The UK Information Commissioner’s Office (ICO) served a monetary penalty of £50,000 on Prudential, after Pru merged accounts of two people with the same name and same date of birth five years ago. The “mix-up” in administration of two accounts culminated in tens of thousands of pounds ending up in the wrong account. Despite repeated attempts to sort out the matter over a three-year period, the Pru continued to confuse the accounts and accountholders.
This is the first time the ICO has issued a monetary penalty for a breach of the Data Protection Act other than for loss of personal data. The ICO determined that the inaccuracies and failure to keep customer records up to date was a serious contravention of the Data Protection Act.
The ICO received more public complaints about data handling by the money lenders than any other sector. Around 15% of the nearly 13,000 data protection complaints related to concerns about the financial services sector, with inaccurate data the third most complained about issue across all sectors.
Stephen Eckersley, ICO head of Enforcement, stressed that “staff should also receive adequate training on how to manage and maintain [customer records], with any concerns fully investigated in order to ensure problems are addressed at an early stage.”
Prudential has co-operated with the ICO and has now updated its processes and implemented staff training to ensure greater accuracy of customer records.