A former Royal Bank of Scotland (RBS) worker who blew the whistle on lax data protection practices at the bank faces storing sensitive information under her bed indefinitely as a second regulator says it can’t help her.
The bank, now part of NatWest Group, alleges the whistleblower has “sought payment” in exchange for the data, which she vehemently denies.
The details of about 1,600 RBS customers remain in her home as a decade-long dispute gets no nearer to resolution, with the Financial Conduct Authority (FCA) joining the Information Commissioner’s Office (ICO) in turning down the whistleblower’s call for help.
The former worker, who wishes to remain anonymous, has been fighting to get the bank to agree to the return of the paper-based customer files, which she had in her home when working remotely between 2006 and 2009. She wants a guarantee in writing that if any of the data is misused there will be no repercussions on her, which the bank has given verbally but not in writing.
In 2006, the data was sent to the worker’s home as part of a home working arrangement – in breach of data protection rules. The worker was given the opportunity to work from home and, on the bank’s instructions, used customer banking information to help her generate mortgage and loans business. Over three years, she received thousands of paper documents.
After an investigation in 2012, the ICO slapped the bank’s wrists over the arrangement and advised the former employee on the safe return of the customer files until 2021, when it ended its involvement in the dispute. According to the whistleblower, the ICO informed her in July 2021 – nearly a decade after it became involved – that it could do nothing about it because only electronic information was covered by the Data Protection Act 1998, and not paper-based information.
Most of the files she used in her job were returned to the bank, but she retained 1,600 as evidence for any legal proceedings, of which the ICO was aware.
The bank said it would provide a signed and dated receipt for the documents, stating: “NatWest Group confirms that all of the documents in the schedule of material provided by [the former worker] have been received as at the date of delivery.”
But the former worker told Computer Weekly: “I informed the bank on numerous occasions that this receipt alone was not enough and would not offer me the peace of mind that the bank would not implicate me or my family in any future investigation relating to these customers.”
She said the stress caused by the dispute has had a harmful effect on her health and that she has nowhere to turn to for help.
Late last year, the former worker requested help from the FCA, on the advice of the Competition and Markets Authority.
In an email to the FCA, the whistleblower complained: “I am being denied the right to meet with the FCA supervisor that regulates NatWest Bank. I have requested the meeting so I can show the evidence that I hold in relation to sensitive financial documentation relating to its customers, which the bank has decided to leave in my home. It has been impossible to get the bank to engage in any sensible conversation to help the return of these documents.”
She was turned away by the FCA, which told Computer Weekly it does not consider complaints or provide guidance regarding data security concerns, which it said was the remit of the ICO.
It also said it was unable to comment on individual firms.
Computer Weekly asked the ICO what the former bank worker should do with the customer files. In response, an ICO spokesperson said: “The delay in return of any outstanding information has been the subject of negotiations between the individual and the bank for some time and it is for those parties to resolve this matter.”
NatWest said: “The situation could have been resolved at any point in the past decade through the return of the documentation, as the former employee claimed to have done in 2012. Instead, she chose to retain copies of the documents and she has sought payment and concessions from the bank in exchange for them.”
The whistleblower said she has never demanded money for the return of the files.
When pressed by Computer Weekly on the claim that she has “sought payment” for the return of the documents, NatWest said: “[She] has told us that she believes that she is entitled to compensation.”
When asked if implying that she believes she is entitled to compensation is akin to asking for money in return for the documents, the bank said: “As far as we are concerned, there are no new developments and we have nothing further to add.”
The former worker said: “The written agreement I agreed to sign with the bank makes no reference to any financial payment. I can’t control what the bank says about me when approached by others that want to know more about my story. I have not asked for any payment from the bank in exchange for the documents.”
NatWest, which stopped communicating with the whistleblower a year ago, said: “This former employee was dismissed in 2009 for gross misconduct as a result of her repeated refusal to return customer information. There has been no customer detriment and the bank does not believe this historical documentation poses any risk to customers.”
NatWest has constantly claimed the data is historic and that there has been no customer detriment. But despite the time that has passed, some of the files held relate to current customers of the bank.
The former staffer, now a registered data controller, set out to test NatWest’s claim that the customer data is historical, and claimed she has established that some of the data belongs to current customers.
“I put to the test the bank’s assertion that this data is historical and that it poses no risk to customers, and I have established that some of the data is existing customers’. I immediately informed the bank and the ICO of this,” the former RBS worker told Computer Weekly in June 2022.
In February 2022, an attempted burglary of her home highlighted the precarious security of the confidential documents.
The whistleblower told Computer Weekly she had approached the FCA several times in the belief it would investigate and help, and that she had previously “felt reassured” knowing the ICO would offer guidance when needed, but this also stopped.
“I want either the bank or a regulator to take some responsibility for a situation which was never of my making. No one was interested and, as so often, there was much buck-passing,” she added. “I was left trying to find an organisation to help me understand what to do with many hundreds of documents which had been with me for so long and which I just wanted to return to the bank. After over a decade of trying, it seems to have become an impossible task.
“My concerns were always about bank customers, with no knowledge of what happened to their personal confidential banking information. I shouldn’t have and I don’t want this information in my home. I have been trying to negotiate a safe return of the information for years, so why won’t the bank allow me to return it on terms which protect me?”
She said the dispute has taken its toll and put her under “immense pressure”, which has affected her health. “If the bank would stop using aggressive tactics to take an extraordinarily aggressive approach to this matter and would just use a bit of common sense, this could have been resolved a long, long time ago.”
A lawyer who has assisted the whistleblower on a pro-bono basis told Computer Weekly: “Time and time again huge organisations with unlimited time and resources seem as if they want to batter those they see as opponents into the ground. All those so-called opponents are trying to do is fairly resolve matters and then get on with their lives.”