Information Commissioner Christopher Graham has told the BBC that an investigation has been launched into claims made by the Daily Mail newspaper that the details of millions of people's pensions are being sold to fraudsters and cold-calling firms.
The Pensions Regulator, the Financial Conduct Authority and the police are being contacted by the ICO, which can fine companies up to £500,000 for unlawfully obtaining or accessing personal data. Data on salaries, investment values and pension size are being sold for as little as 5p without people's knowledge, claimed the Mail report, which has come out ahead of new rules under which pensioners and those around a decade before retirement will be able to access their full pension pot from 6 April.
Daily Mail reporters claiming to be from a cold-calling company were offered information on 15,000 people without any checks being made on who they were and why they wanted the data.
The data was said to be gathered from the details in mortgage application forms, but it was not clear whether it had been gathered legally, when people gave away information unwittingly, or illegally, by being passed on for purposes for which it was not intended. It is not necessarily illegal to sell data lists when people have given away information freely.
One commentator on the BBC website said, “Personally I believe that it's the people who hold the information on us (legitimately) are the ones who should be held responsible. After all you can expect crooks to behave like crooks and deal with them accordingly but those who are lax with our info also deserve punishment.”
Steve Eckersley, the head of enforcement at the ICO, was reported by various news websites as saying: “It suggests a frequent disregard of laws that are in place specifically to protect consumers. We will be launching an investigation immediately... (to see if there are) any breaches of the Data Protection Act or Privacy and Electronic Communications Regulations.”
Under the Data Protection Act there is no specific exemption from registration relevant to the processing of personal data for pension purposes. There is an exemption from registration where the processing is only of manually-held personal data.
Commenting on the breach, Sian John, chief security strategist EMEA, Symantec, said in a public statement: “The non-consensual sale of private financial information highlights a blatant disregard for the privacy and security of people's data. Our research recently found 72 percent of European consumers think it's unfair that companies are making money from their personal information and with today's findings, it is likely that this feeling will increase.
“If businesses are going to continue collecting, using and selling people's sensitive personal information, they must be more transparent about how this data is being used and the steps that have been taken to secure it. Consumers are increasingly aware of the value of their information, with 63 percent of European consumers valuing their data at over €1,000. They are also taking steps to protect their online privacy with one in three people surveyed providing fake information to companies.
“Today's report highlights the growing need for businesses to be more transparent about how they use and store people's information. If they don't, it is only a matter of time before customers migrate to those organisations and services which will keep their data secure and be open about how it is being used.”
Separately, last week the ICO fined the Serious Fraud Office £180,000 after a witness in a serious fraud, bribery and corruption investigation was mistakenly sent evidence relating to 64 other people involved in the case.
The Serious Fraud Office's investigation focused on allegations that senior executives at BAE Systems had received payments, including two properties worth over £6 million, as part of an arms deal with Saudi Arabia.
Between November 2011 and February 2013, when evidence was being returned, the witness was sent over 2,000 evidence bags. In total, 407 of these bags contained information about third parties, including bank statements showing payments made by BAE Systems to various individuals, hospital invoices, DVLA documents and passport details.
ICO deputy commissioner and director of data protection, David Smith, said: “This was an easily preventable breach that does not reflect well on the organisation (SFO). All law enforcement agencies should see this penalty as a warning that their legal obligations to look after people's information continue even after their investigation has concluded.”