UK FSA Imposes Substantial Fine for Disclosure of Personal Data
April 2007 Financial Services Advisory Update, Vol. 4, No. 3
Suzanne Innes-Stubb
Enforcement action is heating up in the UK relating to unlawful disclosures of personal information. In February, the UK Financial Services Authority imposed a fine of £980,000 on the Nationwide Building Society for the unlawful disclosure of confidential customer data held on an employee's laptop computer which was stolen from his home. The theft of the laptop was reported promptly. However, the employee did not inform Nationwide that his laptop contained extensive customer information until he returned from a three-week holiday and, during this time, Nationwide took no steps to investigate what information the laptop contained.
Under Section 206 of the Financial Services and Markets Act 2000, the FSA has considerably greater powers to impose fines for breach of its regulatory principles than the UK Information Commissioner's Office (ICO) does in respect of infringement of the UK's Data Protection Act, which is why the job of policeman in this case appears to have been left to the FSA. Nationwide was found to have breached Principle 3 of the FSA's Principles for Business, which states that a firm must take reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems. Inadequate training on data security was also a ground of criticism.
It is worth noting that the penalty would have been as high as £1.4 million had Nationwide not agreed to settle at an early stage of the FSA's investigation, thereby qualifying for a 30 percent discount under the FSA's executive settlement procedures.
The lessons from this case are clear: ensure adequate, specific training on data security; promptly check the contents of any lost or stolen laptop or other business equipment; and settle early to benefit from a substantial reduction in fine. The FSA's decision can be found here.
Separately, the ICO has also taken action against financial institutions recently, requiring 11 banks and building societies, as well as The Post Office and the Immigration Advisory Service, to sign formal undertakings to comply with the UK Data Protection Act. The ICO found that these entities had each discarded personal information in refuse containers outside their offices, in some cases enabling extensive customer profiles to be reconstructed from the documents in question. While the ICO lacks the FSA's power to impose immediate fines, breach of these undertakings could ultimately lead to prosecution by the ICO and the imposition of fines by the courts.
This newsletter may include links to websites other than the White & Case website. White & Case LLP has no responsibility for any websites other than its own, and does not endorse the information, content, presentation or accuracy, or make any warranty, express or implied, regarding any other website.
The White & Case Financial Services Advisory Update is prepared for the general information of our clients and other interested persons. It should not be acted upon in any specific situation without appropriate legal advice.
This newsletter is protected by copyright. Material appearing herein may be reproduced or translated with appropriate credit.
© 2007 White & Case LLP