ICO statement on banks sharing and gathering personal information

26 Jul 2023 11:37 PM

Information Commissioner John Edwards responds to the media reports of NatWest Bank sharing personal financial information about Nigel Farage with the BBC

• Concern at banks sharing personal information with media
• ICO writes to banks around information held on customers
• ‘Farage’s experience shows why data protection rights are so important’

Following media reports of NatWest Bank sharing personal financial information about Nigel Farage with the BBC, Information Commissioner John Edwards said:

“The banking duty of confidentiality is over a hundred years old, and it is clear that it would not permit the discussion of a customer’s personal information with the media.

“We trust banks with our money and with our personal information. Any suggestion that this trust has been betrayed will be concerning for a bank’s customers, and for regulators like myself.”

On the complaint raised with the ICO, Mr Edwards added:

“This case is out of the ordinary in terms of its profile, but it is important that we follow our usual processes and procedures. This means that an organisation would be given a chance to respond to a complaint before the ICO gets involved.”

ICO writes to UK Finance to remind them of responsibilities on information they hold

On suggestions that banks have gathered excessive dossiers on customers, Information Commissioner John Edwards said:

“Banks need to hold a lot of information about customers, to properly run their accounts, and to uphold the law around aspects like money laundering. But data protection rules still apply.

“I have written to the banks to remind them of their responsibilities to the public. Banks should not be holding inaccurate information, they should not be using information in a way that is unduly unexpected, and they should not be holding any more information than is necessary.

“Even the information banks gather around politically exposed persons must follow the law. We are working with HM Treasury, who set the rules in this area, and with the Financial Conduct Authority, who oversee those rules.”

Farage story shows value of data protection rights

On Nigel Farage accessing information held about him through a subject access request, Information Commissioner John Edwards said:

How to make a subject access request in five easy steps:

1. Include a clear label for your request: eg use ‘subject access request’ as your email subject line
2. Make sure you include a comprehensive list of what personal data you want to access, and how you would like to receive the information
3. You can use the template request on our website to help you
4. An organisation should respond within a month
5. If you’re not happy with the response – or don’t get one – complain to the organisation (there’s a complaint template on our website), and if that doesn’t work, complain to the ICO.

Notes to editors

About the ICO

• The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
• The ICO has specific responsibilities set out in the DPA 2018, the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
• The ICO can take action to address and change the behaviour of organisations and individuals that collect, use, and keep personal information. This includes criminal prosecution, non-criminal enforcement, and audit.
• To report a concern to the ICO telephone call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.