The Information Commissioner's Office has fined Bank of Scotland £75,000 for repeatedly faxing confidential information to members of the public.
On as many as 22 separate occasions, staff misdialled fax numbers so that information including mortgage claims and wills was sent to members of the public instead of an internal document scanning department.
The first incident was reported in 2009, after a member of the public told the bank that they had received confidential documents in error.
An internal probe found an employee had misdialled the number of its Nexus document processing unit, accidentally pressing '8' instead of '2'.
It happened again later that year, when a second member of the public told the bank that they had received private documents in error.
The same thing happened on repeated occasions after that – in one case, 60 faxes were sent in error – and the ICO launched its investigation in April 2012.
Even after the ICO launched its probe, a third member of the public got in touch to warn the bank that they had a further 10 faxes, including mortgage claims and personal wills of its customers.
Based on the fact that the faxes were being sent by multiple internal machines, the bank concluded that it was not a mis-programmed fax machine but repeated miskeying by employees that caused the breaches.
Today, the ICO fined the bank £75,000 on the grounds that it had "failed to take sufficient appropriate technical and organisational measures against unauthorised processing of personal data".
These measures might have included employee and management training and monitoring of the way faxes were used.
The watchdog said the breach was considered "serious" – a prerequisite for a fine – because it was "persistent and repeated over a number of years".
"We apologise that, due to human error, a very small number of documents relating to 32 customers were unfortunately misdirected," the bank said in a statement today. "This occurred over a period in which several million customer documents, using the same process, were correctly received.
"No customer suffered any harm or detriment as a result of this error. We are continually reviewing our processes to ensure our customers' information remains safe".
"The security of our customers' data is always our key priority," it said.
The fine is only the second ever monetary penalty issued to the financial services sector by the ICO.
Last year, insurance provider Prudential was fined £50,000 after it mistakenly merged its records for two customers who had the same name and the same birthday.
Not only was this the first fine for a financial services provider, but it was also the first for a breach of the fourth principle of the Data Protection Act: that "personal data shall be accurate and, where necessary, up to date".
Last year, an NHS Trust in London was fined £90,000 – slightly more than Bank of Scotland – after patient records were faxed to the wrong recipient on 45 occasions.
