My personal details were shared by Skipton. They will not delete my account. Ombudsman?

vikkiew

I had a cash ISA account with Skipton from 2016. The email address I provided Skipton was unique. Nobody else knew it. I started receiving targeted scam emails. By targeted I mean the sender knew my name and post code. I transferred the ISA account so I have no open accounts with Skipton anymore. I have tried to have my online account deleted even made a complaint but just given the go around. After a three month review the complaint was closed without any real explanation as to what happened or acceptance. Just standard verbage about terms and conditions. The final letter suggests going to the Ombudsman if I am not satisfied with the outcome. Is this the best course of action? I know it is too late now but is their any harm in changing the personal details in my online account or will false information cause problems with other banks?

xylophone

You  had an ISA with on line access.

The ISA was transferred in full to another provider.

Why was the account not closed?

false information

Why on earth would you do this?

And if the e-mail account is the worry, why not just close it?

masonic

Yes, it would be harmful to provide false information to any bank about your name, address, date of birth etc. It is likely they would need evidence to support the changes, but if not it could result in this information finding its way into your credit files or CIFAS.

It's not really clear what you are trying to achieve. Skipton has a legitimate interest to retain your personal details on file if you have held an account with them. They could remove your online account, but this would not reduce the amount of personal information they held.

The fact that targeted scam emails started getting sent to the unique email address you used with Skipton does not necessarily mean they have been sharing your details or suffered a data breach. There are a number of ways in which such information could find its way into the hands of a scammer. If the problem is not widespread among Skipton users, then that would tend to point away from Skipton being the culprit and towards an attack on the affected user.

Qyburn

Did you complain about your specific grievance, suspicion that they had inappropriately disclosed your personal details? 

huw01

I think if you want to take it further then it would be a matter for the Information Commissioner's Office ICO not the ombudsman
. It would be a data protection complaint

https://ico.org.uk/make-a-complaint/data-protection-complaints/data-protection-complaints/

phillw

masonic said:

There are a number of ways in which such information could find its way into the hands of a scammer. If the problem is not widespread among Skipton users, then that would tend to point away from Skipton being the culprit and towards an attack on the affected user.

And I'm not sure how anyone would prove that the email address hasn't been entered on any other site on the internet, or if the details had been entered on a computer which was infected by some malware at the time.

Of course Skipton could be the culprit & nobody would know as most people just ignore spam emails without considering how the details were obtained.

DullGreyGuy

vikkiew said:
After a three month review the complaint was closed without any real explanation as to what happened or acceptance. 

Email is not a secure system, many emails flying around between basically random third party servers unencrypted. Plenty of opportunities for others to intercept those messages and reuse the data. Plus the chance someone has picked it up from your own devices. 

If Skipton had had any material breach it's unlikely it would be unknown. Other sources of someone getting the details is much more likely. A rogue employee could always exist but it's certainly on the lower end of the probability scale. 

You dont have a statutory right to have an account closed. Under GDPR you have a right to ask to be forgotten but business can deny the request if they have a legitimate need to retain the data... most banks will need to keep the data for 7 years post account closure and isnt hard to argue it is longer.

Time to move on really.

n15h

DullGreyGuy said:

You dont have a statutory right to have an account closed. Under GDPR you have a right to ask to be forgotten but business can deny the request if they have a legitimate need to retain the data... most banks will need to keep the data for 7 years post account closure and isnt hard to argue it is longer.

Time to move on really.

Completely agree with this! The complaint won't go anywhere if the business has to retain the data to comply with current regulations. With the amount of time and energy that could be wasted on this and the high possibility of getting no where, it's probably best to utilise your resources elsewhere.