The Pru's case of mistaken (customer account) identity is the first ICO fine for a breach that isn't a significant data loss. It is also a lesson for any bank or insurer involved in data migration or merges, whether as a result of IT integration projects or following mergers and acquisitions.
- The Pru had two customers with the same first name, surname and date of birth.
- Their account details were merged back in 2007 and they remained merged until 2010.
- This was despite the fact that one of the customers had complained to the Pru, alerting them that he had not changed address for the past 15 years and that the data the Pru was processing about him was inaccurate as a result of the merge.
- Sadly, the Pru failed to investigate and resolve the customer's complaint, and the accounts remained merged for a further six months after the notification. This is the reason for the 50k fine.
The key message is that data controllers are under a legal obligation to ensure that the data they hold about their customers is accurate and to take active steps to ensure that it remains accurate and up-to-date (particularly where a customer tells them that it isn't accurate).
- This is an emerging area of focus for the ICO, particularly in relation to the financial services sector (and we expect the position to become more critical once the General Data Protection Regulation becomes law).
- Of around 13,000 data protection complaints last year, 15% related to the financial services sector, and the third most complained about issue was inaccurate data.
- We also expect to see greater focus on data retention periods, policies and practices with regard to erasure of data, i.e. the duty of organisations to hold data only for as long as is necessary to satisfy the purpose for which it was collected. Again, we see particular challenges in this area for organisations operating in the financial services sector.
The message remains the same: those organisations that start thinking seriously about data protection compliance now will be in a much better position to comply with the new Regulation (as the key principles remain the same). There is a potentially long and complex journey ahead for those organisations whose data protection practices may not currently constitute 'best practice' and who may not be 'getting the basics right'.
We are yet to see whether the FSA will take action should it believe that the Pru has a systems and controls issue which enabled the accounts to be merged and to remain merged (and incorrect) for 3 years. For those in the financial services sector, remember that fines may be levied by the FSA as well as the ICO for systems and controls deficiencies which manifest themselves as data protection breaches (and FSA fines are not capped at 500k and have previously run into several million pounds, particularly in relation to security breaches). Whilst this case was the result of a manual error, the FSA has recently fined Bank of Scotland 4.2m in relation to misleading mortgage information being sent to customers as a result of the bank having relied on data from poorly integrated systems and manual processes to connect its customer database to its mortgage correspondence system.
For those organisations that embrace the spirit of data protection laws, we can see the potential for commercial advantage to be gained from developing a relationship of trust and transparency with their customers in the way they approach data protection compliance: the sort of thing you might expect from a bank (or other financial services provider).

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.