The Information Commissioner’s Office (ICO) fined the firm after the incidents which saw payslips, bank statements, account details and mortgage applications, all with customer names and address, sent to wrong numbers.
In total, 21 documents were sent to a third party organisation by mistake, while a further 10 misdirected faxes were sent to a member of the public. Both of the wrong numbers had one digit different from the intended recipient, which was a department within the bank that handled document uploading to internal systems.
The first incident was reported to the bank as far back as 2009. Despite this warning, the problems persisted and eventually the third party receiving the wrong faxes told the ICO, which began an investigation.
The outcome of the case was cited by head of enforcement at the ICO, Stephen Eckersley, as yet another example of shoddy data practices that are causing organisations to be hit by needless fines.
“To send a person’s financial records to the wrong fax number once is careless. To do so continually over a three-year period, despite being aware of the problem, is unforgiveable and in clear breach of the Data Protection Act,” Eckersley said.
“Let us not forget that this information would have been all a criminal would ever need to carry out identity fraud. Today’s penalty reflects the seriousness of this case."
A spokesperson for Lloyds Banking Group, the parent company of Bank of Scotland, acknowledged the errors and said the firm was reviewing its processes as a result.
"We apologise that, due to human error, a very small number of documents relating to 32 customers were unfortunately misdirected. This occurred over a period in which several million customer documents, using the same process, were correctly received," the firm said.
"No customer suffered any harm or detriment as a result of this error. We are continually reviewing our processes to ensure our customers' information remains safe."
The case is not the first time the ICO has issued fines for fax blunders. Earlier this year, NHS Trust Staffordshire was fined £55,000 when sensitive medical details were sent to a member of the public via fax when a staff member entered the wrong number.