The Information Commissioner’s Office (ICO) has today fined Prudential £50,000 for a serious breach of the Data Protection Act (DPA). Prudential mixed up the accounts of two individuals, and tens of thousands of pounds intended for a retirement fund ended up in someone else’s account. Amazingly, the accounts remained confused for three years, even though the company had been alerted to the mistake on several occasions during that period.
In defence of Prudential (I’ll get letters now!), the two individuals in question had the same first name, surname and date of birth. The reason for the severity of the penalty was that the bank had received letters from both customers yet had failed to investigate them thoroughly.
This is the first time the ICO has issued a monetary penalty that doesn’t relate to a loss of data, and with it the ICO issued a firm warning to the financial sector.
Stephen Eckersley, ICO Head of Enforcement, said:
“Organisations must make sure the information they hold on their customers’ files is accurate and kept up to date in order to comply with the Data Protection Act. In this case two customer files were consistently confused and the company failed to remedy the situation despite being alerted to the problem on more than one occasion before it was finally resolved.
“This case would be considered farcical were it not for the serious sums of money involved.”
On its website, the ICO states that it received more complaints relating to money lenders than to any other sector.
“Around 15% of the almost 13,000 data protection complaints received by the ICO during the last financial year were due to concerns relating to this group, with inaccurate data the third most complained about issue across all sectors.”
With this landmark fine for Prudential, financial organisations should ensure that they are DPA compliant, handle sensitive information correctly and keep it up to date. Otherwise, the ICO may be paying them an unwelcome visit.