Précis - The Information Commissioner's Office ("ICO") has fined The Prudential Assurance Company Limited £50,000 for errors in its customer records. This is the first fine issued by the ICO for a non-security breach of the Data Protection Act 1998 (DPA). It serves as a reminder to organisations that they must comply with all eight data protection principles set out in the DPA, not just the data security principle.
What? Prudential has been issued with a monetary penalty notice (a civil fine) for £50,000 for multiple administrative errors which led to two of its customers having their accounts merged, enabling one customer to access the funds of the other. Despite numerous complaints from both customers over a period of three years, Prudential failed to realise their error and rectify the mistake which was caused by the customers sharing the same first name, surname, and date of birth.
Prudential was held by the ICO to have failed to uphold the third and fourth data protection principles of the DPA, namely that it failed to ensure that the personal information held by it was:
- adequate, relevant and not excessive; and
- accurate and up to date.
The ICO held that the seriousness of the breach was exacerbated by the length of time taken to rectify the situation, and the risk of financial loss and possible identity fraud.
So what? This is the first time that the ICO has issued a monetary penalty notice against a data controller for breach of the data adequacy and accuracy principles. Historically, all fines for breaches of the data protection principles have been in relation to the seventh data protection principle (i.e. for failures by a data controller to take appropriate and effective security measures in relation to personal data held by it). This decision reminds data controllers of the fundamental importance of maintaining data accuracy.
This fine is also significant as it indicates that the ICO is expanding its enforcement regime. It is clear that in serious cases, companies will no longer only be held to account for failing to keep personal information secure, but for failing to ensure data processing activities are otherwise in line with the DPA principles. It is worthy of note that this breach only affected two individuals but still led to a fine.
In addition to requiring data adequacy, accuracy and security, the DPA principles also demand that data controllers:
- only process personal data where it is fair and lawful to do so, and do not process it for additional purposes incompatible with the fair and lawful purposes previously agreed;
- do not retain personal data for longer than is necessary for those purposes;
- process personal data in accordance with the rights of data subjects under the DPA, for example by responding to subject access requests; and
- do not transfer personal data outside the European Economic Area without ensuring that adequate safeguards are in place for it.
In the next few years the sanctions for breach of data protection legislation are expected to increase, and the maximum fine may grow from £500,000 to a sum equivalent to 2% of the global turnover of the institution in breach. The priority currently given to reviewing compliance measures and, where necessary, remedying any areas of non-compliance may need to be reconsidered accordingly.
It is not difficult to appreciate that the accuracy of customer data may be compromised in large organisations and that warnings may be missed. Indeed, it would be imprudent to dismiss this as a rare set of facts and a scenario faced only by this particular data controller.
The lessons are that security of customer data is not the only issue to be concerned about and that it is vital to guard against errors involving customer accounts, which must not be permitted to persist upon discovery.
For those reading this briefing and thinking "there but for the grace...go I", proactive steps to take include asking some basic questions internally. Does your organisation have checks and balances to guard against this type of error? Are your staff trained periodically on how to handle customer data, in particular to appreciate that data accuracy is paramount and must be preserved? Do you have an audit trail to back up your assertions to your customers about data accuracy, security and the professionalism and expertise of the staff who handle customer data? Prudential has learned from its mistakes and acted accordingly. Our advice is to take steps now to guard against the same.