ICO Targets Financial Sector for Data Breach

So far the majority of fines from the ICO under its increased powers have been issued to public sector organisations, following significant data security breaches. However, the tide looks to be turning: a fine of £50,000 has just been issued by the ICO to Prudential for not keeping customer records accurate. This is the first time that the ICO has issued a significant fine purely for inaccurate data, rather than for data loss. In this case, two customers with the same first name, surname and date of birth were merged into one record, which resulted in tens of thousands of pounds being paid into the wrong account.

The decision confirms that the ICO views an individual’s financial affairs as something that can have a significant impact on their life, so a failure to protect financial information meets the criteria for an ICO fine. Crucially, the data involved does not need to be classed as ‘sensitive’ to attract a fine – here it was just a name and address that was incorrectly recorded.

This year’s statistics show that 15% of all data protection complaints relate to the financial sector, although until now fines in this sector have been rare. The ICO has, with this decision, sent a very clear message to the financial sector that good record keeping must be a priority.

Keeping data accurate and up to date is only one of the 8 principles of data protection law, but it can be one of the most difficult to comply with, especially for large financial sector organisations that hold a lot of data.

Here are some tips to encourage compliance:

  • Only ask for information that you need, and delete what you don’t need – the less you hold, the less likely there is to be a mistake;
  • Have an information retention policy setting out classes of information and how long you need to keep each of them for;
  • Regularly refresh customer contact databases, requesting updates to address and contact details;
  • Have processes in place to make sure reported errors are highlighted quickly – failure to act on a reported mistake will aggravate any fine;
  • Having policies and processes in place is only part of it – make sure there is a well-resourced and supported team responsible for taking ownership of data accuracy;
  • Implement organisation-wide training to bring your policies and processes to life – ensure all staff understand the reasons why data needs to be kept up to date.

Helena Brown