Out-Law News

Prudential fined £50,000 after inaccurate personal data records lead to mistaken customer funds transfer


Financial services firm Prudential has been hit with a £50,000 fine by the UK's data protection watchdog after funds belonging to one customer were mistakenly transferred out of their account by another customer who shared the same first name, surname and date of birth.

The Information Commissioner's Office (ICO) said that the accounts of the two individuals were merged as a result of Prudential's failure to keep accurate records of the two customers' addresses.

It is the first time that the ICO has issued a civil monetary penalty notice (12-page / 1.1MB PDF) to an organisation over an issue that has not been related to a "significant data loss" occurrence.

The problem, which existed for approximately three and a half years, meant that each of the two individuals was sent "financial information" about the other, and that "tens of thousands of pounds" from the retirement pot of one of the affected individuals was "transferred in error to another investment company" by the other person, the watchdog said. These incidents occurred despite both customers notifying Prudential of their correct addresses during that period, the ICO said.

"The case would be considered farcical were it not for the serious sums of money involved," head of enforcement at the ICO, Stephen Eckersley, said in a statement.

The ICO said that Prudential had been guilty of a serious breach of the Data Protection Act (DPA). The Act requires that organisations must ensure that personal data they store is "accurate and, where necessary, kept up to date".

The watchdog said that the accounts had been merged since March 2007, after a financial adviser dealing with Prudential on a policy for one of the affected individuals gave that individual's address as being the one belonging to the second, same-named customer. The problem persisted until September 2010, when the accounts were "de-merged".
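The failure described above is a record-matching problem: two distinct policy-holders shared first name, surname and date of birth, and an address supplied by a third party was applied on the strength of those attributes alone, collapsing the two customers into one. The example below is added here and is not code from the article or from Prudential's systems; the policy numbers, names, dates and addresses are constructed, and the `policy_number` field is assumed as the stable identifier a system of this kind would carry. It contrasts a naive update keyed on name and date of birth with a safer one that requires the stable identifier, treats name and date of birth only as corroboration, and routes a would-be collision to manual review instead of merging.

```python
"""Constructed illustration of weak-key record matching versus keyed updates.

Not Prudential's code; all sample data is invented for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class Customer:
    policy_number: str  # assumed stable per-policy identifier (hypothetical)
    first_name: str
    surname: str
    dob: date
    address: str


def weak_key(c: Customer) -> tuple:
    """Name plus date of birth: the attributes the two real customers shared."""
    return (c.first_name.casefold(), c.surname.casefold(), c.dob)


# Constructed sample data: two distinct policy-holders who collide on weak_key.
CUSTOMERS = [
    Customer("POL-0001", "John", "Smith", date(1950, 5, 1), "1 High Street, Town A"),
    Customer("POL-0002", "John", "Smith", date(1950, 5, 1), "99 Park Lane, Town B"),
    Customer("POL-0003", "Jane", "Doe", date(1961, 2, 3), "7 Mill Road, Town C"),
]


def naive_apply_address_update(customers, first, surname, dob, new_address):
    """The failure mode: apply the update to every record matching name + DOB.

    With the sample data both John Smiths end up at the same address, so the
    two policies can no longer be told apart by address.
    """
    key = (first.casefold(), surname.casefold(), dob)
    return [replace(c, address=new_address) if weak_key(c) == key else c
            for c in customers]


def find_collisions(customers):
    """Report weak keys shared by more than one policy: a standing risk to watch."""
    groups = defaultdict(list)
    for c in customers:
        groups[weak_key(c)].append(c.policy_number)
    return {k: v for k, v in groups.items() if len(v) > 1}


@dataclass(frozen=True)
class UpdateResult:
    status: str      # "applied", "rejected" or "needs_review"
    customers: list  # the record set after the operation (unchanged unless applied)
    reason: str


def safe_apply_address_update(customers, policy_number, first, surname, dob, new_address):
    """Key the update on the policy number; name + DOB only corroborate it.

    Refuse if the stable identifier is unknown or the corroborating fields do
    not match, and send the change to review if it would leave two same-named,
    same-DOB policy-holders at one address.
    """
    matches = [c for c in customers if c.policy_number == policy_number]
    if len(matches) != 1:
        return UpdateResult("rejected", customers, "unknown policy number")
    target = matches[0]
    if weak_key(target) != (first.casefold(), surname.casefold(), dob):
        return UpdateResult("rejected", customers,
                            "name/DOB do not corroborate policy number")
    clash = [c for c in customers
             if c.policy_number != policy_number
             and weak_key(c) == weak_key(target)
             and c.address.casefold() == new_address.casefold()]
    if clash:
        return UpdateResult("needs_review", customers,
                            f"address already held by same-named policy {clash[0].policy_number}")
    updated = [replace(c, address=new_address) if c.policy_number == policy_number else c
               for c in customers]
    return UpdateResult("applied", updated, "ok")


if __name__ == "__main__":
    print("collisions:", find_collisions(CUSTOMERS))
    dob = CUSTOMERS[0].dob
    naive = naive_apply_address_update(CUSTOMERS, "John", "Smith", dob, "99 Park Lane, Town B")
    print("naive:", [(c.policy_number, c.address) for c in naive[:2]])
    print("safe:", safe_apply_address_update(
        CUSTOMERS, "POL-0001", "John", "Smith", dob, "99 Park Lane, Town B").status)
```

The collision report is the part a controller reviewing a deduplication process would want to run routinely: every weak key shared by more than one policy is a record pair where an unkeyed update, from an adviser or anyone else, can silently merge two people.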

The ICO has only had the power to issue fines of up to £500,000 on organisations that are guilty of a serious breach of the DPA since April 2010. However, the watchdog said that it was still right to fine Prudential in relation to how it dealt with the problem after that date.

"The accounts remained confused for more than three years, and the problem was only resolved in September 2010," the ICO said in a statement. "This was despite the company being alerted to the mistake on several occasions, including a letter from one of the customers in late April 2010 which clearly indicated his address had not changed for over 15 years. The company failed to investigate thoroughly at this point and the penalty imposed today relates to the inaccuracy then present which continued for a further six months."

The ICO said that Prudential at least "ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial distress" but that it had "failed to take reasonable steps to prevent the contravention".

"In this particular case, funds from a policy belonging to another customer were transferred in error by one customer on 17 July 2009 and the potential for further substantial damage remained until the customer records were finally de-merged on 24 September 2010 and [Prudential] recovered the transferred funds from the other investment company, which did not occur until 2011," the ICO said.

"Further, the data subjects would be justifiably concerned that after being sent to the wrong person their data may be further disseminated even if those concerns do not actually materialise. If the parties the data was disclosed to had been untrustworthy then it is likely that the contravention would cause further distress and also substantial damage to the data subjects such as exposing them to identity fraud and possible financial loss," the watchdog added.

Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said it was significant that the ICO's penalty regime was expanding beyond punishing firms for compliance problems uncovered following data loss incidents.

"After two and a half years of having fining powers and 25 fines, the ICO's fines are diversifying," Dautlich said. "Although elements of the accuracy and retention principles set out in the DPA have been relevant to previous penalties imposed on data controllers, the advent of the first circumstance where the criteria triggering the requirements for a fine have derived from outside of the rules about data security is a milestone. Controllers will wish to look over their deduping services, and perhaps contracts for deduping services where they engage a third party on their behalf."

The ICO said that Prudential had improved staff training and "updated its processes" in order to ensure that accurate customer data is "maintained at all times".

The ICO added that approximately 15% of the 13,000 data protection-related complaints it received from the public in the last financial year had related to issues about how "money lenders" had handled personal data. It warned financial services companies in particular about the need to hold accurate customer records.

"While data losses may make the headlines, most people will contact our office about inaccuracies and other issues relating to the misuse of their information," Eckersley said. "Inaccurate information on a customer’s record, particularly when the record relates to an individual’s financial affairs, can have a significant impact on someone’s life."

"We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate. Staff should also receive adequate training on how to manage and maintain them, with any concerns fully investigated in order to ensure problems are addressed at an early stage," he added.
