Halifax BOS break the data protection act and admit liability

Yep you read that right. Halifax BOS (Bank Of Scotland) have broken the Data Protection act and admitted it in a letter to me. In this day and age, where Identity Theft is at the forefront of the news, a member of staff at my local branch of Halifax gave information about one of my accounts to a man. I'm a woman. Here below is the timeline of events. I'm publishing this here because I want people to see it.

Oh and in addition to the below check this out: Times Online interesting article apparently our data is being sold off from Indian call centres for as little as a fiver.

Anyway, here below is my sorry tale of how Halifax BOS got caught with their pants down around their ankles;

On Tuesday 8 August 2006 I went and had a jab for Tetanus, Diphtheria and Polio (for my new hobby as a hand spinner). I was laid up for a couple of days after and returned to work on the Friday 11th August for half a day. When I got there, I called Halifax insurance division in relation to a problem I was having with a buildings insurance policy that was a block policy. They had not noted another property by address on the block policy which was taken out in 1997 (the property is the flat above my own) - they told me that they were not insuring anything other than one property and they said "we did tell you all this on 8th August."

Cue my concern that I didn't speak to them on 8th August - so who did they speak to? I was still rather poorly and let it slide till Monday 14th when I was back to full health.

I called them on 14th and asked who they had spoken to on the 8th as it certainly wasn't me. Apparently "someone" had gone into my local branch and had spoken to a member of staff there, who had called the Insurance division on two separate occasions over some time from 11:55am. The staff member, who's name I won't reveal initially though I am sorely tempted to do so, was a woman who had worked for Halifax for some time and was a very experienced staffer - so much so that she was the front of house contact person.

As it turns out, the person who walked in was a man. I am a woman with a rather feminine name, and frankly never in my life have I ever met a man with my name. I don't honestly ever think I will either.

Apparently, this man had some kind of letter from a solicitor - the letter has never been produced by Halifax BOS, therefore it either doesn't exist or they didn't bother to take a copy of it to help back them up when they were caught.

So it transpires that the man who did this was the man who lives upstairs from me. He admitted this to me on 1 September, where he laughed in my face and said he hadn't broken the law but the bank were at fault as they shouldn't have given him the information, he didn't care though as he had what he wanted. The information they gave him was that the building he lives in is not insured (and they gave him details of the premiums paid on the insurance), this was incorrect information and Halifax insurance have since assured me that the building IS insured and has been insured since 1997. They changed underwriters at one point and therefore they no longer offer block policies but that they would honour the policy but not renew it in October (as it happens they sent me a renewal letter just this week!).

The man owed me insurance payments for the last four years and in light of the information they gave him, he refused to pay what he owed.

I tried to call Halifax on 14th August; some 40 telephone calls later (in which I was asked my security details twice only) where you call a number that takes you through to a call centre who then connect you to the branch (they won't give you the branch telephone number) yielded nothing but a ringing phone repeatedly.

Eventually I extracted a fax number and branch manager’s name. I sent 5 faxes asking them to call me urgently as there was a possible fraud / ID theft going on on one of my accounts (at this stage I didn't know who had got the info just that someone had). I received silence in response. The call centre assured me they had sent emails to the Manager and to the staff member who had given out my information asking them to call me.

I had no choice then but to take 15th August off work. I'd wasted an entire working day on phone calls and faxes and now I was forced to take a day off to go and deal with this.

I went into my branch and the first person I met was the staff member in question. I asked her if she recognised me, and when she said no I presented her with my passport and asked her if she recognised my name now. Her face paled a little and then I hit with the burning question "could you explain to me why you have given out information on one of my accounts last Tuesday morning to someone who was not me?"

She went to get the manager. She then came out and offered me a cup of tea or coffee in the nicest possible way but her face gave away that she was rather scared and upset. She knew she had done wrong.

The manager finally came out and I requested that we establish a) was it a man or a woman who had come in b) I wished to view CCTV footage and c) I wished the police to be involved.

I was sweet talked nicely and told I had to give them 5 days and that CCTV footage is not held on the premises and that I shouldn't involve the police just yet.

I left rather incensed and still with no explanation. So I took a trip to the police who told me that I should give them the five days they requested and then review how I felt.

Five days came and passed. I called the manager (she gave me a number for the branch finally) and asked what was happening. She said she'd passed it to head office "haven't they contacted you?"

She then composed a letter admitting liability and offered me £50 as a gesture of goodwill and hand delivered the letter on her way home that night.

I wrote back thanking her for the gesture and pointing out the very real and actual cost to me in terms of finances (two days salary) and in addition the worry that my personal data was now floating around with some random stranger who walked in off the street.

I was told it was to be passed to head office.

8 weeks later on 10 October 2006, I finally get a scrawled letter saying "sorry you aren't happy we can offer you £150 as full and final settlement" and here’s how to contact the ombudsman. I've not replied to that, but I chatted to the nice chap in customer services who was dealing with the insurance side of things.

He asked me how everything else was; I told him what they had said in the banking division. Interestingly he was rather shocked himself and said he thought it was appalling and that it seemed a bit stupid to just offer £150 which doesn’t cover my costs, and suggest I go to the ombudsman when it will cost Halifax £380 if I go to the ombudsman irrespective of whether they are found at fault or not!

Anyway so here I am, with an offer of £150 in full and final settlement - I don't want to accept it as "full and final settlement" - I'd hoped they would go after the guy as it is the guy who lives upstairs from me and he has openly admitted he did it. His solicitor tried to fob it off as "oh his mortgage is with Halifax thats why he did it" when the reality is, he bought his place for cash outright - he doesn't have a mortgage.

So I guess I'm taking a nice trip to the Ombudsman and wondering how I go about contacting the Information Commissioners Office.

Ultimately for me it isn't about the money side of things, it is entirely the principle of the thing; that a random person of the opposite sex can walk in off the street and just get detailled information about policy or account documents without challenge from the staff at Halifax.

So since they were nice and understanding and helpful about this, I'm going to stick a SAR (Subject Access Request under the Data Protection Act) in next week when I've finished putting together my Nat West claim ;) They will have 40 days to comply and at this point in time I don't feel inclined to offer them the additonal 7 days after the 40 that I offered to Nat West.

Tonight I'll be putting together the final bits I need to move my account from Halifax. I'll be starting with my current (checking) account and moving on to savings, credit card and last but by no means least, my Mortgage. After that, when its all done and dusted, expect to see a very very nasty post here naming the individuals involved.

EDIT 19 October 2006:

This morning I returned a call to a customer services executive who had telephoned me in response to the Insurance divisions customer relations manager calling them. I've just had a chat with the representative who told me she had taken it to the DP dept in Halifax (thats the Data Protection Department). Apparently, the DP department don't believe there has been a breach in the Data Protection Act. This is a complete farce, how can it be that a man can walk in off the street, get information about a policy that is in MY name only, a female name, from a member of staff in the bank and it not be a breach in the data protection act? They gave out personal data belonging to me and about me to a random person that walked in off the street. I find it incredible that the Halifax Data Protection department really do believe that - I can't in all honesty believe they actually have any understanding of the situation whatsoever.

Edit 2:

Interestingly, another fraud was committed at my branch of Halifax two months before this happened to me;

"Lorraine Burt, 41, appeared at Wimbledon Magistrates'Court on Tuesday last week on charges of attempting to defraud the Wimbledon branch of the Halifax Building Society by pretending to be a woman named Ruby Donoghue. She was charged with attempting to obtain property by deception, using a false instrument and possession of a false identity document on June 16." Source: Fraud Centre Website

So they managed to notice the documentation she produced was false but they couldn't manage to notice that a MAN walking in and gaining access to personal information about a woman is OK?