The Information Commissioner's Office (ICO) has fined Prudential £50,000 for a serious breach of the Data Protection Act following an administrative error that saw the records of two customers being merged and culminated with one customer transferring tens of thousands of pounds belonging to the other. 

Customer A and customer B were two Prudential policy holders who shared the same first name, surname and date of birth. In March 2007, a mix-up led to customer A's address being updated to be the same as customer B's and the two customer records were subsequently merged. When customer A contacted Prudential regarding a non-related matter his original address was reinstated, resulting in a corresponding change to the address held for customer B's policy. Over the next three years both customers repeatedly received financial information relating to the other. Critically, in July 2009, customer B's financial advisors reviewed the financial statements he had received, and advised him to transfer funds to another investment company which handled his pension. This resulted in tens of thousands of pounds which actually belonged to customer A being transferred by customer B.

Despite being contacted several times by each customer in relation to the error, the two customers' records remained merged until September 2010, and the erroneously transferred funds were not recovered until 2011.

This case is significant as it is the first monetary penalty notice that has been issued which has not related to breach of the seventh data protection principle (the requirement to keep data securely). In this case the fine was imposed for breach of the fourth data protection principle which requires data controllers to keep personal data accurate, and where necessary, up to date. It is worthwhile noting that the majority of complaints the ICO receives relate to inaccuracies in individuals' personal information. This fine is a signal to all data controllers that those inaccuracies may be punished, particularly where they relate to customers' financial affairs.