Barclays was flagged as a "concern" by the Information Commissioner's Office (ICO) over data breaches more times than any other UK lender last year, files seen by ComputerworldUK reveal.
The bank, which says it takes data protection "extremely seriously", was highlighted as an organisation of concern to the ICO 21 times in 2013, according to files disclosed under the Freedom of Information (FOI) Act. Barclays was deemed to have been unlikely to have complied with the Data Protection Act (DPA) on each instance - forcing the ICO to take remedial action.
The Information Commissioner's Office (ICO) is the UK's independent body set up to uphold information rights. It will intervene where the DPA has been breached, flagging a firm as a "concern" following a complaint from an individual.
Following an investigation into a "concern", the ICO can serve enforcement notices, issue fines of up to £500,000, and prosecute firms or individuals for serious data breaches.
Public sector and private companies are obliged to report a data breach although it is voluntary. Firms that admit a serious breach have been anonymised by the ICO so as not to deter self-reporting in the future.
Other lenders who incurred repeat security breaches in 2013 included Santander - which was found unlikely to have complied with the act 15 times.
The ICO was made aware of 199 separate concerns within the lender sector throughout the year. Lloyds TSB, which then split into Lloyds Banking, featured on the offenders' "concern" list, as well as NatWest, Royal Bank of Scotland, HBOS, Aviva, Nationwide Building Society and Yorkshire Building Society.
Additionally, some 36 further financial services firms self-reported serious data breaches and were issued enforcement orders from the ICO, but were granted anonymity.
A Barclays spokesperson said: "Barclays takes our responsibility to protect our customers extremely seriously. We take every practical measure to prioritise the safety and security of our personal and financial data."
When asked for more details on the breaches within Santander, the bank responded: "Without knowing what breaches you are referring to, we can't comment on specifics, but we know from the cases that have been reported to the ICO, in almost all, the issue was as a result of human error, and for each we have taken the necessary steps to address the problem and any complaints raised."
Central government departments were also listed as "concerns". The Department for Work and Pensions (DWP), for example, was deemed "unlikely" to have complied with data protection law on 20 separate occasions.
Further, the ICO found HMRC was also likely to have breached the act on 15 occasions, the Home Office five times, the Ministry of Defence (MoD) three times and the Ministry of Justice (MoJ) six times.