The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Fax remains a common means of transmitting personal data from one location to another in particular industries. Due to the limitations of the technology, it is not generally possible for a data controller to overlay additional encryption measures.

Although faxes are not immune from interception whilst in transit, the Privacy and Electronic Communications Regulations require the provider of a public communications network to assure the security and confidentiality of the service.

As it is not possible to implement encryption of the message, it is essential to ensure that faxes are sent to the correct recipient or to consider whether another means of communication may be more appropriate.

Fax machines in public areas also present a risk that received faxes are not collected and any personal data they contain can be read by any passing individual.

As a result, a number of organisations have moved fax machines into ‘safe havens’: secure physical locations with an agreed set of organisational measures surrounding their usage.


A civil monetary penalty of £75,000 was served on Bank of Scotland plc for repeatedly faxing customers’ account details to the incorrect recipients. The information included payslips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details.

The data controller failed to implement additional technical and organisational measures, having been previously informed that faxes were being misdirected.