ICO launches investigation into firms sharing personal data: liability and insurance implications for professionals

United Kingdom


Recent revelations that personal pension information is finding its way into the hands of fraudsters and cold-calling companies underline the need for companies to be aware of their potential exposures to data theft, and to consider to what extent further insurance coverage is needed in the light of this.


The Information Commissioner’s Office (“ICO”) has announced that it has launched an investigation into allegations that personal data relating to millions of people’s pensions were available for sale.

A report in a national newspaper has claimed that several companies had sold financial and other personal data relating to people’s pensions to fraudsters and cold-calling firms, without the knowledge of the individuals concerned.

Pension reforms, in effect since 6 April, give pensioners the freedom to spend their pension pots as they wish, rather than be compelled to buy an annuity. As a consequence, organisations controlling their personal data, including financial information and sensitive personal data relating to medical conditions, are now at heightened risk of a cyber-attack or some other security failure because these individuals are now highly attractive targets for people trying to persuade them to spend pension monies on non-standard or unsuitable products.

Legal Issues

Although it is unclear exactly how the personal data of individuals mentioned in the article was obtained, such information is highly likely to have been obtained unlawfully, in breach of the Data Protection Act 1998 (“DPA”). SIPP administrators, Independent Financial Advisers (“IFAs”) and pension trustees alike should be aware, since they may face sanctions from the ICO and also be liable to pay compensation to an individual who has suffered damage or distress as a result of a breach.

The DPA sets out a number of data protection principles to which a data controller (which could be an individual or a company) must adhere when processing personal data. Whilst compliance with all of the principles is important, three of the principles appear to be most relevant here.

The first data protection principle requires data controllers to process personal data fairly and lawfully, and in particular that at least one of the conditions for processing set out in the DPA is satisfied. These conditions include where processing is necessary for the performance of a contract to which the data subject is a party, where processing is necessary for the purpose of pursuing the legitimate interests of the data controller, or where the individual has given his consent to the processing, none of which would apply in this case.

Conditions for the fair processing of sensitive personal data, which would include any information relating to the health of individuals collected by a SIPP administrator or IFA in order to price an annuity for a potential customer, are even more stringent, so that if data relating to individuals’ pensions has been sold to a third party without the individuals’ explicit consent, this may have been in breach of the first data protection principle.

The second data protection principle requires that personal data be obtained only for one or more specified and lawful purposes and that it should not be further processed in any manner incompatible with that purpose or purposes. Although data obtained from an individual for the purpose of assessing their eligibility or suitability for a pension product may well have been obtained lawfully in the first instance, most likely with the explicit consent of the individual, passing this data to a third party is likely to contravene the second data protection principle, as doing so may not be compatible with the purposes for which the data was originally collected.

In addition to breaches by companies or unscrupulous employees deliberately selling personal data to third parties, organisations who have had the personal data of their customers stolen via hacking or cyber-attacks may still be caught by the DPA.

The seventh data protection principle requires data controllers to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage to such data. Although the requirement is not absolute, and regard must be had to the cost of implementing such measures, if it can be shown that an organisation has failed to take appropriate steps to ensure the adequate security of its computer systems against hackers or cyber-attacks, it is likely to have breached principle seven and may be exposed to potential sanctions from the ICO and/or claims from individuals who have suffered damage or distress as a result.


SIPP administrators, IFAs and pension trustee companies will hold coverage in respect of professional liability to clients arising out of negligence in their performance of professional services (as defined in the policy).

Significant issues will arise:

  • as to whether the cover extends to liability arising from the unlawful release of personal data, particularly if this is not held in conjunction with the performance of a professional service;
  • as to whether the policy responds where the release was deliberate and/or dishonest;
  • as to cover for the cost of dealing with the ICO on data protection issues;
  • as to cover for the cost of notifying other clients of a breach when a failure of security has been discovered;
  • as to cover for the cost of ICO sanctions; and
  • as to cover for the cost of ensuring that the breach is remedied and a recurrence prevented.


Although the facts surrounding the newspaper story are unclear and the matter is subject to further investigation by the ICO and the police, the story highlights the need for IFAs, SIPP administrators and pension fund trustees alike to ensure that they have appropriate measures in place to safeguard their customers’ personal data.

We are also advising clients to check their liability cover with their brokers, and to consider the possibility of taking out specific coverage for the costs of, and costs consequential upon, a cyber-attack or a security failure.