The bank, which is currently part of Lloyds Banking Group, sent confidential banking details, including payslips, bank statements, account details and mortgage applications, together with customers’ names, addresses and contact details, over a three-year period starting in February 2009.
The bank was told several times that documents were reaching the wrong recipients, but it failed to take corrective measures, and the matter was referred to the ICO.
The ICO found that at least 21 documents were sent to the third-party organization during this time, with another member of the public receiving a further 10 misdirected faxes.
ICO enforcement head Stephen Eckersley said that the Bank of Scotland had continually failed to address the problems raised over its insecure use of fax machines, and that a one-time mistake can be considered just carelessness.
Committing the same mistake repeatedly over a three-year period, despite being aware of the problem, is in clear breach of the Data Protection Act, and the consequences can be imagined if the information had fallen into criminal hands, Eckersley added.