skip to content
To provide their services, most organisations need to collect and keep a wide range of information about their customers. And together, financial businesses deal with an enormous amount of data and details – relating to the financial activities and personal circumstances of most people in the UK.
Some of this information is necessarily going to be sensitive. So it’s understandable that some people may be extremely worried at the prospect of it being passed on without their knowledge or agreement – whether that’s deliberate or accidental on the business’s part.
Each year we receive a number of complaints from people who are worried that a business might have misused their personal information. People point to a range of consequences, from embarrassment that others have found out about their financial difficulties to actually being threatened with physical harm – for example, because their address has been wrongly revealed.
In some cases, people tell us they believe a business has breached the Data Protection Act. We (and often the business when they’re investigating the complaint) generally refer these cases to the Information Commissioner’s Office (ICO), which is responsible for establishing whether there’s been a breach of the law.
On the other hand, we can help people to understand exactly how any breach happened – and the impact on the individual customer involved. We’ll decide whether the business failed in their general duty of confidentiality to their customer. And if they did, we’ll consider whether they could have known the effect this would have.
Because of the personal nature of the information involved, people often feel very strongly that we should punish businesses that have acted wrongly. We’re careful to explain that it’s not our job to fine a business. Our job is to help a business make up for both the financial and non-financial consequences of any error, including any upset someone’s experienced as a result. While the ICO is responsible for fining organisations that breach data protection law, it can’t compensate their individual customers.
Mr N applied for a credit card in his local bank branch. When he didn’t hear anything after two weeks, he phoned the bank to check on his application.
The bank told Mr N they’d written to him the day after he’d visited the branch to ask for some more information. When they confirmed the address they held for Mr N, it seemed they had his neighbour’s address – and had sent the letter there.
Mr N corrected his address and asked the bank to resend their letter. After a few days, it hadn’t arrived – and again, it turned out the letter had been sent to his neighbour.
Mr N then cancelled his credit card application and made a complaint. He told the bank he’d previously been assaulted by his neighbour – and was extremely concerned that the neighbour would misuse the information in the letter the bank had sent out.
The bank didn’t agree that they’d done anything wrong, saying they’d written to the address that Mr N had given them. But Mr N maintained he’d given them the correct address – and brought his complaint to us.
We needed to understand how the bank’s letters had ended up being sent to the wrong address.
We checked the application form, but found the handwriting very difficult to read. We confirmed with Mr N that it was his own handwriting. But given how difficult it was to read, we thought that the bank should have realised how easily a mistake could have been made and double-checked Mr N’s address before sending anything out.
Mr N also told us he’d phoned the bank to tell them what had happened – so it was clear that the bank had been given the chance to correct Mr N’s address. And they’d still gone on to resend the letter to the wrong address. The bank checked the letter they’d sent – and confirmed that it would have contained some sensitive information.
So it was clear that sensitive information had been sent to Mr N’s neighbour – but we needed to look at the impact that this had actually had. Mr N told us he had a very bad relationship with his neighbour. He’d been assaulted a few months previously and the police had been involved. He was very worried that his neighbour might now have his financial details and use these against him in some way.
Given the circumstances, we thought that the bank could’ve prevented the sensitive information being sent to Mr N’s neighbour. While Mr N hadn’t lost any money, we told the bank to pay him £200 to reflect the stress and upset their mistake had caused and checked that the bank now had the correct address. Mr N’s bank also agreed to help him monitor his credit file to make sure there were no problems after his neighbour had seen his details.
As Mr M arrived home from work, he was told by a neighbour that a debt collector had been asking after him. He then found that the debt collector had left a note on his front door, explaining they’d visited about arrears on his loan.
Mr M complained to the loan provider, saying he was very embarrassed that his neighbour now knew he was in debt – and that this had been displayed in a note for anyone to see.
The loan provider apologised and offered to reduce Mr M’s arrears by £25. But Mr M didn’t feel this made up for the embarrassment of having people know about his financial circumstances – so he brought his complaint to us.
The loan provider had accepted that their debt collector shouldn’t have left the note. But to decide whether they’d done enough to put things right, we needed to understand what the impact had been on Mr M.
Mr M sent us the note – and a photo he’d taken of it pinned to his door. The note included specific details about how much he owed – and it had been clearly visible. Mr M said that one of his neighbours had read the note and talked to the debt collector. He said that when this neighbour was telling him about the debt collector’s visit, some of his other neighbours were nearby and could have overheard.
Mr M told us he was extremely embarrassed by what had happened – and was now worried about bumping into his neighbours.
We pointed out to the loan provider that industry guidance for debt collection clearly states that companies shouldn’t disclose debt details to third parties. In our view, while the debt collector hadn’t given any details directly to Mr M’s neighbours, the fact they’d left the note clearly visible on his front door meant they’d breached this guidance.
The incident had been very upsetting for Mr M – and we agreed that the loan provider hadn’t fully recognised the impact on him. We told them to increase their offer to £400, to better reflect the worry and embarrassment their actions had caused.
Mr H lived with his partner, Miss A, and their children. The mortgage on their house was in Mr H’s name. He’d been having problems keeping up with his repayments for some time, but hadn’t told Miss A he was significantly in arrears.
Worried that their home would be repossessed, Mr H asked Miss A if she could make a repayment. Mr H called the mortgage company to make the payment and Miss A gave her payment details over the phone. During the call, the mortgage company told Miss A the account was significantly in arrears and by how much.
A few days later Miss A left Mr H and moved away with their children. Mr H complained to the mortgage company, saying they shouldn’t have given Miss A details about the mortgage and the arrears.
Mr H believed that Miss A wouldn’t have left him if she hadn’t known about his money problems. He said that he now had to travel a long way to see his children and didn’t have Miss A’s income to help with daily expenses, making his financial position even worse.
The mortgage company apologised for giving out the information – but didn’t agree that they were responsible for Miss A leaving Mr H. Mr H then contacted us, saying he didn’t feel the mortgage company appreciated the consequences of their mistake.
Mr H was adamant that if the mortgage company hadn’t told Miss A about the mortgage arrears, she wouldn’t have left him.
We could see that Mr H and Miss A’s relationship had ended shortly after Miss A had found out about the arrears. But that didn’t mean we could say for sure that this was the reason she’d left him.
So while the mortgage company had clearly made a mistake, we didn’t think it would be fair to blame them for Mr H’s underlying financial problems. And since the mortgage company hadn’t known that Mr H was keeping information from Miss A, we didn’t think they could have anticipated that the couple would have split up if the arrears had come to light.
However, we pointed out to the mortgage company that they had made a serious error in disclosing sensitive information to a third party. Whether or not this was responsible for his relationship breaking down, it had caused him a considerable amount of stress and embarrassment.
When we explained the impact this had on Mr H, the mortgage company offered to pay him £450 to recognise the upset they’d caused. And after talking things through with Mr H, he said he recognised that his family troubles were more down to his own difficult financial situation – and agreed that £450 fairly reflected the mortgage company’s mistake.
After their sister died, Mrs G and her brother, Mr P, were appointed joint executors of the estate. Mrs G’s sister had left her the proceeds of an investment bond – which she’d put towards the cost of her sister’s husband’s care.
Over the next few months, Mrs G and her brother were involved in a dispute over their sister’s estate. During this time, Mrs G’s brother’s solicitor wrote to the bond provider, arguing that the brother was entitled to a share. The bond provider replied that the bond had already been cashed in.
When Mrs G found out about the bond provider’s contact with her brother’s solicitor, she made a complaint. She said that since the bond had been intended for her alone, the provider shouldn’t have disclosed any details to a third party. She said that her brother claimed he hadn’t known she’d cashed the bond – and he was now taking court action against her.
The bond provider replied that they’d checked with their lawyers before passing information to the brother’s solicitor. Still unhappy, Mrs G contacted us – saying the provider had breached data protection rules and should pay her court costs.
complaint not upheld
We told Mrs G that we could consider what impact the bond provider’s actions had had on her. And – when she asked for a regulatory investigation – we explained the role of the information commissioner in looking into whether there had been a breach of data protection rules.
Mrs G told us that – even if the bond provider had been allowed to pass on information to her brother’s solicitor – she felt she should have been told in advance. She said if she had been, she would have asked the provider not to reply.
Mrs G said she’d incurred significant legal costs, which she felt were a result of the provider passing on the details.
We asked to see a copy of the bond provider’s letter to the brother’s solicitor. We couldn’t see that they had provided specific details about the bond. They’d only replied that it was now closed. And the fact the brother’s solicitor had written to the bond provider – quoting the policy number – indicated that it already formed part of the ongoing legal dispute between Mrs G and her brother.
It also appeared that legal proceedings were already planned at the time the bond provider sent their letter to Mr P’s solicitor. In light of this, we thought that it was most likely that what had happened to the bond would have come up as part of the proceedings. So even if the bond provider hadn’t replied at all, Mrs G would still have been in the same position – having to explain what had happened to the investment.
We recognised that both the dispute with her brother and the complaint against the bond provider had been upsetting for Mrs G. But given everything we’d seen, we didn’t think the bond provider’s actions had disadvantaged her – so we didn’t think it was fair to tell them to pay compensation.
Mr O and his wife had taken out a mortgage endowment policy – but split up before the mortgage and the policy matured.
Concerned that his wife, Mrs O, would try and cash in the policy, Mr O got in touch with the investment provider. He told them not to agree to any requests from Mrs O to transfer the policy to her name only – and to send any letters about the policy to his new address.
But Mr O later received an email from his wife – while they were trying to sort out their joint arrangements as part of their separation – saying that she’d surrendered the policy herself. Mr O complained to the investment provider, pointing out that he’d given them specific instructions, and that he’d now lost his half of the money.
The investment provider apologised for the mistake, but said that Mrs O had told them that she’d already effectively given Mr O half the value of the endowment. The provider said there was nothing else they could do – and suggested Mr O raise the matter as part of any divorce proceedings in court.
Unhappy with this response, Mr O complained to us.
We asked the investment provider why they’d surrendered the policy with just Mrs O’s signature. They told us that when Mrs O had written to them she’d put “we”, rather than “I”, in the letter – so they’d assumed she’d had Mr O’s consent as well.
When we asked the provider what they’d done after Mr O had told them about the separation, they told us they’d put a note on their internal system.
It was clear that the investment provider had made an error. They accepted that they shouldn’t have surrendered the policy without also having Mr O’s consent.
Mr O had told the investment provider he wanted them to compensate him by paying him what the policy would have been worth at the end of its term – rather than when his ex-wife surrendered it. But we explained that, because we couldn’t say exactly what the policy would have been worth in the future, we’d only tell the investment provider to pay Mr O what he should have got when his ex-wife surrendered it. The provider also offered Mr O £150 for not handling his concerns as well as they could have.
Mr B and his partner had insured their cars together on one policy. When the couple split up, Mr B contacted the insurer to update his details and switch to his own policy.
About a month later, the insurer wrote to Mr B to say they hadn’t been able to set up the new direct debit for him – and asked him to contact them to confirm his payment details.
When Mr B phoned the insurer, he found out that the insurer still had his ex-partner’s email address as the contact for his account – and that a copy of the letter about the direct debit had been sent to her email address.
Mr B complained. He told the insurer that during a previous argument, his ex-partner had damaged their house. And now she had his new address from the email, he was concerned that she could do the same again – or cause other problems for him and his new partner.
The insurer apologised for the mistake and offered Mr B £100 to make up for the upset they’d caused him. But Mr B felt there had been a serious breach of confidentiality. He asked for £2,000 compensation and for the insurer to waive the rest of his premiums for the year.
When the insurer wouldn’t change their position, Mr B complained to us.
complaint partially upheld
We explained to Mr B that we couldn’t fine the insurer for any “breach of confidentiality” – but that the Information Commissioner’s Office would be able to look into his concerns.
Instead, we told Mr B that we would consider whether the insurer had dealt with his complaint fairly – and whether the compensation they’d offered was reasonable.
Mr B told us that the reason he was so worried about his ex-partner finding out his new address was because they’d had serious domestic issues. He said his ex-partner was violent and had recently been admitted to a psychiatric hospital.
When we spoke to the insurer, they said Mr B had told them when he contacted them to change his policy details about previous incidents between him and his ex-partner. They explained that they’d checked if she’d been in contact – or had taken any action – after they’d mistakenly sent the email. Mr B had told the insurer that he hadn’t heard from his ex-partner since then.
Mr B hadn’t reported any domestic incidents to the police – either before or after the insurer’s mistake. And we didn’t think that Mr B’s ex-partner’s mental health difficulties necessarily meant she was likely to cause harm to Mr B.
While Mr B hadn’t been hurt, it was clear the insurer’s mistake had caused him a significant amount of upset and stress. We told the insurer that, based on everything we’d seen, we thought compensation of around £500 was more appropriate.
ombudsman news gives general information on the position at the date of publication. It is not a definitive statement of the law, our approach or our procedure.
The illustrative case studies are based broadly on real-life cases, but are not precedents. Individual cases are decided on their own facts.