InfoLaw Update November 2012
The Information Commissioner’s Office (ICO) has issued a warning to the financial sector after a mix-up over the administration of two customers’ accounts led to tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account. The company concerned was the Prudential, a trusted household provider of financial services. This is the first monetary penalty served by the ICO that relates to faults in data handling rather than to a significant data loss.
The Prudential Assurance Company Limited holds all its customer records in a centralised database, which enables staff to view all of the policies belonging to a customer. The database contained records for two customers who shared the same first name, surname and date of birth, referred to here as customer A and customer B. Customer A had two policies and customer B had one. In March 2007, customer A’s financial adviser telephoned the Prudential on a matter connected with one of his policies but, for reasons unknown, gave the address of customer B. As a consequence, customer A’s address was updated on the database to match customer B’s. With name, date of birth and address now identical on both records, the database’s data matching function merged the two customer records into one.
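The merge described above is a classic record-linkage failure: once two people are matched on demographics alone, a single bad field update makes them indistinguishable. The following Python is an added example, not code from this page or from the Prudential’s system; the record layout, the matching key (name, date of birth and address) and the merge rule are all assumptions, as is the idea of a separate internal customer identifier. It reproduces the collapse of two records into one, then shows a guarded variant that refuses to auto-merge on a demographic collision and queues it for human review instead.

```python
"""Hypothetical reconstruction of the record-merge failure (added example).

Assumptions, none of which come from the page: each customer has a distinct
internal customer_id; the matching key is name + date of birth + address;
matching records are pooled by concatenating their policy lists.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Customer:
    customer_id: str   # assumed: distinct internal identifier per customer
    first_name: str
    surname: str
    dob: str           # ISO 8601 date
    address: str
    policies: tuple    # assumed: policy numbers held on this record


def demographic_key(c):
    """Assumed matching key: name, date of birth and address, case-folded."""
    return (c.first_name.casefold(), c.surname.casefold(), c.dob, c.address.casefold())


def naive_match_and_merge(records):
    """Collapse every record sharing a demographic key into one, pooling policies.

    This reproduces the failure mode: after one address is overwritten with
    the other's, nothing in the key distinguishes the two people."""
    merged = {}
    for rec in records:
        key = demographic_key(rec)
        if key in merged:
            kept = merged[key]
            merged[key] = replace(kept, policies=kept.policies + rec.policies)
        else:
            merged[key] = rec
    return list(merged.values())


def guarded_match_and_merge(records):
    """Hardened variant: demographics alone never justify a merge.

    Records are pooled only when they also share the strong identifier. A
    demographic collision between distinct identifiers is kept as two records
    and placed on a review queue rather than resolved automatically."""
    by_key = {}
    review_queue = []
    for rec in records:
        key = demographic_key(rec)
        group = by_key.setdefault(key, {})
        if rec.customer_id in group:
            kept = group[rec.customer_id]
            group[rec.customer_id] = replace(kept, policies=kept.policies + rec.policies)
        else:
            if group:  # same demographics, different customer_id: do not merge
                existing_id = next(iter(group))
                review_queue.append((existing_id, rec.customer_id, "demographic collision"))
            group[rec.customer_id] = rec
    merged = [rec for group in by_key.values() for rec in group.values()]
    return merged, review_queue


def scenario():
    """Constructed data modelled on the narrative: A and B share a name and
    date of birth; A's address is then overwritten with B's."""
    a = Customer("CUST-A", "John", "Smith", "1950-04-12", "1 Oak Road", ("POL-A1", "POL-A2"))
    b = Customer("CUST-B", "John", "Smith", "1950-04-12", "9 Elm Street", ("POL-B1",))
    a_after_bad_update = replace(a, address=b.address)
    return a, b, a_after_bad_update


if __name__ == "__main__":
    a, b, a_bad = scenario()
    print("before update, naive:", len(naive_match_and_merge([a, b])), "records")
    print("after update, naive:", naive_match_and_merge([a_bad, b]))
    merged, queue = guarded_match_and_merge([a_bad, b])
    print("after update, guarded:", len(merged), "records; review:", queue)
```

The design point is that a match on mutable, non-unique attributes should raise a case for investigation, not silently rewrite records; the guarded version still merges genuine duplicates (same identifier) but turns the collision that caused three years of misdirected statements into a queued item someone must own.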
In May 2007, customer B received pension and policy statements relating to customer A which detailed the amounts then accrued and the projected income on retirement. In August 2007, customer A telephoned the Prudential about an unrelated matter and his correct address was subsequently reinstated. Because the two records had already been merged, however, this also changed the address on customer B’s record to that of customer A. The change of address was applied to customer B’s individual endowment policy as well, and customer B’s policy statements were thereafter sent to customer A.
On 24 June 2008, customer A complained to the Prudential that he was receiving customer B’s policy information. A note was put on the database to highlight the error but, because the endowment policy itself showed customer B’s correct address, no further action was taken. In March 2009, a mortgage endowment update letter intended for customer B was sent to customer A, whose address was still shown on the merged record. The letter was returned unopened, so the Prudential initiated its "gone away" process, which involved sending a letter to the customer’s bank and asking the bank to forward it to the customer’s current address.
In May 2009, customer B sent the Prudential a letter of authority for his financial advisers to act on his behalf. As customer A’s address was still shown on the record, the Prudential assumed that customer B was also notifying it of a change of address, and the address on the merged record was changed to that of customer B.
In July 2009, customer B’s financial advisers, having considered his financial position on the basis of previous statements and updated information received from the Prudential, advised him to transfer funds to another investment company, which apparently handled his employment pension. On 17 July 2009, the data controller completed the transfer on receipt of customer B’s signed agreement.
In August 2009, customer A’s financial advisers wrote to the data controller advising that their client wanted to take a payment holiday in respect of his policy. The Prudential replied, copying customer B (whose details were still shown on the merged record), to confirm that the policy had been transferred to another investment company the previous month. Customer A’s financial advisers asked for a copy of the transfer papers, signed by customer B, which were duly sent to both customer A’s financial advisers and customer B. Surprisingly, customer A’s financial advisers do not appear to have taken the matter any further.
On 20 April 2010, customer B telephoned the data controller to question why he had received these documents and why he had not received any statement for his endowment policy. During the call he was assured that his records had been corrected and that this would be confirmed in writing. The next day, customer B and his wife wrote a letter of complaint to the data controller about the mix-up, stating clearly that they had lived at the same address for over 15 years. The day after that, the Prudential sent customer B a yearly statement relating to customer A’s policy, followed shortly afterwards by a letter from the Prudential’s then Head of Operations responding to the complaint and explaining that in 2007 their bonus statement had been sent to another customer with the same name. This letter again reassured them that the records had now been corrected.
Some five months later, customer A contacted the data controller about his policies and, in the course of doing so, reiterated his current address. The data controller changed the address on the policy system, which triggered a "change of address" letter to customer B stating that its records showed he had moved but that it was writing to his former address as a security precaution. As customer B had lived at the same address for over 15 years, he telephoned the Prudential to find out why the letter had been sent, and he was subsequently sent a further letter assuring him that the data controller did hold his correct address.
Only after an investigation at this point did the data controller finally de-merge the customer records, on 24 September 2010. In October 2010 it began trying to recover from the other investment company the monies that had been transferred at customer B’s instruction but that actually belonged to customer A.
The ICO’s response
The Commissioner found that there had been a serious contravention of the Prudential’s obligation, as data controller, to comply with the data protection principles, specifically the Fourth Data Protection Principle, which requires that personal data shall be accurate and, where necessary, kept up to date. As the account above shows, there had been a number of complaints over a period of some three years during which the Prudential failed to correct the inaccuracy. The Commissioner was satisfied that a contravention of this nature is of a kind likely to cause substantial distress to data subjects whose financial information has been sent to another customer, as well as exposing them to identity fraud and possible financial loss.
The Prudential knew, or ought to have known, that there was a risk that the contravention would occur and that it would be of a kind likely to cause substantial distress, but failed to take reasonable steps to prevent it. The Prudential is a large company in the financial services sector with approximately six million customers, several thousand of whom share the same names. As an organisation that handles financial information on behalf of its customers on a daily basis, it ought to have known that there was a risk of customer records becoming mixed up and, bearing in mind the history of the matter, it should have taken immediate action to investigate properly and de-merge the records on receipt of the complaint from customer B and his wife on 21 April 2010.
As the brief description of events above indicates, this was a tangled web. Stephen Eckersley, ICO Head of Enforcement, said that “this case would be considered farcical were it not for the serious sums of money involved. Organisations must make sure the information they hold on their customers’ files is accurate and kept up to date in order to comply with the Data Protection Act. In this case two customer files were consistently confused and the company failed to remedy the situation despite being alerted to the problem on more than one occasion before it was finally resolved.”
Last year the public made more complaints about the way money lenders handled their information than about any other sector: around 15% of the almost 13,000 data protection complaints received by the ICO during the last financial year concerned this group, and inaccurate data was the third most complained-about issue across all sectors. Commenting on the ICO’s concerns in this area, Stephen Eckersley noted that, while data losses may make the headlines, “most people will contact our office about inaccuracies and other issues relating to the misuse of their information. Inaccurate information on a customer’s record, particularly when the record relates to an individual’s financial affairs, can have a significant impact on someone’s life.”
“We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate. Staff should also receive adequate training on how to manage and maintain them, with any concerns fully investigated in order to ensure problems are addressed at an early stage.”
Almost all monetary penalties show that staff training, and an understanding of the risks that matter both to individual data subjects and to the Commissioner, need improvement, and this case is no different. It also highlights the need for large service providers that process significant amounts of personal data to ensure that nothing falls between the cracks, all the more so where an organisation has many customers with the same name. Someone needs to “take ownership” of an issue as soon as it is reported. The Prudential has now improved the training it provides to its staff and updated its processes to ensure that the accuracy of customers’ records is maintained at all times.
Published: Thursday 22nd November 2012
Categorised: Information Law