Union challenges Lloyds TSB over offshore data processing

A trade union at Lloyds TSB is challenging the right of the bank to send sensitive personal information about its customers...

A trade union at Lloyds TSB is challenging the right of the bank to send sensitive personal information about its customers offshore to India for processing.

The union has written to the Information Commissioner seeking a ruling over whether Lloyds TSB is entitled to send data offshore without the written consent of each customer.

The complaint follows Lloyds TSB's announcement that it would close a call centre in Newcastle with the loss of 1,000 jobs and replace it with a centre in Mumbai, India, by November this year.

The union’s lawyers argue that the bank is in breach of the Data Protection Act 1998 because India does not have the high levels of data protection required in UK law under data protection rules.

If the challenge is successful, it could force other banks and financial services companies to rethink their decisions to send data offshore for cheaper processing.

“Our concern is the standard of data protection in India. It is not covered by the Data Protection Act and it does not have the same stringent standards as the rest of the European Union,” said union assistant secretary Peter O’Grady.

The union is backing a complaint made against the bank by an un-named customer and union member, who has demanded that the bank does not send personal data outside of the EU.

It argues that records of standing orders, payments and credit and debit transactions, and personal medical details supplied by customers of Scottish Widows, could provide an insight into the personal lives of customers, if not kept securely.

The union said the bank appears to be arguing that though data on customers can be viewed in India, it has not technically been transferred abroad but is held in the UK, therefore satisfying the requirements of data protection legislation.

Law firm Bindman’s, which is acting for the union, claims that sensitive data can only be transferred outside of the European Economic Area with customers’ explicit consent.

It argues that this must be in written form if data is transferred to a country that does not have the same data protection safeguards as the UK.

Lloyds TSB said in a statement, “We are confident that we comply with the Data Protection Act and our customers can be reassured that their personal information is as protected in India as it would be in the UK.

“The Data Protection Act states that as long as we have measures in place to ensure an adequate level of protection for personal data, we are not required to obtain customers’ explicit consent.”

Read more on IT risk management