In a sign of the Information Commissioner's Office's (ICO) increasing willingness to impose large monetary fines for breaches of the Data Protection Act (DPA), Prudential PLC has been served with a £50,000 monetary penalty for confusing the details of two customers. This is the first time that the ICO has imposed a fine that does not relate to the loss of data since the ICO's powers were increased in April 2010.
The error occurred when the records of two customers who had the same forenames, surnames and dates of birth were merged by mistake in 2007. This led to tens of thousands of pounds from one customer's retirement funds being paid to the other. Despite being informed of the mix-up on several occasions, Prudential left the records uncorrected for over three years, until September 2010. The size of the penalty derived in part from Prudential's failure to adequately investigate and remedy the issue when it was raised.
Ensuring that personal data is accurate and up to date is one of the eight mandatory data protection principles under the DPA. The case shows that data controllers need to ensure that all of these principles are complied with, not just the one relating to the loss or destruction of personal data.
This fine follows the recent case of Smeaton v Equifax plc (2012) EWHC 2322, in which the claimant successfully established the liability of credit reference agency Equifax to pay compensation under s. 13 of the DPA for holding inaccurate information about him.
The ICO has now issued 26 fines since its powers were increased in April 2010, the highest being £325,000 against Brighton and Sussex University Hospitals NHS Trust for losing highly sensitive personal data relating to tens of thousands of patients and staff, including medical records of patients with HIV.