The BBA said that organisations need to be able to "identify individuals" who make data subject access requests. However, it said that companies may not be able to ensure that they are sending personal data to the right people if plans to force them to respond to electronically submitted requests for the information are introduced into law.
The BBA's concerns were contained in written evidence (266-page / 3.73MB PDF) submitted to the inquiry into EU data protection reforms being run by the House of Commons' Justice Committee.
Current rules generally require organisations that hold personal information about individuals to provide those individuals with details of what is stored when those 'data subjects' file a 'subject access request', which in the UK costs the requester £10 to submit.
However, under proposed reforms to the EU data protection regime, the European Commission has outlined plans to require organisations that process personal data by "automated means" to "provide means" for subject access requests to be submitted "electronically" for free. If subject access requests are made electronically, companies would generally be obliged to provide the information sought to the requester in "electronic form".
The BBA, though, has identified problems with those proposals, claiming that banks would face greater costs in order to meet the IT security standards required to comply.
"Data controllers are required to identify individuals making subject access requests, which is unlikely to be possible via some electronic channels, such as email," the BBA said in its written evidence submission. "Banks are open to receipt of electronic requests where practical and secure facilities exist, but we argue that there is no place for [these requirements to be contained] in a Regulation whose intention is to remain technology neutral."
"In addition, our members have concerns about sending data electronically. Extra controls will need to be implemented so as to ensure that email requests are not fraudulent attempts to obtain information which will require extra resource. The growing IT security issues our members face generally in the fight against fraud is a robust reason as to why this would not be desirable. In addition, the amount of data that could be disclosed may be significant requiring the use of encryption tools that may not be compatible with our customers' IT resources," it said.
The BBA also said that the draft general Data Protection Regulation, which the European Commission published in January, does not contain enough scope for banks to store personal data for the purpose of combating illegal activity. It has proposed changes to the Commission's text in order to provide a legal basis for processing personal and sensitive personal data for such purposes.
"Banks are required to collect, assess and retain various types of data relating to preventing and combating fraud and other criminal activities such as anti-money laundering and terrorist financing," the BBA said. "This data collection is relevant both prior to and as part of internal and external investigations. It is not appropriate, as is currently implied in the proposed Regulation, to limit the legal obligations around storing such data."
"Therefore the BBA believes the [Justice] Committee and the Government should consider an exclusion in Article 9 [of the draft Regulation] for processing that is necessary for compliance with a legal obligation, a regulatory rule or a piece of guidance, industry code of practice to which the controller is subject. An additional processing condition is needed in Article 6 to explicitly allow certain anti-money laundering and fraud detection purposes. This processing is necessary to protect customers and businesses from financial loss and for regulatory reasons. This provision could be similar to the wording under ... the UK Data Protection Act," it said.
The BBA raised a number of other concerns with the Commission's draft Regulation. These concerns included reservations about the proposed penalties regime for data breaches. It said that there should be a "statutory maximum" fine that regulators could impose on companies as punishment for non-compliance. The BBA criticised plans to enable regulators to fine companies up to 2% of their annual global turnover.
"The BBA feels there should be a statutory maximum figure for fines," the industry body said. "In addition, there should be further alternative available measures in relation to applying enforcement orders and/or undertakings, as appropriate in each jurisdiction. Furthermore, the maximum fine of 2% of the annual worldwide turnover is disproportionately high in relation to the risk of harm."
"In addition, there are many financial services organisations where the processing of personal data relates to a very small proportion of overall global business, particularly in the investment banking area. It is not fair or appropriate to penalise business operations that are not related to the processing of personal data or which were not associated with the incident other than being a sister company in a shared group of companies. In this respect, fines, if relevant, should be imposed on the basis of the turnover of the legal entity which committed the breach."