According to a recently published Which? report (based on the results of an FoI requesst to the ICO), there were, in the year up to August 2010, nearly 1,200 allegations of breaches of the DPA made to the ICO in respect of UK banks and building societies. The Which? report said that only 13% of people knew they could report DPA breaches to the ICO, suggesting that the number of actual breaches may be much, much higher.
And who could be surprised? UK financial institutions – which once had a reputation for honesty and probity – have been implicated in scandal after scandal – pension mis-selling, the bank fee/charges scandal, the debt crisis and, more recently, the payment insurance scam. (They’re now selling insurance against identify theft – watch this turn into another scandal, with another multi-billion compensation pot.)
UK banks appear to have invested heavily in their complaint-suppression processes. Consumers are to be exploited, not cared for, appears to be their real philosophy. At least a Nigerian Advance Fee Fraud is self-evidently dishonest – UK banks cloak their schemes in legalese. glossy advertisements and implacable complaints processes. Failure to protect data is just one of the areas in which failure follows inadequacy follows absence of care. While we can avoid buying the banks’s schemes, we can’t avoid the fact that they have our personal data. We can – and should – insist that our data is maintained in line with the DPA. Banks will not do this voluntarily.
I believe that we have reached a point where financial institutions should be required to immediately report all DPA breaches to the ICO, that breaches should automatically attract a compensation award to the individuals affected and that repeated breaches should automatically attract a significant fine from the ICO, with the amount of the fine increasing with every subsequent breach.
What do you think?