ICO fines Prudential for inaccurate data

The ICO fined Prudential £50,000 on 6 November for a failure to keep customer data accurate. The ICO, which has so far mostly fined public sector organisations, says that this is a warning to the financial sector.

Prudential’s data breach occurred when the records of two of its customers, who share the same first name, surname and date of birth, were mistakenly merged in March 2007. The error, which was not noticed until 2010, meant that tens of thousands of pounds, meant for an individual’s retirement fund, ended up in the wrong account.

The company was alerted to the mistake on several occasions, including a letter from one of the customers in late April 2010 which clearly indicated his address had not changed for over 15 years. The company failed to investigate thoroughly at this point, the ICO says.

Stephen Eckersley, ICO's Head of Enforcement, said: “Organisations must make sure the information they hold on their customers’ files is accurate and kept up to date in order to comply with the Data Protection Act. In this case two customer files were consistently confused and the company failed to remedy the situation despite being alerted to the problem on more than one occasion before it was finally resolved. This case would be considered farcical were it not for the serious sums of money involved.”

“We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate. Staff should also receive adequate training on how to manage and maintain them, with any concerns fully investigated in order to ensure problems are addressed at an early stage.”