The ICO has issued a warning to the financial sector after a mix-up over the administration of two customers’ accounts led to tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account.
This is the first monetary penalty served by the ICO that doesn’t relate to a significant data loss.
Prudential has been served with a monetary penalty of £50,000 following the incident, which resulted in a serious breach of the Data Protection Act 1998.
The original error was caused when the records of both customers, who share the same first name, surname and date of birth, were mistakenly merged in March 2007. The accounts remained confused for more than three years, and the problem was only resolved in September 2010. This was despite the company being alerted to the mistake on several occasions, including a letter from one of the customers in late April 2010 which clearly indicated his address had not changed for over 15 years. The company failed to investigate thoroughly at this point and the penalty imposed today relates to the inaccuracy then present which continued for a further six months.
Stephen Eckersley, ICO Head of Enforcement, said:
‘Organisations must make sure the information they hold on their customers’ files is accurate and kept up to date in order to comply with the Data Protection Act. In this case two customer files were consistently confused and the company failed to remedy the situation despite being alerted to the problem on more than one occasion before it was finally resolved. This case would be considered farcical were it not for the serious sums of money involved.
While data losses may make the headlines, most people will contact our office about inaccuracies and other issues relating to the misuse of their information. Inaccurate information on a customer’s record, particularly when the record relates to an individual’s financial affairs, can have a significant impact on someone’s life.
We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate. Staff should also receive adequate training on how to manage and maintain them, with any concerns fully investigated in order to ensure problems are addressed at an early stage.’
Prudential says that it has now improved the training it provides to its staff and updated its processes to ensure that the accuracy of customers’ records is maintained at all times.
View the ICO’s recent monetary penalties