The new standard, with GDPR in mind, is to isolate all information from each other, allocate each an identifier, and only store collections of identifiers, and then use systems of record to resolve bringing the information together at the time when you need to (whilst auditing access to each system of record, alerting on abnormal access patterns, etc.).
GDPR is pretty interesting; read about it here: https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-8-pseudonymization/
There are several things here:
Who publishes information matters. You can publish your own sensitive data, you cannot publish someone else's.
Sensitive data is different from personally identifiable data. Bank account information may be sensitive as a set of facts (this sort-code, that account number) but is only personally identifiable when associated with a name or address. Only the latter is the domain of the ICO.
Further on #2, addresses are not secret and do not need to be protected. Names are not secret and do not need to be protected. Associating a name to an address is now personally identifiable and needs to be protected.
This was written quickly and is a guide only, but there are subtleties in data protection and PCI stuff.
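The pattern described in the post (isolated stores, opaque identifiers, a directory that holds only identifiers, resolution through systems of record with an audit trail and an alert on abnormal access) as an added example. This is illustrative code written for this page, not the commenter's or any product's implementation; the class names (`AuditLog`, `SystemOfRecord`, `Directory`), the 5-lookups-per-minute threshold and the sample subject data are all assumptions made for the example.

```python
"""Pseudonymization with per-attribute systems of record, an audit trail and
a simple abnormal-access alert. Added example; names here are assumptions,
not any real library's API."""
import secrets
import time
from collections import defaultdict, deque


class AuditLog:
    """Append-only access log plus a sliding-window rate check per actor."""

    def __init__(self, window_seconds=60, max_lookups=5, clock=time.time):
        self.entries = []                  # (timestamp, actor, store, token)
        self.alerts = []                   # (timestamp, actor, lookups_in_window)
        self._window = window_seconds
        self._max = max_lookups            # assumed threshold for "abnormal"
        self._clock = clock                # injectable for deterministic tests
        self._recent = defaultdict(deque)  # actor -> timestamps inside window

    def record(self, actor, store, token):
        now = self._clock()
        self.entries.append((now, actor, store, token))
        recent = self._recent[actor]
        recent.append(now)
        while recent and now - recent[0] > self._window:
            recent.popleft()
        # More resolutions than expected in the window: raise an alert, don't block.
        if len(recent) > self._max:
            self.alerts.append((now, actor, len(recent)))


class SystemOfRecord:
    """One isolated store for a single attribute class (names, addresses, ...).
    Rows are keyed by a random token that carries no information on its own."""

    def __init__(self, name, audit):
        self.name = name
        self._audit = audit
        self._rows = {}

    def put(self, value):
        token = secrets.token_hex(16)      # 128-bit random, unguessable
        self._rows[token] = value
        return token

    def get(self, token, actor):
        self._audit.record(actor, self.name, token)   # every resolution is logged
        return self._rows[token]


class Directory:
    """Holds only collections of tokens. On its own it links nothing to anyone."""

    def __init__(self, stores):
        self._stores = {s.name: s for s in stores}
        self._subjects = {}

    def add_subject(self, subject_id, **attributes):
        self._subjects[subject_id] = {
            store: self._stores[store].put(value) for store, value in attributes.items()
        }

    def tokens(self, subject_id):
        return dict(self._subjects[subject_id])

    def resolve(self, subject_id, actor, fields):
        """Bring attributes back together, only for the fields actually requested."""
        toks = self._subjects[subject_id]
        return {f: self._stores[f].get(toks[f], actor) for f in fields}


def build(clock=time.time):
    """Wire up three isolated stores plus one directory with constructed sample data."""
    audit = AuditLog(window_seconds=60, max_lookups=5, clock=clock)
    stores = [SystemOfRecord(n, audit) for n in ("name", "address", "bank")]
    directory = Directory(stores)
    # Constructed sample data for the example, not a real person.
    directory.add_subject("s1", name="A. Example", address="1 Sample St",
                          bank="12-34-56 / 00000000")
    return directory, audit


if __name__ == "__main__":
    directory, audit = build()
    print(directory.tokens("s1"))                                 # opaque tokens only
    print(directory.resolve("s1", "billing-svc", ["name", "bank"]))
    print(len(audit.entries), "audited lookups,", len(audit.alerts), "alerts")
```

The point of the split is that a breach of any one store yields facts without a subject (a list of addresses, a list of sort codes), and a breach of the directory yields only random tokens; linking requires going through `resolve`, which is exactly where the audit entry and the rate alert live.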