Breach details
| What | Data integrity – two customers’ records were merged incorrectly. |
| How much | 2 records. |
| When | March 2007 until 24 September 2010 |
| Why | Insufficient steps taken to ensure the accuracy of data once the problem had been reported by both customers. |
BW Comments
| The breach of the fourth principle was not in respect of the original erroneous merge, but that the Data Controller failed to rectify the problem. |
Regulatory action
| Regulator | ICO | Action | Monetary penalty of £ 50,000 |
| When | 6 November 2012 |
Why the regulator acted
| Breach of act | Breach of the fourth data protection principle – customers’ data must be accurate and kept up to date. Despite repeated notification from both customers, the Prudential failed to adequately investigate of rectify the problem. |
| Known or should have known | The ICO’s view was that Prudential, as “a large company in the financial services sector with approximately six million customers” should have been aware that some customers could share the same name and so should have had processes in place to investigate and rectify such an occurrence when this was reported by a customer. |
| Likely to cause damage or distress | The ICO’s view is that disclosure of financial information to a third party with “no right” to see the information was likely to cause “substantial distress”. Actual damage temporarily occurred in that tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account and was moved away from the Prudential (although all funds have since been recovered, and compensation paid). |
BW Observations
| The first MPN in respect of a breach of the fourth principle. Although the ICO’s reasoning in respect of the degree of damage or distress is debateable, what is interesting is the Commissioner’s reasoning in respect of the s55A(3) ‘known or should have known’ test. The ICO’s argument is not that the Prudential should have had sufficient data integrity controls in place to prevent the problem occurring, but given such an error was probable in a company with six million customers, that there should have been robust procedures in place to properly investigate the customers’ complaints and rectify the situation.
Organisations should consider whether they have the necessary training and systems in place to recognise that what might appear as a simple change of address problem in a front-line system to be identified and investigated as a potential breach of integrity. |
Links
| View PDF of the Prudential Monetary Penalty Notice (Breach Watch Archive) |
| View PDF of the Prudential Monetary Penalty Notice (Via ICO Website) |