By Tess Waldron
As has been widely reported, on 6 November 2012 the ICO fined Prudential £50,000 for what was described by the ICO’s head of enforcement, Stephen Eckersley, as a case that “would be considered farcical were it not for the serious sums of money involved”.
The breach originally occurred in 2007, when the records of two individuals with the same first name, surname and date of birth were erroneously merged, causing thousands of pounds meant for one individual’s retirement to end up in the wrong account. Despite the fact that the issue was brought to the attention of Prudential on more than one occasion, it took three years to remedy the situation, including a delay of six months following receipt of a letter from one of the customers involved pointing out that his address had not changed for 15 years. The ICO indicated that the penalty imposed related to this six-month period, during which the company “failed to investigate thoroughly”.
This decision is notable as it is one of the few times that a fine is imposed on the private sector and that an entity has received a penalty for anything other than data loss. However, it may well not be the last. As Mr Eckersley observed:
While data losses may make the headlines, most people will contact our office about inaccuracies and other issues relating to the misuse of their information. Inaccurate information on a customer’s record … can have a significant impact on someone’s life. We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate.
In handing out this penalty the ICO has ensured that it is not just data losses that will be making headlines in the future (the story was one of the most-read items on BBC Business) and made it clear that fines may be imposed for other breaches of the Data Protection Act which cause significant harm.
This post was prepared with the assistance of Jaime Hall, a trainee solicitor in the London office of Latham & Watkins.