Prudential Assurance Company

Breach details

What: Data integrity – two customers’ records were merged incorrectly.
How much: 2 records.
When: March 2007 until 24 September 2010.
Why: Insufficient steps taken to ensure the accuracy of data once the problem had been reported by both customers.

BW Comments

The breach of the fourth principle was not in respect of the original erroneous merge, but in respect of the Data Controller’s failure to rectify the problem once it had been reported.

Regulatory action

Regulator: ICO
Action: Monetary penalty of £50,000
When: 6 November 2012

Why the regulator acted

Breach of act: Breach of the fourth data protection principle – customers’ data must be accurate and kept up to date. Despite repeated notification from both customers, the Prudential failed to adequately investigate or rectify the problem.
Known or should have known: The ICO’s view was that the Prudential, as “a large company in the financial services sector with approximately six million customers”, should have been aware that some customers could share the same name and so should have had processes in place to investigate and rectify such an occurrence when it was reported by a customer.
Likely to cause damage or distress: The ICO’s view is that disclosure of financial information to a third party with “no right” to see the information was likely to cause “substantial distress”. Actual damage temporarily occurred in that tens of thousands of pounds, meant for an individual’s retirement fund, ended up in the wrong account and were moved away from the Prudential (although all funds have since been recovered, and compensation paid).

BW Observations

This is the first MPN in respect of a breach of the fourth principle. Although the ICO’s reasoning on the degree of damage or distress is debatable, what is interesting is the Commissioner’s reasoning on the s55A(3) ‘known or should have known’ test. The ICO’s argument is not that the Prudential should have had sufficient data integrity controls in place to prevent the problem occurring, but that, given such an error was probable in a company with six million customers, there should have been robust procedures in place to properly investigate the customers’ complaints and rectify the situation.

Organisations should consider whether they have the necessary training and systems in place to ensure that what might appear to be a simple change-of-address problem in a front-line system is identified and investigated as a potential breach of data integrity.