The information watchdog is questioning Lloyds Banking Group over a potential breach of privacy rules after it accessed data from 30,000 staff bank accounts during union pay talks last year.
Lloyds – which owns the Halifax and Bank of Scotland brands – used aggregated salary, spending and savings data as part of a presentation to staff union representatives, which suggested that its lowest-paid staff had been in a better financial position than the wider population in recent years.
The banking group’s 65,000 staff are strongly urged to hold their personal account with Lloyds, meaning the lender could access financial information without permission.
The Information Commissioner’s Office (ICO) has now confirmed it is making “inquiries” with Lloyds over whether it may have breached data privacy rules as a result.
Initial signs of wrongdoing could prompt the ICO to launch a full investigation, with the watchdog ultimately having the power to fine the banking group up to 4% of its annual turnover if it is found guilty of breaching UK rules. That could result in a bill of up to £1.36bn for Lloyds, based on its earnings for 2024.
An ICO spokesperson said: “We are aware of this incident and are making inquiries with Lloyds Banking Group.”
Lloyds, which had been locked in pay negotiations with staff unions, ultimately agreed on a £1,200 pay rise for its lowest-paid staff for each of 2026 and 2027, representing a 7%-9% increase over the two years. That pay agreement was backed by union members.
Accord, one of Lloyds’ staff unions, said Lloyds had assured it that the information was fully aggregated, and that no individual information was reviewed by negotiators.
“Understandably, given the confusion and concern, the ICO is looking into what Lloyds Banking Group (LBG) did and whether it broke any data laws,” Accord said.
“We believe this is absolutely right. We need an independent assessment to review what took place and if anything untoward was found to have been done, to ensure it never happens again.”
The ICO carries a number of powers to punish data breaches, including formal reprimands, mandatory audits of data handling, and fines that can be worth up to 4% of a company’s annual turnover. Lloyds reported total income of £34bn for 2024, meaning that if the ICO found it to be in breach of UK data laws, it could end up facing a maximum fine of about £1.36bn.
Accord said it reserved the right to sue the banking group if the ICO found it had breached data rules. “If the ICO finds that LBG breached data privacy rules, Accord will not hesitate to escalate the matter legally,” the union said in a member newsletter. “We will hold the employer fully to account as Accord will always put members’ interests first.
“Even if the ICO finds that no data privacy rules were breached, LBG needs to learn lessons. Critically, LBG needs to ensure this kind of situation (and the confusion and concern it has caused) is not repeated. Members deserve certainty and respect – and we intend to secure both.”
Lloyds said the banking group was “committed to fair and progressive pay that provides certainty and support for all colleagues, and in this case more junior colleagues”.
A spokesperson said: “We have worked hard with our unions, using aggregated data and direct colleague input and we are pleased that members of our recognised unions have voted to support our competitive multiyear pay proposal for 2026 and 2027 by a significant majority.”
