From BAs reply “Do set a schedule to change your password at regular intervals.” this hasn’t been industry best practice for over 5 years now and I don’t know why companies keep insisting on it.

Hope ICO take the OPs complaint seriously, after BA’s recent fine they ought to be hauled over the coals for their response here.