Trade in pensions information 'the next PPI scandal', warns privacy watchdog

Christopher Graham told the Today programme on BBC Radio 4 that businesses with access to individuals' financial data found to have shared the information without their consent face being fined up to £500,000. He said that "rogue individuals" also face criminal penalties if they are found to have been acting in breach of the Data Protection Act.

Graham was commenting after a Daily Mail investigation found that some companies are willing to sell personal financial information relating to thousands of people, including information on salaries, investments and pensions, to cold calling companies.

The paper's investigation comes ahead of reforms to the pensions market which will provide members of defined contribution (DC) pension schemes with more flexibility over how they access their savings once they turn 55. The Pensions Regulator has previously warned that this change could encourage scammers to contact people approaching 55 and seek to exploit their interest in the change in the law.

The Information Commissioner's Office (ICO) has launched an investigation after being passed information uncovered by the Mail.

Graham told the Today programme that his office is liaising with the Pensions Regulator, the Financial Conduct Authority and the police on the case.

Graham said: "The Data Protection Act is there to make sure that your personal info stays under your control… Your personal information is not for … [third parties] to give permission to others to access… Unless you have tick some box to say you can share this with everyone and everybody, and I suspect that people do not do that, then that information should stay private."

"It looks as if you have got legitimate processing by contractors who are maintaining databases and cleaning up information and so on but that information is then being passed on and that is against the law. We've got to investigate this but on the face of it, it is a very serious breach of the Data Protection Act and there will be consequences," Graham said.

"Data controllers have obligations under the Data Protection Act which they must honour but it may be that we're dealing with rogue individuals who will be committing a criminal offence," he said. "We've been warning that pensions selling, accessing pensions information, is really the next PPI scandal and we've been working very hard to take action against cold calling companies for example in this very area."

Out-Law.com asked the ICO to confirm whether the data processor contractors Graham had referred to operate in the public or private sector but a spokesperson for the watchdog said they could not comment as the ICO will be looking at the types of contractors allegedly involved as part of its investigation.

The ICO spokesperson said: "We’re aware of allegations raised against several companies involved in the cold calling sector, and will be making enquiries to establish whether there have been any breaches of the Data Protection Act or Privacy and Electronic Communications Regulations.”

Regulatory and compliance expert Barry Vitou of Pinsent Masons, the law firm behind Out-Law.com, said: "The ICO is increasingly baring its teeth when it comes to enforcement matters and working with other agencies in the context of misuse of data and is looking at civil and criminal enforcement. Broadly speaking it is an offence for a person to knowingly or recklessly disclose personal data without consent. Firms should ensure that they are taking appropriate steps and have put in place controls to safeguard personal data from misuse."