Outcomes - Selected Case Summaries



Verification of employment letter by retail bank

Informal Resolution | 05 March 2021

While in the process of opening a bank account for the data subject, an employee of a retail bank attempted to verify the authenticity of the data subject’s employment letter by sending a copy of the letter to the employer’s general inquiries e-mail address, which is accessible to other members of the employer’s staff. The next day, the employer informed them of the breach.

We found that the existing protocol created ambiguity and increased the risk of errors, and in any event procedures were not followed when the letter was sent. This was a violation of the seventh data protection principle, which requires that appropriate organizational measures (such as policies and procedures) against unauthorized or unlawful processing be established. The notification of the breach to the data subject was not fully compliant, and the bank offered the customer a fee waiver.

Although five employees at the recipient organization read the letter, we were satisfied that the breach was contained. We recommended that the bank review and update its procedures to identify and mitigate potential risks, and develop additional staff training.