The Data Protection Registrar, who keeps an eagle eye on the use of personal data, is concerned that the regulations are too lax and are being undermined.
The Code of Banking Practice, which has been in force since last year, says that banks, building societies and card issuers cannot disclose details of their customers or their accounts to any third party, including other companies in the same group, unless the customer requests or consents to it.
The code also says that the institutions are not to pass customers' names and addresses to other companies in the same group unless the customer expressly consents.
The first alarming gap in the code is that it does not apply to finance houses.
John Lamidey, an assistant registrar at the Data Protection Office, says: 'It is a great anomaly.
'If you borrow money from a finance house to buy a car your details could go to all and sundry. We believe finance houses should be bound by exactly the same rules.'
The rules in their present form definitely leave something to be desired.
I have an account with the Northern Rock Building Society. Recently I received a mailing from Northern Rock Financial Services Ltd extolling the virtues of 'an outstanding investment opportunity' - an insurance bond which was not a Northern Rock product.
I declined the kind invitation to invest, but was quizzical as to how they had got my name and address.
A spokesman for Northern Rock said: 'Northern Rock Financial Services is an independent intermediary.
'It is a wholly-owned subsidiary of the Northern Rock Building Society and a separate company.'
Apparently when I opened my building society account I consented to the passing of information to subsidiary companies. But I could not remember ticking a box to that effect.
In fact there is no box on the application form to give your positive consent. What there is, in small print, is a clause saying that you agree that the information held by the society on its computer records may be made available to other organisations within the Northern Rock Group.
I could write to the society asking them not to pass the details around.
Needless to say I didn't spot the notice, so I did not write. I have no grouse against Northern Rock - in fact they manage my postal building society account beautifully.
It is the rules that need changing as the majority of banks and building societies act in a similar fashion when it comes to personal information.
Mr Lamidey says: 'By putting in these clauses, what the banks and building societies are saying is that you waive your right to confidentiality.
'They are banking on the fact that very few people notice them.
'In our view consent is saying 'Yes', not failing to say 'No'. You only have to look at the current debate on date rape for an analogy.
'Why don't the banks and building societies ask outright on the forms whether you actually consent instead of these circuitous clauses? The reason is they are terrified you will say 'No.' '
The banks and building societies commonly use 'host mailing' to circumvent the code. They mail selections of individuals on their own databases with offers of goods or services from other companies in their groups.
Mr Lamidey cites an example. A bank mails a financial service offer on behalf of another company in the group. It does so only to those customers with a deposit balance of at least £5,000.
The other company will know that any customer responding to it has such a balance. The information will in effect have been passed from the bank to the other company without its customer's knowledge, let alone consent.
David Wolfson, a barrister specialising in banking law, says: 'In my opinion the bank cannot say that the customer consented to disclosing his account details.
'For consent to be valid it must be both freely made and in the full knowledge of all the circumstances. The bank would have to warn the customer that by his reply he would be disclosing that he had an account of £5,000 or more.'
In the current code the emphasis has been placed on the disclosure of information. Mr Lamidey says the vast majority of financial institutions use host mailing to enable their subsidiaries to market products to customers without their details actually being disclosed.
'In our view a bank's duty not to disclose can be circumvented by the use of host mailing,' he adds. 'The rules need to be changed.
'A bank can use and disclose the data if the customer positively says they can. If they don't, the bank should not do it.'
A review committee has been set up to monitor the operation of the code. However, according to a spokesman for the British Bankers' Association, the report will not be published for some months yet.