
Merge overkill - Prudential fined for data mix-up

The Information Commissioner's Office (ICO) has fined Prudential £50,000 for a serious breach of the Data Protection Act following an administrative error that saw the records of two customers merged and culminated in one customer transferring tens of thousands of pounds belonging to the other.

Customer A and customer B were two Prudential policy holders who shared the same first name, surname and date of birth. In March 2007, a mix-up led to customer A's address being updated to be the same as customer B's, and the two customer records were subsequently merged. When customer A contacted Prudential regarding an unrelated matter, his original address was reinstated, resulting in a corresponding change to the address held for customer B's policy. Over the next three years both customers repeatedly received financial information relating to the other. Critically, in July 2009, customer B's financial advisors reviewed the financial statements he had received and advised him to transfer funds to another investment company which handled his pension. This resulted in tens of thousands of pounds which actually belonged to customer A being transferred by customer B.

Despite being contacted several times by each customer in relation to the error, the two customers' records remained merged until September 2010, and the erroneously transferred funds were not recovered until 2011.

This case is significant as it is the first monetary penalty notice issued that does not relate to a breach of the seventh data protection principle (the requirement to keep data secure). In this case the fine was imposed for breach of the fourth data protection principle, which requires data controllers to keep personal data accurate and, where necessary, up to date. It is worth noting that the majority of complaints the ICO receives relate to inaccuracies in individuals' personal information. This fine is a signal to all data controllers that those inaccuracies may be punished, particularly where they relate to customers' financial affairs.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2012. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.
