First DPA fine for customer account error
For the first time, the Information Commissioner’s Office (ICO) has used its power to fine for serious breaches of the Data Protection Act 1998 in response to a customer data accuracy breach rather than a data security breach.
15% of the 15,000 complaints to the ICO during the last financial year related to the way money lenders handle customer data, with inaccurate data ranked as the third most complained-about issue across all sectors.
The ICO has warned the financial sector to guard against errors involving customer accounts or face penalties of up to £500,000.
The warning follows enforcement action being taken against Prudential Assurance Company Limited (“Prudential Assurance”) on 29 October 2012.
The enforcement action related to a serious breach of the Act, namely of the obligation to ensure the accuracy of Personal Data.
The reported facts are that Prudential Assurance consistently confused two customers’ accounts and paid tens of thousands of pounds into one account instead of into a separate customer’s retirement fund.
Both customers involved had the same first name, surname and date of birth.
The error was initiated not by Prudential Assurance but instead by one customer’s financial adviser who for an unknown reason gave the address of the other customer.
Consequently, Prudential Assurance updated the first customer’s address to match that of the second customer.
The first customer’s correct address was reinstated when he notified Prudential Assurance of the error but then the second customer’s address was matched to that of the first customer.
Their records were subsequently merged in error in a centralised database of policy details. Policy statements and other financial information were sent to the wrong recipients.
The penalty was served because the inaccuracy continued for six months after the point at which it should have been addressed and after several missed opportunities and warnings that the failure ought to be remedied.
The ICO concluded that when inaccurate customer records relate to financial affairs they can have a significant impact and there is a risk of substantial damage or distress.
Conveyancers hold a lot of sensitive data about their clients. Could this type of issue be something that conveyancers might fall victim to?