Précis: For the first time the Information Commissioner’s Office (“ICO”) has used its power to fine for serious breaches of the Data Protection Act 1998 (“the Act”) in response to a customer data accuracy breach rather than a data security breach. It has warned the financial sector in particular to guard against errors involving customer accounts. Penalties could be up to £500,000. Take steps now to protect your organisation.
“We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate [and that] staff receive adequate training...”
This is the warning from the ICO after enforcement action against Prudential Assurance Company Limited (“Prudential Assurance”) on 29 October 2012 for its serious breach of the Act, namely its obligation to ensure the accuracy of Personal Data. This is significant since it is the first ICO monetary penalty issued for anything other than a security breach. Financial services (“FS”) organisations in particular should take care.
Money lenders and complaints to ICO
Whilst the facts of the breach by this specific Prudential entity warranted the ICO’s attention, it is unlikely to be alone in its non-compliance. 15% of the 15,000 complaints to the ICO during the last financial year were specifically about the way money lenders handle customer data, and inaccurate data ranked as the third most complained-about issue across all sectors. In the ICO’s words, this is an opportunity “...to reinforce the need...to take reasonable steps to ensure the accuracy of...databases.” Prudential Assurance has now taken steps to minimise the risk of a recurrence by improving its staff training and updating its processes to ensure customer records are accurate and kept up to date. FS organisations should use this as an opportunity to verify their own compliance and, if necessary, to learn the same lessons as Prudential Assurance.
The facts and why this is a “serious breach”
The reported facts are that Prudential Assurance consistently confused two customers’ accounts and paid tens of thousands of pounds into one account instead of into a separate customer’s retirement fund. Both customers involved had the same first name, surname and date of birth. Significantly, the error was initiated not by Prudential Assurance but by one customer’s financial adviser, who for an unknown reason gave the address of the other customer. Consequently, Prudential Assurance updated the first customer’s address to match that of the second customer. The first customer’s correct address was reinstated when he notified Prudential Assurance of the error, but then the second customer’s address was matched to that of the first customer. Their records were subsequently merged in error in a centralised database of policy details. Policy statements and other financial information were sent to the wrong recipients.
However, that was not the serious breach of the Act. The problem was that the error persisted unchecked for more than three years despite Prudential Assurance being alerted to it, including by the customer, and despite a note on the database which highlighted the error. Prudential Assurance failed to investigate the matter thoroughly and customer data was put at risk. The penalty was served because the inaccuracy continued for six months after the point at which it should have been addressed and after several missed opportunities and warnings that the failure ought to be remedied. The error was likely to cause substantial distress: financial information was sent to another person who had no right to see it and could have been disseminated further, thereby risking identity fraud and financial loss, and moreover funds were diverted and paid to the wrong customer. The ICO concluded that when inaccurate customer records relate to financial affairs they can have a significant impact and there is a risk of substantial damage or distress. In short, the “serious breach” test was satisfied and Prudential Assurance was penalised.
Penalties of up to £500,000 (ICO) and unlimited fines (FSA)
The £50,000 penalty is not, in itself, that high. The ICO can issue penalties of up to £500,000 for serious breaches of the Act, including for example breaches of its data accuracy and security principles. A serious breach is either deliberate or one where the data controller (in this case, the FS organisation) knew or ought to have known of the risk that such a breach would be likely to cause substantial damage or substantial distress to the data subject concerned (in this case, the customer) and failed to take reasonable steps to prevent it. The level of penalty takes into account remedial action by Prudential Assurance, its cooperation with the ICO and the fact that only two customers were involved.
The ICO is not afraid to issue higher penalties where it sees fit, or indeed where it wants to “make a point”. In June 2012 a security breach by Brighton and Sussex NHS Trust involving Sensitive Personal Data of staff and patients resulted in a £325,000 penalty. Note the ICO’s comment in the Prudential Assurance penalty notice before mitigating factors were considered: “[There are] sufficient financial resources to pay a monetary penalty up to the maximum without causing undue financial hardship to [Prudential.]” Whilst the Financial Services Authority (“FSA”) did not take action against Prudential Assurance in this case, it is empowered to issue unlimited fines for breaches of its rules and regulations including those involving use of customer data. As we have seen with data security breaches, levels of monetary penalties are likely to increase as the ICO’s patience wears thin.
A warning to FS organisations – are you next in line?
It is not difficult to appreciate that the accuracy of customer data may be compromised in large organisations and that warnings may be missed. Indeed, it would be imprudent to dismiss this as a rare set of facts and a scenario faced only by Prudential Assurance. The ICO’s statements might easily apply to a number of FS organisations which know or ought to know of the risk that customer records could be mixed up.
The lessons are that security of customer data is not the only issue to be concerned about and that it is vital to guard against errors involving customer accounts, which must not be permitted to persist upon discovery.
For those reading this briefing and thinking “there but for the grace...go I”, proactive steps to take include asking some basic questions internally. Does your organisation have checks and balances to guard against this type of error? Are your staff trained periodically on how to handle customer data and, in particular, to appreciate that data accuracy is paramount and must be preserved? Do you have an audit trail to back up your assertions to your customers about data accuracy, security and the professionalism and expertise of your staff who handle customer data? Prudential Assurance has learned from its mistakes. Take steps now to guard against the same.