The Legal Consequences of the Unlawful Transfer of Personal Client Data to Third Parties: UK Case Study

Under English common law, banks are liable to both criminal and civil proceedings. According to the case of Bank of Scotland v A, banks are able to choose between criminal and civil liability in litigation with their customers. Nevertheless, 'the last bit' of this choice has to be decided by the court.

The bank's obligation to maintain bank secrecy is usually implied in client contracts. The contract does not protect the client when a third party has retained and disclosed confidential information, whether this happens accidentally, intentionally or with consent. However, the law of equity protects the right to privacy and provides legal protection of this right. The law of equity also guarantees the bank's customers that their rights can be protected through the court's right to grant an injunction.

However, when a client sues a bank with the aim of gaining financial compensation, he or she should prove two things:

  1. that he/she suffered a true financial loss;
  2. that the illegal disclosure of his/her data caused moral distress.


It was mentioned in the case of Turner v Royal Bank of Scotland that the client should generally know the overall practice of banking, the situations in which disclosure is legal, and the bank's rights to share information with other banks. The claimant lost the case because he could not prove that he had sustained any financial loss.

In addition to criminal or civil liability, the bank could also be fined by the Financial Conduct Authority (previously the Financial Services Authority). HSBC UK was fined £3.2m for a series of data leakages in 2007 and 2008. In the UK, HSBC had lost the data of 370,000 customers. The leak was discovered when the UK branch of the bank was carrying out a standard security audit procedure. Based on the verification, the bank's management had to admit that they were missing a CD containing personal account data. According to HSBC's report, the Security Manager lost the disk containing data of a personal nature, including names, places of birth, and information about insurance and bank accounts.

Clients expect that the banks where they keep their money will always protect their financial and private data. When a client finds that his/her private information has been wrongly disclosed to a third party, he/she could become angry, suffer from moral distress and even lose confidence in security. Even minor illegal transfers of information could lead to significant problems.

According to the UK non-governmental organisation CIFAS, the United Kingdom had a record number of cases of fraud connected with personal data. In the last several years, the number of crimes increased by 5%, totalling about 250,000 per year. Half of these offences were committed as a result of thefts from the bank. In 2015, 123,589 cases of fraud involving the use of personal information of innocent or fictional people were prevented. This was 9% higher than a year earlier. Cases of fraud inside companies, where a staff member compromised individual accounts, have risen by 53%. In 2016, cases in which criminals illegally took personal data made up 65% of all fraudulent acts.

The Director of CIFAS mentioned that business organisations dealing with personal data should rethink their approach to the issue of information leakage. The right solution to this problem should be appropriate investment in preventive systems and new techniques in internet security and data protection. Otherwise, businesses and society will face even more significant losses.

When calculating the damages from the illegal transfer of personal client data to third parties by banks, it is necessary to consider not only the amount of direct damage, but also the very expensive events that follow a successful attempt to break into a bank's computer systems. Thus, the loss of data on secret accounts with the Bank of England in January 1999 forced the bank to change the codes of all correspondent accounts of its customers.

When it initially happened, the UK alerted all available forces and counter-intelligence to stop a leakage of information that could cause enormous damage. The government took extreme measures to ensure that third parties could not access account information and addresses, which cost the Bank of England hundreds of dollars every day. Moreover, the UK government was afraid of situations in which the data could become available to foreign intelligence services. In such a case, all financial correspondent networks of the Bank of England would have been disclosed. The possibility of damage was eliminated in a few weeks.

Violations of confidentiality in banking security have always caused large losses both to the financial organisation and to its customers. The losses may be not only financial but also in personnel. Staff changes may affect not only the lower levels of the bank, but also its top and senior levels. For example, the head of the information or security department may quit voluntarily or may be dismissed.