Privacy & Information Security Law Blog

On October 29, 2012, the UK Information Commissioner’s Office (“ICO”) served private sector financial services company The Prudential Assurance Company Limited (“Prudential”) with a monetary penalty of £50,000 in connection with a serious violation of the Data Protection Act 1998 (“DPA”). The violation concerned a mix-up involving Prudential customer details. In March 2007, the customer records of two individuals who shared the same first name, surname and date of birth were mistakenly merged into a single customer record. Over the course of the following three years, mortgage and pension policy information relating to each customer was routinely sent to the wrong individual until Prudential took steps to separate the two customers’ records in September 2010.

Under Sections 55A and 55B of the DPA, the ICO has the power to impose monetary penalties of up to £500,000 for serious violations that may cause substantial damage or distress. The ICO fined Prudential £50,000 on the following grounds:

• Prudential breached the Fourth Data Protection Principle in the DPA, which requires data controllers to ensure that personal data are accurate and up to date; and
• the breach was of a kind likely to cause substantial damage or distress, given the potential for financial loss and identity fraud, and given that one of the customers was able to transfer funds from a policy belonging to the other customer.

In addition to the ICO’s monetary penalty, Prudential paid compensation to both of the affected individuals.

This latest ICO fine is notable both because it is the first time the ICO has levied a monetary penalty for a violation that did not relate to a data loss, and because the enforcement action involved a private sector entity. Up to this point, the vast majority of the ICO’s monetary penalties have been imposed on public sector organizations. In a press release, ICO Head of Enforcement Stephen Eckersley commented on the fine, saying “[i]naccurate information on a customer’s record, particularly when the record relates to an individual’s financial affairs, can have a significant impact on someone’s life. We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate.”