FYI; The IC web site contains details of a breach of the Data Protection Act by a bank;

www.dataprotection.gov.uk/ar2001/annrep/htmlrep/007chp3.html

Case Study

BREACH: Unfair processing (1st DP principle) Inadequate, irrelevant and excessive (3rd DP principle) Inaccurate (4th DP Principle)

A complainant applied for a current account and a mortgage with a leading bank. Although the mortgage was granted the current account was declined. The bank advised the complainant that he should resubmit his application for the current account when his mortgage had been arranged, as preference was given to people with mortgages. Unfortunately, at the time he did so the complainant had moved to the new house so the address details on the application form were incorrect.The bank also conducted three credit reference checks, on two occasions using different periods for length of time at address. A fraud prevention database spotted this anomaly and the file was passed to a fraud investigator. Several procedural errors then took place, the outcome of which was the addition of a marker indicating possible fraud which was shown when a credit reference check was made.The complainant worked within the financial services sector. It was his belief that this marker prevented him obtaining employment within this field, as finance houses are unwilling to employ someone whose probity is in any doubt.

OUTCOME:

The assessment was made that this processing breached the first, third and fourth data protection principles. A review of all the relevant procedures, plus additional data protection training for staff at branch level was required.

And I guess the "Final" outcome will be in the courts.

-- screwed (p.loco@virgin.net), January 08, 2002