Employee data isn’t always fair game: what employers should learn from the Lloyds Bank backlash
In 2025, Lloyds Banking Group collected, analysed, and aggregated anonymised data from the personal Lloyds accounts of 30,000 employees, with a view to using it in pay talks. Since the matter came to light, Lloyds has not denied these actions, but has maintained that the data was used in compliance with data protection law.
Certainly, two unions did not find fault with the process and approved pay deals. However, a third suggested raising the matter with the Information Commissioner’s Office (ICO), as it believed Lloyds did not act reasonably, and went on to state that the bank ‘had no legitimate reason accessing staff accounts without permission’.
The outcome of the matter is likely to turn on whether the data was collected appropriately in the first place, and, if it was, whether it was anonymised or, in fact, pseudonymised data.
UK GDPR
The UK GDPR requires Lloyds, when collecting personal data, to have had a lawful basis for doing so. The Financial Times raises the point that employees sign up for accounts as a condition of employment and, in addition, were actively encouraged to bank with Lloyds, which raises the question of whether the employees’ consent was freely obtained. The grounds for initial data collection for account set-up purposes would typically be consent but, given the ‘encouragement’, that may not have been freely provided in the first place.
The UK GDPR also requires data controllers to communicate at the time of collection the purposes for which personal data is collected. As per the ICO, ‘Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.’
Whether one of the purposes communicated at the point of account set-up was the use of payment transaction data for the purposes of collective bargaining is a moot point. Where workers bank with their employer, expectations that account data might be analysed for industrial relations purposes are not obvious and, given that, one would hope that any privacy notice included very clear terms that such personal data might be used in this way. Even then, given that pay negotiations have a direct personal impact on employees’ finances, it can be seen why employees or their union might have felt the need to push back against the data use in this instance.
Anonymisation
Commentary has focused on whether ‘anonymised, aggregated customer data’ was truly anonymised before any identifiable access occurred. The BBC reports that Lloyds said it used anonymised, aggregated bank account data to assess savings, spending, and resilience levels during pay negotiations. Publicly available information does not describe the specific, technical anonymisation methods used by Lloyds. Certainly the data was collected from the employees’ personal accounts – a prerequisite for anonymisation is that names, account numbers and any other identifiers will first have been stripped out.
Lloyds maintains that this was the case, ie analysis was based on group level statistics without exposing individual records. However, a further step is needed – in stripping out personal identifiers from the accounts, Lloyds would have needed to ensure that it had put the ability to re-identify the data out of its reach, for example, by engaging a third party to de-personalise the data.
If the de-identification was an in-house job, Lloyds would need to have irreversibly destroyed the link between the aggregated dataset and the individual accounts. If not, it is likely that the data has only been pseudonymised, and therefore remains subject to the UK GDPR and its protections. Lloyds would also certainly have been expected to undertake a data protection impact assessment before undertaking the aggregation exercise to understand the risks of the exercise and take steps to mitigate those risks.
If the data was, in fact, successfully aggregated and anonymised, there may still be concerns regarding its use. In particular, if the bank cannot reverse engineer the datasets from which its conclusions were drawn or trace its findings back to identifiable data subjects, it becomes difficult to evidence how that data supports its assertion that employees were less affected by the cost-of-living crisis than the general population. Such uncertainty in the data could, as a result, lead to questions which may undermine the pay negotiations, especially if it is suspected that anonymisation has obscured whether particular groups of employees (including but not limited to active union members) were disproportionately affected.
Pseudonymisation
If the data is pseudonymised data and subject to the UK GDPR (and assuming consent does not work as an appropriate basis for processing), the next question is whether Lloyds could rely on its legitimate interests to interrogate the employees’ payment transaction data for insights.
If legitimate interest is the underlying basis for the processing, Lloyds would have had to carry out a balance of interests assessment, balancing its legitimate interests against the interests, rights and freedoms of the employees concerned. Recital 47 of the UK GDPR indicates a legitimate interest can exist where there is a ‘relevant and appropriate relationship’ between a data processor and an individual – for example, an employer and employee.
As per the ICO, ‘the nature of your relationship means the processing is less likely to be unexpected or unwanted, so the balancing test is likely to be easier. In some instances it may be that your interests and those of the individual are actually aligned or intertwined […]. However this does not mean that when there’s an appropriate relationship there’s automatically a mutual legitimate interest’. Given the ICO’s guidance, it is unlikely the balance of interests assessment would fall in Lloyds’ favour.
Financial sector regulatory – Consumer Duty
The FCA Principles for Businesses, and particularly principle 12 (Consumer Duty), set out that a firm must act to deliver good outcomes for customers. The Lloyds employees in question were all Lloyds customers, and therefore the Consumer Duty enshrined in principle 12 applies to their treatment.
In practice, the FCA’s Consumer Duty and UK data protection laws reinforce one another, with the former demanding good outcomes for consumers, and the latter safeguarding those outcomes through strict requirements on fairness, transparency, and data rights.
Conclusion
Any employer using the personal data of its employees may find itself in hot water if it cannot identify a lawful basis for the processing. It is crucial not only to pinpoint the provisions relied on, but also to ensure that the purpose of the processing is sound.
Penningtons Manches Cooper’s data protection and employment lawyers have significant experience in guiding employers through this complex area of law. This is combined with our banking team’s in-depth knowledge of the regulations that apply to financial sector institutions.
This article was co-written by Elizabeth Ahmad, trainee solicitor in the employment team.

