The Information Commissioner's Office has fined insurance provider Prudential £50,000 after it mistakenly merged customer records for two people with the same name and the same birthday.
It is the first fine the ICO has issued for a breach of the fourth principle of the Data Protection Act, that "personal data shall be accurate and, where necessary, up to date". All previous fines have concerned the loss or theft of personal data.
According to the ICO's investigation, Prudential merged the two customers' records in March 2007. This led to each customer being sent erroneous information, and in 2009 funds due to one customer were sent to the other.
One of the customers complained to the company in April 2010, but the records were not demerged until September of that year.
The ICO concluded that Prudential "knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial distress, but failed to take reasonable steps to prevent the contravention."
As a large insurance provider with around six million customers, Prudential should have known that some of its customers are likely to share the same name, and taken precautions to ensure that this did not lead to records being merged.
Prudential has now improved staff training to ensure that such an error could not happen again.
Prudential statement
“We are very sorry for any distress and inconvenience experienced by the two customers, and we have apologised and compensated them. We regret that this incident occurred and was not resolved more quickly,” Prudential said in a statement.
“The circumstances surrounding this case are unique, as the two customers have the same first name and last name and the same date of birth. The subsequent accidental merging of the two customers’ details was not the result of system or process failures. It originally happened when the financial adviser of the first customer mistakenly provided the address of the second customer to us and requested that we change the first customer’s registered address.
“The problem was rectified in 2010 to the satisfaction of the ICO. We co-operated openly and fully with the review and we accept the fine imposed. When this issue came to light we reviewed our procedures and staff training and made changes to minimise the chances of a similar error occurring again.
“We note the ICO has said that Prudential’s conduct following the reporting of the case was exemplary and the ICO has recognised that we have taken steps to improve processes and staff training to minimise the risk of a similar error occurring again.”
The ICO said it received more complaints about financial services providers than any other sector last year, "with inaccurate data the third most complained about issue across all sectors."
“We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate,” said Stephen Eckersley, the ICO's head of enforcement. “Staff should also receive adequate training on how to manage and maintain them, with any concerns fully investigated in order to ensure problems are addressed at an early stage.”
Last month, Bank of Scotland (now a part of Lloyds Banking Group) was fined £4.2 million by the Financial Services Authority, after sending misleading mortgage information to customers. It found that Halifax, a division of Bank of Scotland, had relied on poorly integrated systems and manual processes to connect its customer information systems to its mortgage offers letter system.