I recently went into a High Street branch of my bank and moved a bit of money between accounts. I could have done more, but I didn’t have any additional forms of identification with me.
At the end, the cashier asked me for my nationality. British, as it happens. Why do you want to know? The cashier explained that this enabled a security control: if I ever bring my passport into a branch as a form of identification, the system can check that my passport matches my declared nationality.
Really? Really? If this is really a security measure, it’s a pretty feeble one. Does my bank imagine I’m going to say I’m British and then produce a North Korean passport? Like a James Bond film?
After she had explained how the bank would use my nationality data, she then asked for my National Insurance number. I declined, choosing not to quiz her any further, and left the branch planning to write a stiff letter to the head of data protection at the bank’s head office.
As a data expert, I am always a little suspicious of corporate motives for data collection. So the thought did occur to me that my bank might be planning to use my personal data for some purpose other than that stated.
Of course, my bank is perfectly entitled to collect data for marketing purposes, with my consent. But in this case, I was explicitly told that the data were being collected for a very narrowly defined security purpose.
So there are two possibilities. Either my bank doesn’t understand security, or it doesn’t understand data protection. (Of course there will be individuals who understand these things, but the bank as an organization appears to have failed to embed this understanding into its systems and working practices.) I shall be happy to provide advice and guidance on these topics.