Scottish Widows has been accused of breaching data protection rules after it sent sensitive client information to the wrong policy holder by accident.

Last month, one of Scottish Widows’ clients received a letter, seen by Financial Adviser, which included various pieces of information about another client’s pension pot.

This included details such as the start date of the plan, the amount of assets held, the membership number and the level of employer contributions.

It also included personal information such as the client’s name, age, selected pension age and occupation.

Scottish Widows has confirmed that this letter was sent out in error and said it was an isolated case that followed an employee making a mistake when entering data.

The error arose when the employee was completing the same task for two different customers at the same time.

Both clients received their correct cover letter and policy information but one of the individuals received a second letter intended for the other customer, as the employee processing the requests added the wrong address to one of the letters.

Scottish Widows has since explained to both customers how the mistake happened and said it had increased oversight levels on their files as a precaution.

Financial Adviser understands the client who received the incorrect letter has been compensated £50 for the inconvenience caused, but it is unknown what level of compensation, if any, the other person was awarded.

A spokesperson for Scottish Widows said: “We’re very sorry this mistake happened and have confirmed with both customers that it was an isolated case, due to human error.

“Feedback has been provided to the individual involved for training and development purposes.”

The error comes at a time when companies are having to pay more attention than ever before to the data they hold and how they handle it.

The General Data Protection Regulation, which came into effect last year, gave the Information Commissioner’s Office greater powers to tackle data breaches.

For example, in the most serious cases, companies can now be fined up to £20m or 4 per cent of annual worldwide turnover, whichever is greater.

Before GDPR, the ICO could only fine up to a maximum of £500,000.

An ICO spokesperson said: “Organisations must make sure they handle people’s personal information securely in line with data protection law.  Where they don’t we have powers to take action.

“Depending on the specific circumstances of a case, this can range from issuing practical advice to the organisation, requesting information from them, carrying out an assessment or, in the case of serious breaches, a fine.”

It is understood neither client wanted to pursue the matter further.

Laura Dean, operations manager at Balance Wealth Planning, said: “The security of someone’s financial data is incredibly important. People are very private about their finances and rightly so.

“Even more care and attention should be taken when dealing with sensitive information, such as someone’s financial position, as the implications of a breach could be quite serious for the party involved.”

Source