Respecting and protecting our customers’ privacy is a key part of our relationship with them. We endeavour to be transparent with our customers and we make sure that they can access the information we hold about them.
Our Privacy and Security teams work closely together. They make sure we keep a good balance between protecting customers' information and giving them more ways to access it.
What we’ve done in 2016
We had over 1.5 million Subject Access Requests* between 1 January and 30 November, averaging over 180,000 a month. (This includes PPI-related information requests.)
We finished a review of how well we’re following international privacy laws. It showed some areas where we can improve and we’re already working on it.
We held biannual meetings with the privacy regulator, the Information Commissioner's Office (ICO), to talk about key regulatory developments and ad-hoc issues that have arisen.
Requests for assessment are down from 2015
The table below shows the number of Requests for Assessment (RFAs)** we’ve had from the ICO. These numbers have fallen compared to 2015.

| |2015|2016 (1st Jan 2016 – 31st October 2016)|
|---|---|---|
|Total number of Requests for Assessment received|58|53|
|Uphold Rate %|70%|60%|
We welcome the changes to European data protection rules
We’ve set up a bank-wide plan to make all the changes we need by May 2018.
We’ll be changing the privacy notices we send to our customers:
- They’ll be clearer.
- They’ll give customers more choices for how we use their information.
- They’ll be better suited to the different ways our customers engage with us – both in person and through our apps.
* A Subject Access Request is a written request from an individual to see information an organisation holds about them. Organisations must provide the information subject to very limited exemptions. In the UK, organisations must provide the information within 40 days of receipt of the request and can charge a maximum of £10 to respond to such requests.
** The ICO may issue a Request for Assessment to organisations if it has concerns about that organisation’s compliance with applicable data protection legislation (e.g. if a customer makes a complaint).