A former Royal Bank of Scotland (RBS) branch worker, who has held the personal details of 1,600 bank customers since using them as part of a work-from-home agreement in 2006, faces retaining the documents, which she said have ruined her life.
A deadline to sign a contract for the return of the files, which the bank gave her as part of her job more than 15 years ago, passed on 30 September without agreement.
The former employee, who wished to remain anonymous, worked at a branch from 1998. She was offered the opportunity to work from home in 2006 and, on the bank’s instructions, used customer banking information to help her to generate mortgage and loans business.
Until 2009, she received paper documents with customer information from her manager. When she became concerned that the arrangement could breach data protection rules, she contacted an advice line within the bank about the information stored in her home. But after putting everything in writing to her manager, she inadvertently blew the whistle on the lax data security practices. She was advised to obtain a receipt from the bank before handing back the information to protect her own position from possible future litigation.
The worker was dismissed in 2009 for not returning the documentation, with “flagrant disobedience following a reasonable instruction from a more senior employee” given as the official reason. An employment tribunal later upheld the decision.
The Information Commissioner’s Office (ICO) investigated the working-from-home arrangement and said at the time: “While this incident was a ‘local’ issue at branch level, RBS did not maintain compliance with the seventh data protection principle during the period in question. Both parties were made aware of this decision. No further action was taken by this office and the case was closed and remains closed.”
But it was not closure for the whistleblower, with about 1,600 paper files containing confidential customer details remaining in her home. These included documents with customer names, addresses and contact details, as well as account summary/history information.
The ICO worked with all parties for the safe return of the documents and everything within the agreement it negotiated was agreed, apart from the bank indemnifying the former worker against future claims related to the storing of the information in her home.
NatWest agreed to issue a receipt for the documents, but did not agree to indemnify the former employee.
Read more about data protection
- The Information Commissioner’s Office has published guidance aimed at rendering the application of machine learning to data compliant with data protection principles.
- The Department for Education’s National Pupil Database, which contains millions of items of data on the UK’s schoolchildren, was found to be non-compliant with data protection regulations across the board.
- Ticketmaster has been fined £1.25m by the Information Commissioner’s Office for failing to protect customer data from cyber attackers.
After the 30 September deadline for agreement passed in stalemate, the former bank worker told Computer Weekly that the bank had ruined her life. “My mental, emotional, social and physical wellbeing has suffered over the last decade,” she said.
“The bank’s representatives caused me and my family unnecessary suffering and distress. Not a day has gone by in the last 11 years when I have not thought about the bank’s behaviour, and how it left me with the responsibility of looking after financial documents relating to its customers, when this information would be confidential to the bank and its customers.”
She said she had had to live with the constant pressure of sorting the matter out while grieving the loss of both her parents, and supporting a young family. “I was unable to properly grieve over the loss of my parents as this issue consumed my every being,” she said.
“I was, and still am, keen to have the agreement put forward by the bank signed and the customer data collected, as I have always made clear I wanted to do over a very long period.”
The former employee has written to NatWest CEO Alison Rose nine times since June requesting an update on the terms of the agreement and the return of the documents, but has not received a written response from the bank.
“This continuing and completely unnecessary silence from the bank is having an ongoing detrimental effect on my health,” she said. “My life is stressful enough as a result of the bank’s behaviour and their lack of response is not making it any less stressful. I also want the regulator to regulate. It shouldn’t have been left to me to deal with a very serious data breach for the last decade.”
Computer Weekly asked NatWest for comment on its current stance on the matter, but it did not respond.
In late July, the ICO ended its involvement in the matter. The former employee said she had written a letter of complaint to information commissioner Elizabeth Denham and wants the regulator to remain involved until the documents have been returned to the bank.
At the time, IT lawyer Dai Davis asked why the bank had not obtained a court order to have the documents returned. “The bank has probably made a decision that, on the balance of things, it is not worth it,” he said. “The data is stale and it is not really a risk.”
Computer Weekly asked the ICO to comment on its current stance on the matter, but did not receive a response.
Read more on IT for financial services
Sensitive NatWest customer files set to be returned after High Court agreement
NatWest customer calls bank’s handling of breach of his data ‘disgusting’
NatWest offers compensation to customer affected by data breach exposed by whistleblower
Whistleblower contacts NatWest customers affected by a decade-old data breach