknowledging what she has handed over is what she had in her possession, especially as the bank has no record of what data was given to [her].”

Eleven years later, NatWest finally agreed to provide a receipt for the documents, but the former employee asked the bank to indemnify her against future claims related to the storing of the data in her home and the work she was asked to carry out, which it refused to do.

In its 2012 investigation, the ICO found the bank had failed to comply with data protection principles when allowing home working to the branch worker, but no further action was taken.

The ICO said at the time: “While this incident was a ‘local’ issue at branch level, RBS did not ensure compliance with the seventh data protection principle during the period in question. Both parties were made aware of this decision. No further action was taken by this office and the case was closed and remains closed.”

As part of that investigation, the former employee handed over thousands of records to the ICO, which were subsequently returned to NatWest. However, she retained a box containing 1,600 customer records to provide her with evidence for any legal proceedings, of which the ICO is aware.

The former employee is keen to hand the records back but wants to be indemnified against future claims from former and current NatWest customers. The negotiations have hit a stalemate and the ICO has withdrawn its advisory support.

A spokesperson at NatWest Group said: “This former employee was dismissed in 2009 for gross misconduct due to her repeated refusal to return customer data.

“The bank understood that all the documentation had been returned, via the ICO, in 2012. It subsequently transpired that this was false. In 2019, the former employee alleged that she had, in fact, retained further documentation.

“The bank continues its attempts to recover this data. As with the documentation received in 2012, there has been no customer detriment and there are no concerns that it has been shared with any other parties.”

IT lawyer Dai Davis asked why the bank doesn’t get a court order to have the documents returned. “The bank has probably made a decision that, on the balance of things, it’s not worth it. The data is old and it’s not really a risk,” he said.
