The Financial Conduct Authority (FCA) has revealed that it recently inadvertently published confidential information relating to complainants on its website. This appears to be a “personal data breach”, as defined in the General Data Protection Regulation (GDPR) and the FCA has accordingly notified the Information Commissioner’s Office (ICO).
The Telegraph reports that the data of around 1600 people was involved, and that it was online between November 2019 and this month. It consisted of names, and in some instances addresses, telephone numbers and “other information” relating to those who complained to the FCA between January 2018 and July 2019, and was contained in a response to a request made to the regulator under Freedom of Information (FOI) laws.
It is not immediately apparent how the incident occurred: the risks of inadvertent disclosure when dealing with FOI requests are well understood, and, indeed, the ICO was moved to issue guidance in 2018 on “How to disclose information safely” after a number of prior incidents of similar errors.
A “personal data breach” (defined in Article 4.12) is not in itself an infringement of GDPR; what the ICO will now investigate is the extent to which the FCA complied with its obligation (under Articles 5.1.f and 32) to have appropriate security measures in place. If the ICO finds that the FCA failed to do so, the ICO has the power under Articles 58 and 83 of GDPR and section 155 of the Data Protection Act 2018 (DPA) to issue an administrative fine, to a maximum of €20m or 4% of global annual turnover (whichever is higher). Furthermore, the possibility of individual compensation claims being brought under Article 82 of the GDPR and section 168 of the DPA also exists.
The FCA indicates that it is not contacting all of the people whose data was compromised (only those whose records included “additional confidential information” beyond their names). Although this may be in line with GDPR’s obligation to notify data subjects of a “personal data breach” only in high-risk situations, it seems highly likely that it could now lead to enquiries, and subject access requests under Article 15 of GDPR, from anyone who has raised a complaint with the FCA over the relevant period.