The Bank's Duty of Confidentiality, Disclosure Versus Credit Reference Agencies; Further Steps for Consumer Protection: 'Approval Model'.
© Samahir Abdulah
First Published in the Web Journal of Current Legal Issues
Citation: Abdulah S, 'The Bank's Duty of Confidentiality, Disclosure Versus Credit Reference Agencies; Further Steps For Consumer Protection: 'Approval Model'', (2013) 19(4) Web JCLI
The world today is witnessing a tremendous development in the field of information technology and rapid access to electronic data. In practice, the growth of Electronic Funds Transfer makes it possible for banks to execute increasingly sophisticated analyses of their customers' saving and spending habits, which enables banks to market their own products more effectively but also provides a potentially very valuable source of marketing information for third parties, such as Credit Reference Agencies. Consequently, consumer protection has become a central concern, especially with regard to privacy and the capacity of the banks to employ protection systems which are efficient in safeguarding customers' confidential data. At the same time, scant attention has been given to analysing the function of the Credit Reference Agencies to determine whether they serve a public purpose for the benefit of users and the business sector, or whether they merely supply a service in the interest of the banks. The conclusion reached in this article is that there is a lack of uniform or harmonising legislation in the procedures for data exchange, and that the customer's consent is therefore the essential key to any transmission of customer information. There is a further conclusion that consent to the passing of customer information should be subject to certain conditions. It is therefore important to have an approved model to regulate and clarify the principles and conditions of customer data exchange.
A technological revolution has changed the global balance of economic and political forces and created a new world where information is stored and transmitted not on paper but electronically and is accessible by means of a monitor screen. In banking, the development of Electronic Funds Transfer(1) systems makes it possible to store a large amount of data relating to customers' transactions. This enables banks to market their own products more effectively and also provides a potentially very valuable source of information for Credit Reference Agencies.(2) At the same time, banks owe their customers a fundamental duty of confidentiality and are also obliged to maintain high standards of accuracy with regard to the information they hold (Goode R, 1989, p.269). The duty of confidentiality is not absolute, however, and is subject to four exceptions, discussed below.
An EFT constitutes the most modern type of payment system, enabling funds to be transferred electronically from a customer's bank account to another account. Such a transfer is classified as either a credit transfer or a debit transfer (Goode R, 2009, pp.504-505). A credit transfer instruction is initiated by the payer who orders his/her bank to move funds from his/her account to the payee's bank account (Ellinger EP, Lomnicka EVA and Hare CVM, 2011, p.562; Cox R and Taylor J, 2010, p.57). Thus, the payer's bank moves the amount of the transaction to the payee's bank by some form of credit transfer, such as a standing order. On receipt of the payer's payment instruction, the payer's bank account is debited and the payee's bank account is credited. Conversely, a debit transfer instruction is initiated by the payee who orders his/her bank to withdraw the funds from the payer's bank account, for example as a direct debit (Hapgood M, 2007, p.361). A debit transfer instruction can be initiated by the payer and passed on to the payee, as for instance in a payment by cheque (Goode R, 2009, p.504; Ellinger EP, Lomnicka EVA and Hare CVM, 2011, p.562). On receipt of the payee's order, the payee's bank will credit the payee's account with the funds withdrawn from the payer's account. Subsequently the payer's account will be debited. The transaction of funds to the payee's account is considered final when the payment is accepted by his/her bank: it then becomes irrevocable.
In the UK, the lack of comprehensive regulation governing EFT means that EFT transactions come under the jurisdiction of the law of contract and the law of agency. The established legal view of the banker-customer relationship in EFT is that it is an agent-principal relationship (Chorley L, 1974 Ch.3). There is consensus (Hapgood M, 2007, p.406; Ellinger EP, Lomnicka EVA and Hare CVM, 2011, p.126 and p.601; Arora A, 1992, p.291; Cox R and Taylor J, 2010, p.124) in the literature that the banks act as agents to their customers in the EFT transaction. The importance of the law of agency in EFT is demonstrated through the decision of Webster J. in Royal Products Ltd v Midland Bank Ltd.(3) Webster J. held that one of the bank's duties as its customer's agent was strict adherence to the customer's mandate. Another legal aspect of the banker-customer relationship in EFT is the debtor-creditor relationship. This relationship is founded on the fact that when the customer's account is in credit the customer acts as creditor to the bank, and conversely the bank acts as creditor when the customer's account is debited or overdrawn. A further consequence is that the customer's funds deposited in the bank's account are owned by the bank, so that the customer has to request those funds from the bank as a creditor (Sappideen R, 2003, p.587). In Royal Products Ltd v Midland Bank Ltd,(4) the litigants were Royal Products, "a Maltese company which trades in Malta", which had a current account with Midland Bank and also with the Bank of Industry, Commerce and Agriculture Ltd (BICAL) in Malta. The facts of the case were that Royal Products gave an order to Midland Bank in the UK to transfer £13,000 from their current account there to their current account with BICAL in Malta. However, BICAL was facing insolvency problems at that time.
Midland Bank therefore wanted to avoid involvement in the legal issue and so used the Bank of Valletta (National) in Malta as its intermediary to transfer £13,000 to BICAL. National consequently transferred the funds to BICAL, informing them that the funds were to be credited to Royal Products' account. The next day BICAL became insolvent and failed to credit the £13,000 to Royal Products' account. Royal Products Ltd brought an action against Midland on the grounds that, if National was not the agent of Midland, then their order was never executed, which meant that Midland was liable; but if National was acting as an agent of Midland, then National had broken essential obligations and duties of a fiduciary nature, for breach of which Midland was liable. In this case, the decision of Webster J. was for Midland.(5) With regard to the relationship between the payer and the payer's bank, Webster J. considered the legal implications of the payment instruction given by the customer to the bank. His Lordship held:(6)
"What, then, are the legal implications of those instructions? How are they to be regarded, as a matter of law? In my judgment they are to be regarded simply as an authority and instruction, from a customer to its bank, to transfer an amount standing to the credit of that customer with that bank to the credit of its account with another bank, that other bank being impliedly authorized by the customer to accept that credit by virtue of the fact that the customer has a current account with it, no consent to the receipt of the credit being expected from or required of that other bank, by virtue of the same fact."
The court held that Midland's contract with Royal Products was not specifically a contract to supply a fund transfer only. The relationship between bank and customer normally involves the payer bank charging the payer a fee to issue a fund transfer on the payer's behalf.(7) In each case, the terms and conditions of the contract between the parties will be significant in determining the duties and the obligations for both parties.
The greater concern about the bank's duty of confidentiality in the EFT context, compared with non-electronic payment systems, arises because, first, there are now numerous bank records full of customer information in the form of easily accessible electronic data. Secondly, electronic data in EFT is easy to collect, organise and save, and it offers large amounts of information. Thirdly, the growth of EFT systems makes it possible in practice for banks to store and save large amounts of data relating to their customers' financial affairs, which makes banks valuable sources of information for the CRAs. Fourthly, the internal procedures of EFT are invisible to customers, who have no awareness of the data collected about them, who is using it, and for what purpose.
The objective of this study is to examine the ambiguities surrounding the disclosure of customer data to CRAs and to determine whether this disclosure falls within the interests of the bank or whether it needs to be approved, implicitly or explicitly, by the customer. Furthermore, it is important to consider whether or not the disclosure of customers' data to the CRAs is in the public interest. There have been concerns in relation to consumer credit records, and banks provide varying degrees of customer confidentiality, offering contractual terms and conditions which differ from one bank to another. There is no uniform standard, and moreover no guarantee of absolute secrecy, since confidentiality can be waived in certain legal circumstances.
The methodology used in this study is to examine and analyse existing laws and to recommend new approaches toward the disclosure of customer data to CRAs and the protection of that data.
The banker-customer relationship is an agency contract and the element of privacy stems from this contract. Generally, an agent is under a duty of care and privacy to his principal.(8) The bank's duty of confidentiality implies a legal obligation to maintain the customer's information securely. The case of Tournier v National Provincial and Union Bank of England(9) identified the principles of a bank's duty of confidentiality. The Tournier principles, however, left some issues unconsidered. The banks' duty of confidentiality is implied because it is difficult to set general rules dealing with breaches of confidentiality. In view of the intense competition within the sector, a bank's profitability depends on its ability to maintain its reputation and inspire its customers with confidence. Confidentiality is therefore implied from the very beginning of the banker-customer relationship. Furthermore, the bank's obligation of confidentiality is a legal one, and banks have recently started to include in their contracts with customers terms dealing with confidentiality under different headings, such as the use of customers' personal information,(10) personal information,(11) or simply by reference to the term 'confidentiality'.(12) Thus, confidentiality has become an explicit legal term in the banker-customer contract.
The bank's duty of confidentiality covers all customers' information about themselves and their accounts obtained by the bank, irrespective of the information source and for as long as the banker-customer relationship exists.(13) There are many logical reasons for obliging the banks to keep customers' confidential data private before, during, and after their relationship. First of all, information provided to the bank before the beginning of the contractual agreement is possibly the same information that is provided by the customer after that agreement has been entered into; consequently such information falls under the duty of confidentiality. Secondly, information provided to the bank at any period during the banker-customer relationship does indeed fall under the bank's duty of confidentiality according to the common law definition of confidence.(14) Thirdly, in practice, there is nothing to prevent banks from undertaking an explicit duty to the customer not to disclose specific information, even if such information theoretically is not within the ambit of the bank's duty of confidentiality. Fourthly, the customer's right of privacy must certainly be respected, and a most important aspect of a person's rights is the right to keep his/her information private. There is the further possibility that disclosure of any confidential information after the termination of the banker-customer relationship may cause loss or damage to the person (Hapgood M, 2007, p.158). Finally, a customer's confidential information could be of a commercially sensitive nature, and disclosure might adversely affect his/her subsequent business or commercial activities. Given the above factors, it seems that the bank's duty of confidentiality should be maintained indefinitely, even after the customer's death, as long as the law does not indicate a specific time for the termination of the duty.
A bank's duty of confidentiality is not absolute, and is subject to four exceptions, identified in Tournier:(15)
- disclosure by compulsion of law;
- disclosure under a duty to the public;
- disclosure in the bank's own interest; and
- disclosure with the customer's approval.
The first two qualifications mean that the disclosure of a customer's private data may be required by law in cases where the public interest prevails, as the bank has no power to avoid the rules of law and will be liable if the disclosure does not occur. Disclosure under the public interest has been described as 'the difficult and comprehensive meaning of the Tournier qualification' (Hapgood M, 2007, p.159). These difficulties could be due to a lack of clarity regarding the circumstances which would create exceptions in the public interest. Disclosure in the bank's own interest is the third exception to the bank's duty of confidentiality identified in Tournier.(16) The fourth qualification in Tournier is the customer's consent, which may be either explicit or implicit. In Tournier, the court held that the best instance of a customer's implicit approval for the disclosure of confidential information is where he/she authorises the bank to provide a reference. This approach has been adopted by the banking sector for years.(17) However, it is sensible not to assume that a customer who provides his/her bank details when applying for a credit card is giving implicit approval for the disclosure of confidential information by his/her bank. Tournier has therefore been exposed to criticism in this respect (Hapgood M, 1996, p.124; Chorley L, 1974, p.24). One of the Jack Committee Report recommendations was that at the beginning of the bank-customer relationship the bank should explain and describe very clearly how the banking system works and should invite customers to give or withhold a general approval for their banks to submit opinions on them in response to government enquiries.(18) Nevertheless, there is nothing to prevent a bank from including in its contract with the customer a term authorising disclosure of information on a customer's creditworthiness.(19)
The Court of Appeal in Turner v Royal Bank of Scotland plc 2 All ER (Comm) 664 CA,(20) however, held that a bank could not depend on banking practice to justify the assumption of its customer's implied approval for the use of private details in providing other banks with references. Therefore, the theory that the bank could pass on its customer's confidential information on the grounds that the bank has its customer's implied consent was rejected. Hooley (2000) argues that the Turner decision presents a clear explanation in the area of implied consent theory. In this regard, the best recommendation is that the principles governing the bank's duty of confidentiality should be regulated by statute in order to avoid any ambiguities. Given the above position, it seems that the law has been changed, since the Court of Appeal in Turner held that the bank has no right to disclose or exchange a customer's confidential information in reliance on the customer's implied consent. There are, however, two limitations upon the scope of Turner. First, Turner presents no final norms to determine whether a bank can depend on its customer's general approval in responding to status enquiries, or whether a customer's particular approval is required. Ellinger EP, Lomnicka EVA and Hare CVM (2011) agree that a bank may depend on its customer's general approval in responding to status enquiries, although the consequence of allowing a bank to depend on a customer's general approval must be that the bank bears the burden of confirming that the customer is informed of the way in which the bankers' reference scheme operates (Hooley R, 2000, p.23).
Secondly, Turner surely expands a customer's right to establish liability against a bank for breaching its duty of confidentiality by reporting its customer's private data to a third party without the customer's approval, although the customer may have difficulty recovering losses arising from that breach (Ellinger EP, Lomnicka EVA and Hare CVM, 2011, p.197). General damages will usually be available,(21) but particular damages will not always be easy to recover. If the bank reveals accurate data that is positive to the customer, it is improbable that the customer will suffer any adverse consequences resulting in loss; nevertheless this is not an absolute norm.(22) If the data is accurate but negative, it would be difficult for the customer to prove that the disclosure without his/her approval caused such losses.(23) The only case where particular damages would probably be easily recoverable is where the data provided by the bank proves to be inaccurate: in such a case the customer will also have a concurrent claim based upon the breach of the bank's duty of skill and care (Toulson RG and Phipps CM, 2006, paras.3-092-3-097).
The bank has to notify its customer about any reference before it is transmitted and is, moreover, required to obtain the customer's written consent before any action is taken with regard to the reference. Overall, it is fair practice to obtain the customer's express consent before passing any confidential information to another party, and if the bank fails to do so it will be liable for breach of the duty of confidentiality. Moreover, unless there is a legal reason, the bank has no right to refuse to disclose the customer's information if such disclosure is in accordance with the customer's request. In practice, the bank could give advice to the customer, explaining that the bank could not act on the customer's request, as long as there are good reasons for not so acting.(24)
Regarding 'the bank's duty to exercise reasonable care and skill and the confidentiality of EFT systems', banks must adopt highly sophisticated encryption systems(25) to prevent hackers from gaining access to their own and their customers' data. The bank is under strict liability to employ reasonable and secure software programs for executing its intended purposes, and such liability does not depend on proof that the bank was negligent.(26) Azzouni (2003) considers encryption systems one of the most significant problems associated with electronic banking confidentiality. Such a problem can be solved by adopting a highly secure system to prevent any unauthorised access to the bank's electronic data. Nonetheless, the first step in protecting a customer's information must be through the privacy of the information about each party involved in the EFT transaction. Neither payers nor payees have access to each other's personal transactions, irrespective of which type of EFT method is used, thus ensuring that their privacy is protected (Sadeghi AR and Schneider M, 2003, p.118).
The development of banking, and in particular the growth of EFT, makes it possible for banks to execute increasingly sophisticated analyses of their customers' saving and spending habits, enabling banks to market their own products more effectively and also providing a potentially very valuable source of marketing information for CRAs.(27) Scant attention has been paid to some significant issues arising from this situation, namely the ambiguity surrounding the disclosure and exchange of customer data with the CRAs, whether these disclosures and exchanges fall within the bank's interests or the public interest, and whether they are subject to the customer's approval (Wadsley J and Penn AG, 2000, pp.137-199; Ferretti F, 2008, p.96). There is a need for an analysis which will determine the actual function of the CRAs and whether they serve a public purpose for the benefit of users and the sector or whether they merely supply services in the interest of the banks. Further clarification is also needed to determine whether CRAs fall under the Data Protection Act 1998(28) and the Human Rights Act 1998(29) and whether any defaults should be considered as a breach of statutory duty under the Acts. Finally, there is a significant need to analyse and determine whether CRAs owe a duty to act with reasonable care and skill regarding customers' confidential data.
In the EFT system, confidentiality is violated when a customer's information is, without legal authority, made available to and exchanged by a third party who is not a party to the EFT transaction, for goals other than those required to achieve the transaction. Such goals could include the exchange and disclosure of customer data to the CRAs. CRAs are self-governing institutions which obtain and collect various financial data about both customers and businesses. They also collect and issue records of individuals' financial affairs.(30) There is no doubt that disclosure of customers' private data to the CRAs is not mandatory or obligatory and that it occurs on a voluntary basis (Ferretti F, 2007, p.72). There needs to be an examination, based on the results of the first analysis, of the actual function of the CRAs in order to discover whether they are instruments of the public interest or whether they merely supply services in the interest of the banks, and also whether proposals for UK laws apply to all the different subjects that consumer credit recording entails. A connected argument is that credit data exchanges through CRAs are executed in the interest of the parties involved. Assuming the validity of CRA services, introducing worthwhile business would indeed be in a party's interest. However, the best argument is that if the CRAs evolved procedures similar to those of private sector institutions such as banks, an evaluation of whether consumer credit recording properly complies with the requirements of data protection would result in better regulation. If CRA services worked in a manner similar to that of government institutions and under a government umbrella, then they would serve a public interest. There is a difference, however, between an action which is in the public interest and an action which is obligatory (Howells G, 1995, p.349).
It seems that CRAs do not operate in the public interest, and therefore banks cannot justify the disclosure of customers' private information to the CRAs on public interest grounds, because in this context the public interest applies only to matters involving the safety of the state or the prevention of criminal activity. It is important to assess the functions of CRAs in order to ascertain whether the existing law sufficiently defends against one interest prevailing over the other. At the very least some attempt should be made to find a balance between the interests of the parties involved. In the final analysis, CRAs are private organisations working under government regulations.(31) Thus, the next issue is whether banks are pursuing their own interest in their justification of disclosure of customer data to CRAs. Disclosure in the bank's own interest is subject to wide interpretation, and therefore the bank could justify any disclosure under its own advantage or interest (Alhosani W, 2012, p.16). There is no general acceptance of disclosure in the bank's own interest, unless it relates to the public interest and not only that of the bank, since such qualifications may offer the bank opportunities for abuse (Cranston R, 2002, pp.174-176). The banks therefore have no right to disclose information to the CRAs on the basis of the bank's own interest. With regard to CRAs as 'private organisations', it is clear that the existing law is insufficient to protect customers against the disclosure of private information and against CRAs acting in their own interests. This then leaves banks dependent on customer approval, which could be either express or implicit.
There are two types of customer data, positive and negative. The bank's right to disclose private data belonging to its customer differs according to the data type. The Lending Code 2012 permits the bank to pass negative information without a customer's approval,(32) although the customer must be given notice of the release of that information at least 28 days before the disclosure is made. Within this period, the customer must be given clarification of the ways in which this negative data might affect his/her right to obtain credit.(33) This 28-day period allows the customer time to make repayments or come to some arrangement with the bank before negative information is passed to the third party.(34) Conversely, the customer's approval must be obtained before the bank provides positive information in a reference.(35) Nevertheless, the Lending Code 2012 fails to stipulate whether the approval required of the customer should be express or implicit. As seen above, the law has been changed and the bank has no right to disclose or exchange a customer's confidential information by relying on the customer's implied consent.
In practice, the banks have a right to pass and exchange their customers' confidential financial data by giving facts about the customer in terms of his/her capacity to enter into and fulfil a specific financial commitment. These disclosures and exchanges fall completely under the general terms and conditions of the banker-customer contract and are subject to the customer's general approval.(36) However, these general terms and conditions leave the customer without any real option to accept or reject the exchange and disclosure of his/her data, because rejection by the customer of those terms and conditions will cause the bank to refuse to open an account for him/her. It would be salutary to bring the sophisticated electronic technology involved in personal data exchange into the ambit of a data protection regime. As a consequence, the customer data subject to transfer would not be available to the public and transfers would be made using secure encryption.
Finally, mention should be made of the difficulty involved in separating the use of customer data for the legitimate purpose of credit management from the use of that data for marketing purposes. There is to date no law or body of regulation which prevents government agencies or new commercial organisations from becoming clients of CRAs and participating in their supply and transmission of data. The foregoing examples show the ambiguities of the norms of information exchange in practice and the conflicting interests of CRAs operating strictly in accordance with those norms.
3.2.1 The Consumer Credit Act 1974 (as amended by the Consumer Credit Act 2006)
UK law presents examples at a national level of recent legislation, including consumer credit law and the associated issue of consumer credit records. The Consumer Credit Act 1974 contains a number of provisions to protect consumers from abuse. For example, section 25 of the 1974 Act requires CRAs to be authorised by the Office of Fair Trading and, in cases of untrustworthy business practices and unfair or incorrect conduct, the Office of Fair Trading has the right to revoke such authorisation. The authority given to the Office of Fair Trading to withdraw a CRA's licence is intended to safeguard consumers and ensure that CRAs reveal credit data about individuals only for the prescribed purpose. Section 157 of the Consumer Credit Act 1974 stipulates that the customer has the right to request from the lender the name and address of the CRA which provided the lender with the customer's data. Section 158 of the 1974 Act imposes on the CRAs a duty to provide the customer with a copy of the data provided to the lender, and under section 159 the customer has the right to correct any mistakes or inaccurate data (Alqudah F, 1995, p.54).
The Consumer Credit Act 2006 amended the Consumer Credit Act 1974. The purpose of the Consumer Credit Act 2006 was to safeguard consumers and produce a fairer and more equitable credit market. The financial sector wished the Consumer Credit Act 2006 to address the issue of data exchanges. However, it was decided that this fell outside the ambit of the Act. Consequently, the Act does not cover data exchange and sharing, and the government has given no indication that it intends to legislate further on the CRAs in the near future.(37) In view of this, it is worthwhile to point out that although the Consumer Credit Act 1974 refers in a number of its provisions to CRAs.
Accordingly, the main legislation currently governing the collection, exchange and sharing of electronic data in the UK consists of the Data Protection Act 1998 and the Human Rights Act 1998.
3.2.2 The Data Protection Act 1998
The second issue, whether CRAs fall under the DPA 1998, can be decided by an analysis of the CRA system. In R v Brown 1 All E.R. 545 HL,(38) the court held that data collected and recorded via electronic means falls under the DPA 1998. Nevertheless, according to the Act, collecting and storing electronic data is not processing unless the data are first registered with a 'data controller'.(39) Thus, as long as the customers' data are stored and exchanged by electronic methods within the CRAs, they are considered 'controlled data' and fall under the DPA requirements.(40) If a CRA is regarded as a 'data controller', it will owe a statutory duty to apply and comply with the DPA 1998 in relation to all credit data which it controls, and any defaults would be considered a breach of statutory duty under the Act.(41) Consequently, any contravention of the requirements of the Act on the part of the CRAs which causes damage or losses to the customer entitles the latter to demand compensation.(42) This provides the customer with a kind of protection, although the CRA has the right to attempt to prove that it took all reasonable care and all the necessary steps to protect the customer data.
However, not all customer information recorded electronically is protected under judicial authority by the DPA 1998. In Durant v Financial Services Authority FSR 28, 573 CA,(43) the court held that the meaning of 'personal data' should not be interpreted too widely, and does not necessarily include all information recorded by a computer. However, a personal name is considered personal data protected by the DPA 1998. In Durant v Financial Services Authority,(44) Auld LJ put forward two notions intended to be helpful in defining 'personal data', as follows:
"The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject's involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person's or body's conduct that he may have instigated. In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity."(45)
Data recorded electronically which are significantly biographical, in the sense that they relate to the customer's private personal or family life, business or profession, fall under the protection of the DPA 1998. Such data could also include opinions expressed concerning.(46)
Within the DPA 1998 several obligations are imposed on a data controller to comply with the 'data protection principles'. The controller is required to use personal data fairly and lawfully, and for precisely those purposes for which it was supplied, without alteration; to keep it sufficient, relevant and accurate; and, where necessary, to keep it up to date. Furthermore, suitable measures must be taken against unauthorised or unlawful use of information and against any damage or loss.(47) The CRAs have to satisfy at least the minimum conditions laid down within the DPA 1998. Inter alia, these conditions are: that the exchange must be necessary for the achievement of a particular public purpose, for example the administration of justice; and that the exchange must be necessary for the pursuit of legitimate interests on the part of the data controller or of a third party to whom the data are disclosed.(48)
3.2.3 The Human Rights Act 1998
The European Convention on Human Rights 1950 (ECHR), article 8, is concerned with respect for the individual's private life and its protection. The aim of the article is to protect the individual's privacy and to prevent any violation of that privacy under any circumstances, except where there is a legal provision allowing for such violation. In Niemietz v Germany (1992) 16 EHRR 97,(49) the court held that under article 8 an individual's private life includes certain aspects of an individual's professional or business life, especially where information is protected within a confidential relationship. Article 8, then, places CRAs under a duty of confidentiality, since the protection of information collected and recorded by CRAs concerning an individual customer is an aspect of the right to a private life enshrined in the Article.
Article 8(1) embodies the principle that any contravention of a person's rights is illegal. Article 8(2) establishes the conditions that must be applied by public authorities in order to avoid any misuse of a person's confidential information. The CRAs must apply the conditions laid down in article 8(2), otherwise they would be in breach of their legal duty. Article 8(2) can be expressed as follows: any interference with a person's rights will be illegal unless it is necessary, in a democratic society, in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Given the above exposition, the author's view is that when a CRA breaches its duty of confidentiality it should make clear reference to the statutory provision which justified the breach; otherwise it would be liable for a breach of the duty of confidentiality under the HRA 1998. The aim of this section is to formulate a clear guide to the avoidance of misuse of customer data. This involves applying article 8 to the CRAs' duty of confidentiality in order to protect a customer's data from any interference other than that sanctioned by the law. Finally, given the sophistication of the general law protecting privacy, there is no reason why the CRAs should not be governed by the rules of the HRA 1998.
3.2.4 The Duty of Care and Skill
There is no contractual relationship between the CRA and the customer, and thus there is no contractual liability. In the absence of contractual liability between the CRA and the customer, can liability be assumed according to a duty of care in tort at common law? In Customs and Excise Commissioners v Barclays Bank plc,(50) the Customs and Excise Commissioners obtained freezing orders over all the assets of two companies in an attempt to recover outstanding VAT from them. Barclays were informed of the orders yet later passed payments from the accounts of the companies in breach of those orders. The Commissioners claimed damages in negligence against Barclays. The court held that Barclays owed no duty of care to the Commissioners, but the Court of Appeal, conversely, held that a duty of care in tort was owed for economic loss.(51) The court held that there are three tests for the imposition of a duty of care, viz: the 'assumption of responsibility' test; the 'threefold test'; and the 'incremental' test:(52)
"Three tests have been used in considering whether a duty of care is owed in tort by a defendant for pure economic loss. The first is whether, objectively, the defendant assumed responsibility for his words or conduct vis-a-vis the claimant, or is to be treated as having done so. The second, the threefold test, requires the claimant to show that the loss was reasonably foreseeable, that there was a relationship with the defendant of sufficient proximity and that imposition of a duty would in all the circumstances be fair, just and reasonable. The third is the incremental test. That test, that new categories of negligence should be developed incrementally and by analogy with established categories, is of limited assistance since it does not provide any qualitative criteria by which to measure whether a duty should be held to arise."
Regarding the CRA, the issue is whether the CRA assumed a responsibility to the customers. In principle, no connection exists between the CRA and the customer, and thus it is reasonable not to assume liability in tort. This opinion was held by the Court of Appeal in Keith Smeaton v Equifax Plc:(53)
"It would not be fair, just or reasonable to impose such a duty [duty of care in tort].(54) The judge had erred in concluding that a CRA assumed a responsibility to every member of the public simply by choosing to operate that type of business. Imposing a duty owed to members of the public generally would potentially give rise to an indeterminate liability to an indeterminate class. A co-extensive duty of care in tort would also be otiose, given that the Act provided a detailed code for determining the civil liability of credit reference agencies and other data controllers arising out of the improper processing of data".
Thus, CRAs owe no duty of care in tort. As 'data controllers', CRAs are civilly liable to a customer under the DPA 1998, but such liability arises only where there has been improper processing of data.
This article argues that the disclosure of a customer's confidential information to the CRAs is forbidden unless the bank obtains the customer's express authority for such disclosure. Therefore it would be desirable to have a model, or at least a code of practice, which regulates these points and clarifies with precision the principles and conditions under which the bank can exchange information. The bank should notify its customer about any reference and obtain the customer's consent in writing before taking any action, irrespective of whether the data is negative or positive. Accordingly, the bank would have no right to disclose any confidential data belonging to the customer by relying on the customer's implicit approval. Difficulties may occur, nevertheless, when a customer who enters into a banker-customer contractual agreement fails to understand who will be granted access to the account data and for what purposes. In this regard, a banker-customer contractual agreement, particularly a term involving the disclosure of confidential data, could be subject to evaluation under the Unfair Contract Terms Act 1977 and the Unfair Terms in Consumer Contracts Regulations 1999,(55) because both statutes cover all contractual terms that have not been subject to negotiation.(56) Schedule 2 of the Unfair Contract Terms Act 1977 upholds the banks' right to include in their contracts with customers an express term excluding liability, but only if this term is deemed reasonable. Under these statutes, if the contract includes an 'unfair' term the customer shall not be liable for non-execution of that term (Arora A, 1992, p.293). Since the bank is under a duty to exercise reasonable care and skill, and has passed on its customer's data without the customer's knowledge while acting as the customer's agent, it is reasonable to regard an exclusion of the bank's liability as 'unfair'.
The burden is on the bank to prove that the exclusion of liability is reasonable and fair. Most credit contracts are standard form contracts to which such terms apply, and it is doubtful that the approval term was ever subject to negotiation. Therefore it would be difficult for the customer to establish the claim that the bank has breached its duty of confidentiality by failing to obtain the customer's approval and that the information was disclosed without consent, since the standard contracts include these terms. Nevertheless, schedule 2 of the Unfair Contract Terms Act 1977 might be applicable in determining the fairness of the approval term. The approval term could be subject to the Unfair Contract Terms Act 1977 if the customer has no choice but to agree to the terms when he wants to open a bank account.
A more important problem stems from access authorised by statute to some governmental body without the customer's approval. The existing legal safeguards for confidentiality are insufficient to deal with violations of confidentiality in the EFT context. Further, there is no statutory protection for the EFT customer, and thus the customer is placed in a weak position to defend against obligatory and unlimited access by agencies such as CRAs and fraud prevention and law enforcement agencies.(57) Given the mass of information obtained by banks with so little difficulty, it is important to provide safeguards against the exchange, sharing and disclosure of customer data to CRAs where the exchange, sharing and disclosure occur without customer approval. Therefore, it is important to adopt a clear privacy consent model to preclude any misuse of customer data. Such a model is needed to clarify and protect that private data and to balance a customer's right of confidentiality against the legal authority's interest in data disclosure. The proposal for an approval model in this article is as follows:
First, the model should include the bank's procedures for notifying customers about how it might use their data, regardless of whether it is positive or negative, with the customer's express approval.
- Before customers sign a contract involving an EFT system, the banks must provide them with a privacy notice written in understandable and clear language, explaining the conditions under which the EFT data, whether negative or positive, will be exchanged and disclosed to the CRAs. Such notice must be given annually thereafter.
- That privacy notice should explain how the bank will use and protect customer information.
- The bank should obtain a new consent from the customer if there is any change in the terms and conditions of the privacy notice.
- The bank must use customer data exclusively for the purposes for which it was collected, such as making debit or credit transactions. Further, data processing should take place under significant protection and under internal control or direct supervision.
- The customer shall have the right to refuse to sign the notice and the right to refuse the bank permission to exchange and use his/her data without any effect on the customer-banker relationship. Currently most banks offer online banking to their customers. As a result, registered internet banking customers must accept the bank's terms by ticking a box, which then enables the customer to carry out most banking transactions via the internet, for example making payments, drawing cheques or transferring funds. Internet banking has developed to the point where it promises great advantages to banks and customers. Customers will adopt online banking if they believe the system will bring advantages, such as saving the time of a physical visit to the bank, while protecting their confidential data. Online banking services will not proceed unless the customer ticks the box to accept the bank's terms. That leaves the customer without any right to refuse any of the bank's terms, since the computer will not process the customer's transactions unless the general terms and conditions are accepted by clicking on the particular box. Thus, even with online banking, the customer should have the right to refuse the bank permission to exchange and use his/her data without any effect on the customer-banker relationship.
- In the case of the customer's refusal to give the bank general approval to disclose and exchange his data, the bank should obtain the customer's express approval each time the bank wants to exchange its customer data.
- The bank must clarify to the customer what a CRA is and in whose interest the data are exchanged.
Secondly, there must be an emphasis on the voluntary nature of the disclosure and exchange of the customer's data to the CRAs. Such disclosure must be regulated and must be specific to particular data, with unlimited disclosure being unacceptable. Furthermore, it is essential also to regulate the CRAs and the ways in which they use and protect a customer's private information.
Thirdly, the bank must supply accurate customer data. As to accuracy, the CRAs should exercise reasonable care and skill in verifying the accuracy of data provided by the banks and should state the purpose for which the data were exchanged and disclosed.
The following conclusions can be drawn from the present study: the customer's approval is an essential key to the transmission of confidential credit data, and such approval enables the bank to avoid breaching its duty of confidentiality. One of the more significant findings to emerge from this study is that the examples taken from UK law give rise to concerns about the exchange and sharing of customers' private data without data protection regimes sufficient to resolve customers' concerns over the confidentiality of their data. The second major finding was that the UK examples present problems regarding the exchange and sharing of customer data and its compliance with the data protection legislation which was intended to deal with concerns over confidentiality. The third clear finding was that the customer's right to give or withhold approval would be better protected if it were the subject of legal provision.
The findings of this study suggest that there is a need for a new and comprehensive legal approach to the bank's duty of confidentiality. Such an approach should ensure that the bank's liability for disclosing information is included in the customer contract and should emphasise the need to protect and respect customers' data. Moreover, such an approach should take into account all the exceptions and limitations regarding the disclosure of customer information, and should create a balance between the customer's right to privacy and the interests of the CRAs. It is also necessary to adopt a clear and approved model for the prevention of any misuse of customer data.
In the EFT context it is important to control the quantity and nature of data recorded and stored. Accordingly, the types of data recorded and stored in EFT systems must be limited. In this sense, the privacy model should state exactly to whom and for what purposes confidential data can be disclosed. Any use not specifically condoned would consequently be unlawful disclosure. Access to this data should be restricted to that which is essential for the execution of the EFT transaction. This article concludes that the existing confidentiality laws do not provide the customer with an adequate level of protection and safety for the control of the recording and exchange of data relating to EFT transactions. Thus, the model proposed in this article should assist in providing sufficient protection to the customer. Disclosure of a customer's data should be made to a third party only if it is necessary to the EFT procedure, or for a purpose to which the customer has given express approval. It is recommended that further research be undertaken in the following areas:
- The outlining of a Code of Conduct for CRAs. This would have the aim of introducing a greater degree of responsibility into the domain of consumer credit.
- Problems surrounding the notion of consent. It is important to understand whether implied consent or express consent is required to disclose a customer's data to the CRAs.
- The role of the CRA in contemporary society, and whether it serves the public interest, as a government institution would, or a private interest.
- The CRA in the context of the European Union. This should involve limiting the CRAs' rights to disclose customers' data across Europe.
- The outlining of a new policy for consumer protection. Such a policy should protect the customer from unfair contract terms imposed by the bank.
Alhosani W 'Banking confidentiality versus disclosure', (2012) Durham Law Review 1 http://durhamlawreview.co.uk/articles/25-banking-confidentiality-versus-disclosure.html accessed 07 Dec 2013
Alqudah F, 'Banks' duty of confidentiality in the wake of computerised banking', (1995) 10 Journal of International Banking Law 50.
Arora A, 'Contractual and tortious liability in EFT transactions in the United Kingdom', (1992) 1 Law Computers & Artificial Intelligence 291.
Attorney-General v Times Newspapers Ltd. (No.2)  1 AC 109 HL.
Azzouni A 'Internet Banking and the Law: A Critical Examination of the Legal Controls over Internet Banking in the UK and their Ability to Frame, Regulate and Secure Banking on the Net', (2003) 18 Journal of International Banking Law and Regulation 351.
Barclays Bank: http://www.barclayswealth.co.uk.
Chorley L, Law of Banking (6th ed, London, Sweet & Maxwell 1974).
Cox R and Taylor J, 'Funds Transfers' in Brindle M and Cox R, Law of Bank Payments (4th ed, London, Sweet & Maxwell 2010).
Cranston R, Principles of Banking Law (2nd ed, Oxford University Press 2002).
Customs and Excise Commissioners v Barclays Bank plc  UKHL 28,  1 A.C. 181.
Department of Trade and Industry, Consumer Credit Bill, Full Regulatory Impact Assessment. Online Available at: http://webarchive.nationalarchives.gov.uk/+/http://www.berr.gov.uk/files/file24434.pdf.
Department of Trade and Industry home page http://webarchive.nationalarchives.gov.uk/+/http://www.berr.gov.uk/files/file24434.pdf.
Durant v Financial Services Authority  EWCA Civ 1746,  FSR 28, 573 CA.
Ellinger EP, Lomnicka EVA and Hare CVM, Ellinger's Modern Banking Law (5th ed, Oxford University Press 2011).
Ezsias v Welsh Ministers,  EWHC B15 (QB).
Ferretti F, 'Consumer credit information system: A critical review of the literature too little attention paid by lawyers?', (2007) 23 European Journal of Law and Economics 71.
Ferretti F, The Law and Consumer Credit Information in the European Community (London, Routledge-Cavendish 2008).
Niemietz v Germany (1992) 16 EHRR 97.
Goode R 'The banker's duty of confidentiality', (1989) Journal of Business Law 268.
Goode R, Commercial Law (4th ed, Penguin Books 2009).
Hapgood M, Paget's Law of Banking (11th ed, London, LexisNexis Butterworths 1996).
Hapgood M, Paget's Law of Banking (13th ed, London, LexisNexis Butterworths 2007).
Hedley Byrne & Co. Ltd v Heller & Partners Ltd  AC 465 (HL).
Hooley R 'Bankers' references and the bank's duty of confidentiality: When practice does not make perfect', (2000) 59 Cambridge Law Journal 21.
House of Commons Treasury Committee (2005). http://www.parliament.uk/.
Howells G 'Data protection, confidentiality, unfair contract terms, consumer protection and Credit References Agencies', (1995) 4 Journal of Business Law 343.
Industry Guidance for FSA Banking Conduct of Business Sourcebook, January 2011.
Jack RB, Review Committee on Banking Services: Law and Practice, Report by the Review Committee Vol. XLIX. (1989)
Jackson v Royal Bank of Scotland,  UKHL 3,  1 WLR 377 (HL).
Keith Smeaton v Equifax Plc  EWHC 2322 (QB),  EWCA Civ 108.
Lloyds Bank http://www.lloydsbank.com
R v Brown  AC 543 (HL).
Re ABC Ltd  F.L.R. 159 (Grand Ct of the Cayman Islands).
Regal (Hastings) Ltd v Gulliver,  2 AC 134, Boardman v Phipps  2 AC 46.
Royal Bank of Canada v Compain (1999) 178 Sask R. 257.
Royal Products Ltd v Midland Bank Ltd  2 Lloyd's Report 194.
Sadeghi AR and Schneider M, 'Electronic Payment Systems' in Becker E, Digital Rights Management (V. 2770, Springer-Verlag Berlin Heidelberg 2003).
Sappideen R 'Cross-border electronic funds transfers through large value transfer system, and the persistence of risk', (2003) Journal of Business Law 584.
St. Alban's City and District Council v International Computers Ltd  4 All ER 481 (CA).
Toulson RG and Phipps CM, Confidentiality (2nd ed, London, Sweet & Maxwell 2006).
Tournier v National Provincial and Union Bank of England  1 K.B. 461.
Turner v Royal Bank of Scotland plc  2 All ER (Comm) 664 (CA).
Wadsley J and Penn AG, The Law Relating to Domestic Banking (2nd ed, London, Sweet & Maxwell 2000).
White Paper: Banking Services: Law and Practice (1990, London, Cm 1026).
(1) EFT hereafter.
(2) CRAs hereafter.
(3) Royal Products Ltd v Midland Bank Ltd  2 Lloyd's Report 194, 198.
(4) ibid 209.
(5) ibid 201.
(6) ibid 198.
(7) ibid 209.
(8) Regal (Hastings) Ltd v Gulliver  1 All ER 378; Boardman v Phipps  2 AC 46.
(9) Tournier v National Provincial and Union Bank of England  1 K.B. 461 at 427
(10) Barclays, Barclays Terms: Your Agreement with Us, 2013, s.G http://www.barclayswealth.co.uk/Images/IBIM1000.pdf accessed 22nd January 2013.
(11) Lloyds TSB, Personal Banking terms and conditions, 2012, s.D (14) http://www.lloydstsb.com/media/lloydstsb2004/pdfs/personal_banking_terms_and_conditions.pdf accessed 6th October 2012.
(12) HSBC, General Terms and Conditions, Current Accounts Terms and Conditions, 2012, s.2(34)[34.2] http://www.hsbc.co.uk/1/PA_esf-ca-app- content/content/uk/pdfs/en/General_Current_Accounts_Aprl1.pdf accessed 6th October 2012.
(13) n 9 Bankes LJ 473-474 and Atkin LJ 485.
(14) Attorney-General v Times Newspapers Ltd. (No.2)  1 AC 109 HL 281-282.
(15) n 9 Bankes LJ 473.
(17) Hedley Byrne & Co. Ltd v Heller & Partners Ltd  AC 465 (HL) 503-540.
(18) Jack RB Review Committee on Banking Services: Law and Practice, Vol. XLIX (1989) 48.
(19) Royal Bank of Canada v Compain (1999) 178 Sask R. 257 at .
(20) Turner v Royal Bank of Scotland plc  2 All ER (Comm) CA 664.
(21) ibid .
(22) Jackson v Royal Bank of Scotland  UKHL 3,  1 WLR 377(HL).
(23) n 20 .
(24) Re ABC Ltd  FLR 159 (Grand Ct of the Cayman Islands).
(25) Industry Guidance for FSA Banking Conduct of Business Sourcebook, January 2011, s.5.9.
(26) St. Alban's City and District Council v International Computers Ltd  4 All ER 481 (CA).
(27) There are three main consumer CRAs in the UK; Callcredit, Equifax, and Experian.
(28) Data Protection Act 1998.
(29) Human Rights Act 1998.
(30) Consumer Credit Act 1974 s 145(8) defines a CRA as: 'a person carrying on a business comprising the furnishing of persons with information relevant to the financial standing of individuals, being information collected by the agency for that purpose'.
(31) Consumer Credit Act 1974; The Consumer Credit (Disclosure of Information) Regulations 2010 (2010 No. 1013); Consumer Credit Regulations 2010 (2010 No. 1010), which implemented the EU Consumer Credit Directive 2008 (2008/48/EC).
(32) The Lending Code 2012, s.3.
(33) ibid .
(34) ibid .
(35) ibid .
(36) For example, see HSBC, General Terms and Conditions, Current Accounts Terms and Conditions, 2012, s.; Barclays, Barclays Terms: Your Agreement with Us 2013, s.G; Lloyds TSB, Personal Banking terms and conditions, October 2012, D.
(37) Department of Trade and Industry, Consumer Credit Bill, Full Regulatory Impact Assessment. Online Available at: http://webarchive.nationalarchives.gov.uk/+/http://www.berr.gov.uk/files/file24434.pdf accessed 30th September 2012.
(38) R v Brown  AC 543 (HL) 555.
(39) The Data Protection Act 1998, s 17(1): Sch.1, Part 1(1) defines a data controller as "a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed", and defines a 'data processor', in relation to personal data, as "any person (other than an employee of the data controller) who processes the data on behalf of the data controller".
(40) Keith Smeaton v Equifax Plc  EWHC 2322 (QB)  Anthony Thornton QC; Data Protection Act 1998, s.9.
(43) Durant v Financial Services Authority  FSR 28, 573 CA Auld LJ 586-587.
(46) Ezsias v Welsh Ministers  All ER (D), at [59-66].
(47) Data Protection Act 1998, sch.1(4).
(48) ibid sch.2.
(49) Niemietz v Germany (1992) 16 EHRR 97.
(50) Customs and Excise Commissioners v Barclays Bank plc  UKHL 28,  1 A.C. 181.
(51) ibid 184.
(53) Keith Smeaton v Equifax Plc  EWCA Civ 108.
(54) Words in square brackets added.
(55) (SI 1999/2083).
(56) Unfair Terms in Consumer Contracts Regulations 1999, reg.3(1).
(57) HSBC, General Terms and Conditions, Current Accounts Terms and Conditions, 2012, s.2(34) [34.5.2].