For firms that use data matching processes, a recent data protection case suggests that firms may wish to consider the robustness of precautionary verification processes in relation to changes to customer data, particularly in respect of changes communicated by telephone, and/or by authorised financial advisers rather than the customer.
The initial data protection breach in this case appears to have been triggered by the provision of inaccurate information by the financial adviser representing one of the customers. The matter involved the merger of the records of two customers, as a result of which financial information was sent to each of them at various times, and ultimately funds held on a policy belonging to one customer were transferred in error to another firm on instructions from the second customer. A £50,000 fine was imposed by the Information Commissioner (the Commissioner) for the contravention.
Merging of customer records
The firm in this case held customer records in a centralised database which had a data matching function and enabled staff to view all the policies belonging to a customer. Two of the firm’s customers shared the same first name, surname and date of birth.
It appears that in March 2007, the financial adviser of the first customer (A) called the firm on a matter connected with one of A’s policies, but for some unknown reason gave the address of the second customer (B). B did not apparently share the same financial adviser as A; equally, the penalty notice does not suggest that the information was provided by the financial adviser in response to a prompt from an employee of the firm. In any event, the result was that the firm updated the first customer’s address in the database to match B’s address and the records of the two customers were merged; B’s address was applied to the merged account.
In the course of the confusion that then ensued:
- B received statements relating to A’s policies;
- following a call from A about an unrelated matter, A’s address was applied to the merged account;
- this resulted in A receiving information about B’s policy; A complained in June 2008, and a note highlighting the error was put on the database, but no further action was taken because the underlying policy showed the correct address;
- in March 2009, the firm sent A an update in respect of B’s endowment policy which was returned unopened, so the firm initiated its “gone away” process and sent a letter to the customer’s bank asking it to be forwarded to the customer’s address (one assumes this was to A’s bank but the notice is unclear);
- in May 2009, B sent the firm a letter of authority for his financial advisers, as a result of which the address of the merged record was changed to B’s address;
- based on information received from the firm, B’s financial advisers recommended, and B provided his signed agreement to, the transfer of funds on one of A’s policies to another firm in July 2009;
- in August 2009, A’s financial advisers indicated that A wanted to take a payment holiday on that policy; the firm told A’s advisers (in a letter copied to B) that the policy had been transferred;
- in March 2010, A’s adviser asked for a copy of the transfer papers and these were sent to A’s advisers (and to B) on 31 March 2010;
- B telephoned the firm in April 2010 asking why he had received these papers, and not a statement for his endowment policy; he followed this up with a complaint, stating clearly that he had lived at the same address for over 15 years;
- in May 2010, the firm responded, explaining that in 2007 his bonus statement had been sent to another customer with the same name, and assuring B that his records had now been corrected;
- in September 2010, A contacted the firm in relation to his policies and gave his address; the address record was changed on the policy system – this prompted a change of address letter to be sent to the previously listed address, which meant that B received a letter saying that the firm’s records showed a change of address but that a letter was being sent to the previous address as a security precaution;
- B telephoned the firm for an explanation.
At this point, the firm undertook an investigation, identified the issue, arranged to demerge the customer records, paid compensation to both customers, took steps to recover the monies transferred in error, and to improve its processes and staff training to minimise the risk of recurrence, and cooperated with the Commissioner.
Reasonable steps to prevent contraventions
The Commissioner took the view that given its size and the number of customers it served, the firm should have appreciated the risk that customer records could become mixed up. It appears that the firm was aware that several thousand, amongst some six million, of its customers shared the same name. Although for any one person, the odds of someone else having the same name and birth date are small, in a large group, analysis undertaken in the context of voting irregularities suggests that a sizable number of people will have the same name and birth date, and that, even for less common names, a shared birth date is less rare than one would intuit.
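The point that shared name-and-birth-date pairs are more common than intuition suggests is the classic birthday problem. The following is an added illustration, not part of the penalty notice or the original article; the number of possible birth dates (80 years, spread evenly) and the name-group sizes are constructed assumptions.

```python
from math import comb, exp, log1p

def prob_shared_birthdate(n: int, d: int) -> float:
    """Probability that at least two of n people who already share a name also
    share a birth date, assuming d equally likely dates (birthday problem).
    The product prod_{i<n} (1 - i/d) is summed in log space so a large n
    does not underflow."""
    if n < 2:
        return 0.0
    if n > d:
        return 1.0  # pigeonhole: more people than dates
    log_no_match = sum(log1p(-i / d) for i in range(n))
    return 1.0 - exp(log_no_match)

def expected_same_birthdate_pairs(n: int, d: int) -> float:
    """Expected number of same-name pairs that also share a birth date:
    C(n, 2) pairs, each clashing with probability 1/d."""
    return comb(n, 2) / d

def collision_table(group_sizes, d: int) -> dict:
    """For each name-group size, the chance of at least one clash and the
    expected number of clashing pairs, rounded for display."""
    return {n: (round(prob_shared_birthdate(n, d), 3),
                round(expected_same_birthdate_pairs(n, d), 2))
            for n in group_sizes}

# Constructed assumptions: birth dates spread evenly over 80 years (a real
# customer base is more concentrated in some years, which only makes clashes
# likelier), and name groups of 50, 300 and 2,000 customers.
DATES = 365 * 80
GROUPS = (50, 300, 2000)

if __name__ == "__main__":
    for n, (p, pairs) in collision_table(GROUPS, DATES).items():
        print(f"{n:>5} customers with one name: P(any clash)={p:.3f}, "
              f"expected clashing pairs={pairs:.2f}")
```

Even a name shared by only 300 customers gives a better-than-even chance of at least one exact name-and-date clash under these assumptions, and a name shared by 2,000 makes dozens of clashing pairs almost certain.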
The Commissioner considered that the firm should have taken reasonable steps to “prevent the contravention”. However, the only step the Commissioner identifies that the firm should have taken is immediate action to investigate B’s complaint in April 2010, which the Commissioner believes would have led to identification of the issue and remediation at an earlier stage.
To some extent this may reflect the fact that the Commissioner’s powers to impose a monetary penalty did not come into force until April 2010. The contravention that is the subject of the penalty notice is expressed to be breach of the requirement for personal data to be accurate and, where necessary, kept up to date, between April and September 2010, although the Commissioner took into account matters prior to April 2010 in setting the penalty. It is also plain that the Commissioner considered that the firm had missed several opportunities to identify the problem before April 2010.
In terms of considering what might have caused the matter to play out differently, it is arguable that if a letter confirming the change of address indicated by A’s financial adviser had been sent to A in 2007 by way of safety precaution (as appears would have been required for a change to be effected to the underlying policy documents), A might have been made aware of a potential issue from the outset. It is not entirely clear why A’s 2008 complaint did not trigger an inquiry into the root cause of the error, in addition to a notification on the database. Nor is it apparent from the penalty notice how the “gone away” process, initiated in March 2009, was closed out to the firm’s satisfaction, and whether something more might have been done at that point.
Equally, from the customer end, it is somewhat baffling that B should have signed an agreement in May 2009 to transfer a policy he did not hold, and yet in April the following year queried the receipt of a copy of that transfer, and that A’s financial advisers did not pursue the matter of the transfer of funds in March 2010.
In any event, firms using data matching processes may wish to consider whether their current policies and processes are capable of identifying such issues, and whether they would constitute sufficient by way of reasonable steps to prevent a contravention, as well as to identify and remediate it after the event. It would be prudent to put in place some means of verifying information about changed details provided by a representative on behalf of an account holder.
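The two controls discussed above (a confirmation letter to the address already on file before a change takes effect, and a matching rule that does not treat name, date of birth and address as proof of identity) can be expressed as a small model and replayed against the 2007 telephone call that started the chain of events. This is an added example written for this note, not the firm’s system or the Commissioner’s text; customer names, addresses, policy numbers and the “adviser”/“telephone” source labels are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Customer:
    ref: str                         # internal reference (constructed)
    name: str
    dob: str                         # ISO date of birth
    address: str
    policies: set = field(default_factory=set)

def naive_match(a: Customer, b: Customer) -> bool:
    """Rule of the kind the case turned on: once name, date of birth and
    address agree, two records are treated as one customer."""
    return (a.name, a.dob, a.address) == (b.name, b.dob, b.address)

def corroborated_match(a: Customer, b: Customer) -> bool:
    """Hardened rule: name and date of birth only make a candidate pair; a
    policy number held on both records is needed before a merge is proposed,
    and the proposal should still go to a person for review."""
    return (a.name, a.dob) == (b.name, b.dob) and bool(a.policies & b.policies)

def change_address(cust: Customer, new_address: str, source: str,
                   outbox: list, hardened: bool) -> str:
    """Legacy path applies any change at once. Hardened path first sends a
    confirmation letter to the address already on file (the precaution the
    firm applied in 2010) and holds changes phoned in or supplied by a
    representative until the customer confirms them."""
    if hardened:
        outbox.append((cust.address, "We have been asked to record a new address "
                       f"of {new_address}. Contact us if this is not correct."))
        if source in ("adviser", "telephone"):
            return "pending"
    cust.address = new_address
    return "applied"

def replay_2007_call(hardened: bool) -> dict:
    """Replay the triggering event: A's adviser phones in B's address for A.
    Returns whether the records would merge, what happened to the change,
    and where any confirmation letter went. All data is constructed."""
    a = Customer("A", "John Smith", "1960-01-01", "1 First Street", {"POL-A1"})
    b = Customer("B", "John Smith", "1960-01-01", "2 Second Road", {"POL-B1"})
    outbox: list = []
    status = change_address(a, b.address, "adviser", outbox, hardened)
    rule = corroborated_match if hardened else naive_match
    return {"merged": rule(a, b), "change": status,
            "letter_to": outbox[0][0] if outbox else None}
```

Under the legacy path the adviser’s mistaken address is applied immediately and the two records become indistinguishable to the matching rule; under the hardened path the change is held, A is written to at his existing address, and the records remain distinct because they share no policy.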