Failure to rectify data mix-up leads to ICO fine


Author: Pamela Morris

The Information Commissioner's Office has fined an insurance company for mixing up two customers' accounts and failing to rectify the mistake.

The Information Commissioner's Office (the "ICO") has recently issued a significant fine, not because an organisation has lost data, but because it muddled up account data. The ICO came down heavily on the insurance company Prudential after an error in identification led to the merging of two customers' accounts in March 2007.

The fine of £50,000 (reduced by 20% to £40,000 if paid by the end of the month), issued at the end of October, is believed to be the first to be imposed that does not relate to significant data loss.

What happened?

Unhappily for Prudential, the two customers involved had the same first names and surnames and the same date of birth. A significant amount of money, reported to be in the tens of thousands of pounds, intended for one customer's retirement fund was transferred to the wrong account. The mistake, which is alleged to have been initially caused by one of the customers' financial advisers, was not rectified by Prudential and the error continued for several years.

Why was the fine so high?

The severity of the fine was due to the significant sums involved and the failure by Prudential to investigate and rectify the error, despite being informed of the mistake several times, including in writing by one of the customers; the error continued for a further six months.

Stephen Eckersley (ICO Head of Enforcement) has said:

"Organisations must make sure the information they hold on their customers' files is accurate and kept up to date in order to comply with the Data Protection Act. In this case two customer files were consistently confused and the company failed to remedy the situation despite being alerted to the problem on more than one occasion before it was finally resolved."

He also added:

"We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people's records are accurate".

A warning

The fine demonstrates that the ICO is pursuing its focus on the priority sectors announced earlier this year which included credit and finance. Clearly this focus is not misplaced as approximately 15% of complaints to the ICO last year were due to concerns in the financial sector.

However, this case should serve as a warning to all organisations dealing with personal data whether it relates to clients, employees or other individuals; the ICO is flexing its muscle and not only in respect of "lost" personal data.

In light of the forthcoming reforms to data protection across the European Economic Area, such enforcement action is only likely to increase. The time is therefore ripe for all organisations to review data protection compliance in respect of both customer and employee records, including policies and training.

How can we help?

Did you know that Shoosmiths has a dedicated data protection team, which can assist with all your data protection questions? To find out more see our website.