Scottish Widows | Nov 14 2019

Scottish Widows in ‘data breach’ over wrong letters


Scottish Widows has been accused of breaching data protection rules after it sent sensitive client information to the wrong policy holder by accident.

Last month, one of Scottish Widows’ clients received a letter, seen by Financial Adviser, which included various pieces of information about another client’s pension pot.

This included details such as the start date of the plan, the amount of assets held, the membership number and the level of employer contributions.

It also included personal information such as the client’s name, age, selected pension age and occupation.

Scottish Widows has confirmed that this letter was sent out in error and said it was an isolated case that followed an employee making a mistake when entering data.

The error arose when the employee was completing the same task for two different customers at the same time.

Both clients received their correct cover letter and policy information but one of the individuals received a second letter intended for the other customer, as the employee processing the requests added the wrong address to one of the letters.

Scottish Widows has since explained to both customers how the mistake happened and said it had increased oversight levels on their files as a precaution.

Financial Adviser understands the client who received the incorrect letter has been compensated £50 for the inconvenience caused, but it is unknown what level of compensation, if any, the other person was awarded.

A spokesperson for Scottish Widows said: “We’re very sorry this mistake happened and have confirmed with both customers that it was an isolated case, due to human error.

“Feedback has been provided to the individual involved for training and development purposes.”

The error comes at a time when companies are having to pay more attention than ever before to the data they hold and how they handle it.

The General Data Protection Regulation, which came into effect last year, gave the Information Commissioner’s Office greater powers to tackle data breaches.

For example, in the most serious cases, companies can now be fined up to £20m or 4 per cent of annual worldwide turnover, whichever is greater.

Before GDPR, the ICO could only fine up to a maximum of £500,000.

An ICO spokesperson said: “Organisations must make sure they handle people’s personal information securely in line with data protection law. Where they don’t we have powers to take action.

“Depending on the specific circumstances of a case, this can range from issuing practical advice to the organisation, requesting information from them, carrying out an assessment or, in the case of serious breaches, a fine.”

It is understood neither client wanted to pursue the matter further.

Laura Dean, operations manager at Balance Wealth Planning, said: “The security of someone’s financial data is incredibly important. People are very private about their finances and rightly so.

“Even more care and attention should be taken when dealing with sensitive information, such as someone’s financial position, as the implications of a breach could be quite serious for the party involved.”

Ivor Harper, director at advice company Park Financial Limited, said that the implications of a data breach on the customer are often based on what sort of information has been compromised.

Mr Harper said: “For example, let us imagine that a random stranger makes the discovery, through a mis-addressed letter, that some chap called Ivor Harper has a pension with Aviva and has recently invested £10,000 of his pot into Woodford Patient Capital. If that is all the intelligence he has acquired, what’s the harm to me?

“On the other hand, if the letter contains such a wealth of information that it could be used by criminals to begin the process of creating an identity theft, then that’s arguably a different story.”

He added: “My personal view is the GDPR has been a massively over-engineered piece of legislation.

“However, regardless of that view, it still is the legislation and, as a result, of course it must be complied with.”

But Darren Cooke, chartered financial planner at Red Circle Financial Planning, had sympathy with the provider as he said mistakes are bound to happen with the amount of data that they have to hold.

Mr Cooke said: “While this is clearly a serious breach, and I wouldn’t be very happy if it happened to me, I have great sympathy with Scottish Widows, and any other provider for that matter.

“They handle vast amounts of data and are compelled to send out huge amounts via post – which is hardly the most secure method in the first place.

“No matter what checks you put in place it is almost inevitable that there are occasional errors in the system and incidents like this can happen.”

Tim Morris, independent financial adviser at Russell & Co, agreed that “mistakes do happen”, but said it was how these mistakes were dealt with that mattered most.

amy.austin@ft.com

What do you think about the issues raised by this story? Email us on fa.letters@ft.com to let us know