Co-Operative Bank Letter
1. Court Guinness
W: https://courtg9000.wordpress.com
Page 1 of 5
Mr Nick Slape
Chief Executive Officer
The Co-Operative Bank
1 Balloon Street,
Manchester,
M60 4EP.
23/02/2023
Dear Mr Slape,
OPEN LETTER FOR GENERAL PUBLICATION
My Refs: XXXXXXXXXXXXXXXX
I write following an issue earlier today in which one of your learned colleagues was playing fast
and loose with my personal information in a manner befitting a banking scam and another of your
colleagues and apparently their line manager simply could not care less about the situation. Your
CRM should have detailed notes and if they do not match reality I will be taking further action.
Before I detail these events I will put on record my dissatisfaction that The Co-operative Bank
appear to be heading back to the days of The Reverend Paul Flowers, Crystal Meth and rent
boys. Wholly unacceptable. More recently today I received an email from you asking me to donate
via yourselves to a Turkey earthquake appeal. You should spend time making sure your own
house is in good order first before asking your customers to donate to something. As a customer
who stood by the Co-Operative bank during the Reverend Flowers debacle today’s activities by
your bank are not just an insult but a slap in the face too.
At the end of this letter is a Subject Access Request Notice. This letter serves as formal notice in
the Data Protection Regulations and the Subject Access Request Notice is to be actioned in
compliance with the relevant acts of law.
Let us start at the beginning.
This morning at 11:27 I received a call from “Bazzer” allegedly on the telephone number 0116
253 2892. “Bazzer” was offering me a free account upgrade. He was over friendly, under
professional and did not seek to correctly identify me or engage in any Know Your Customer
activity. He wanted to upgrade my account over the telephone which I believe is actually
impossible.
Smelling a rat I ended the call and “Bazzer” was rather dejected at this from the sounds of things.
I then telephoned your central number, one that I trust and have used on a number of occasions.
0345 7212212.
I spoke to a lady with a “Scottish” accent but could not get her name correctly. I felt she was
equally unprofessional and seemed to lack a basic savoir-faire with basic banking procedures
and the banking code. She informed me that the call was being “oversighted” and could offer no
explanation as to what that was. She put me on hold to speak to her manager on a number of
occasions but could not evidence that conversation in reality. A very poor show. What is equally,
if not more, concerning is that I could overhear her colleagues discussing fellow customers in
great depth. She seemed to think that it was okay that I could have in effect been scammed by
one of her colleagues. Very Laissez-faire and not what I expect from my bankers. Her line
manager apparently refused to be spoken to. I do not believe that she asked the question of her
line manager.
I asked for details of your Senior GDPR officer and yourself. She did not know your name or the
name of your GDPR representative. It is a very poor show that someone does not know the name
of their Chief Executive Officer. That goes for any member of staff in any organisation. She said
that “Bazzer” would be given advice! Bloody Hell! Is advice the best you can do? Do you not
have proper control over your staff? Or can they do what they like, when they like? Are we actually still
dealing with a culture of Crystal Meth and rent boys at the bank? Certainly your representative
was not what I could call thorough, knowledgeable or professional but at least she did go through
security which I suppose is a small blessing.
It would appear that someone was representing The Co-Operative Bank and had access to the
systems and apparently “Bazzer” left a note on the CRM.
As someone who spent 17 years in IT and a fair bit of it around banks and banking processes I
am more than flabbergasted by your organisation's behaviour today and this, as you will imagine,
has left me considering your competitors. I further spent more time in financial services and I
know the rules.
Clearly here are three members of staff that you need to take strong action with as a matter of
some urgency. If they were working for me they would have been dismissed within minutes and
trust me when I say they would have trouble getting employment elsewhere.
It is clearly “not on” and I require you to ensure my personal information is kept and utilised in a
more secure fashion than it has clearly been up until now. This is a shocking state of affairs.
You need to take personal action on this one. You say on your website: “We’re the bank you
can hold to account. We’re The Co-operative Bank.” Today I am holding you to account on
this matter and it needs to be resolved swiftly. Time is of the essence. I require this issue to
be resolved to my satisfaction by yourself only. There is no passing the buck and I will only
communicate with you, in writing only and will not discuss this with any other member of The
Co-Operative Bank team whatsoever.
In view of the seriousness of the matter this letter is being publicly published at my website
https://courtg9000.wordpress.com minus very personal information.
Subject Access Request Notice Part
I am making this request for access to personal data pursuant to Article 15 of the General
Data Protection Regulation. I am concerned that your company’s information practices may
be putting my personal information at undue risk of exposure or in fact has breached its
obligation to safeguard my personal information.
I would like you to be aware at the outset, that I anticipate the reply to my request within one
month as required under Article 12, failing which I will be forwarding my inquiry with a letter
of complaint to the appropriate data protection authority.
Please advise as to the following:
1. Please confirm to me whether or not my personal data is being processed. If it is, please
provide me with the categories of personal data you have about me in your files and
databases.
a. In particular, please tell me what you know about me in your information systems,
whether or not contained in databases, and including e-mail, documents on your
networks, or voice or other media that you may store.
b. Additionally, please advise me in which countries my personal data is stored, or
accessible from. In case you make use of cloud services to store or process my data,
please include the countries in which the servers are located where my data are or
were (in the past 12 months) stored.
c. Please provide me with a copy of, or access to, my personal data that you have or
are processing.
2. Please provide me with a detailed accounting of the specific uses that you have made, are
making, or will be making of my personal data.
3. Please provide a list of all third parties with whom you have (or may have) shared my
personal data.
a. If you cannot identify with certainty the specific third parties to whom you have
disclosed my personal data, please provide a list of third parties to whom you may
have disclosed my personal data.
b. Please also identify which jurisdictions that you have identified in 1(b) above that
these third parties with whom you have or may have shared my personal data, from
which these third parties have stored or can access my personal data. Please also
provide insight in the legal grounds for transferring my personal data to these
jurisdictions. Where you have done so, or are doing so, on the basis of appropriate
safeguards, please provide a copy.
c. Additionally, I would like to know what safeguards have been put in place in
relation to these third parties that you have identified in relation to the transfer of my
personal data.
4. Please advise how long you store my personal data, and if retention is based upon the
category of personal data, please identify how long each category is retained.
5. If you are additionally collecting personal data about me from any source other than me,
please provide me with all information about their source, as referred to in Article 14 of the
GDPR.
6. If you are making automated decisions about me, including profiling, whether or not on the
basis of Article 22 of the GDPR, please provide me with information concerning the basis for
the logic in making such automated decisions, and the significance and consequences of
such processing.
7. I would like to know whether or not my personal data has been disclosed inadvertently by
your company in the past, or as a result of a security or privacy breach.
a. If so, please advise as to the following details of each and any such breach:
i. a general description of what occurred;
ii. the date and time of the breach (or the best possible estimate);
iii. the date and time the breach was discovered;
iv. the source of the breach (either your own organisation, or a third party to
whom you have transferred my personal data);
v. details of my personal data that was disclosed;
vi. your company’s assessment of the risk of harm to myself, as a result of the
breach;
vii. a description of the measures taken or that will be taken to prevent further
unauthorised access to my personal data;
viii. contact information so that I can obtain more information and assistance
in relation to such a breach, and
ix. information and advice on what I can do to protect myself against any
harms, including identity theft and fraud.
b. If you are not able to state with any certainty whether such an exposure has taken
place, through the use of appropriate technologies, please advise what mitigating
steps you have taken, such as
i. Encryption of my personal data;
ii. Data minimisation strategies; or,
iii. Anonymisation or pseudonymising;
iv. Any other means
8. I would like to know your information policies and standards that you follow in relation to
the safeguarding of my personal data, such as whether you adhere to ISO27001 for
information security, and more particularly, your practices in relation to the following:
a. Please inform me whether you have backed up my personal data to tape, disk, or
other media, and where it is stored and how it is secured, including what steps you
have taken to protect my personal data from loss or theft, and whether this includes
encryption.
b. Please also advise whether you have in place any technology which allows you
with reasonable certainty to know whether or not my personal data has been
disclosed, including but not limited to the following:
i. Intrusion detection systems;
ii. Firewall technologies;
iii. Access and identity management technologies;
iv. Database audit and/or security tools; or,
v. Behavioural analysis tools, log analysis tools, or audit tools;
9. Regarding employees and contractors, please advise as to the following:
a. What technologies or business procedures do you have to ensure that individuals
within your organisation will be monitored to ensure that they do not deliberately or
inadvertently disclose personal data outside your company, through e-mail, web-mail,
or instant messaging, or otherwise.
b. Have you had any circumstances in which employees or contractors have
been dismissed, and/or been charged under criminal laws for accessing my personal
data inappropriately, or if you are unable to determine this, of any customers, in the
past twelve months.
c. Please advise as to what training and awareness measures you have taken to
ensure that employees and contractors are accessing and processing my personal
data in conformity with the General Data Protection Regulation.
Yours Sincerely
Mr C.Guinness