The Financial Conduct Authority (FCA) was forced to remove data from its website after it inadvertently shared confidential information as part of a response to a freedom of information (FOI) request.
The FOI was published in November 2019 and related to the nature of complaints made against the FCA and handled by its complaints team, between 2 January 2018 and 17 July 2019.
“The publication of this information was a mistake by the FCA,” it admitted.
“As soon as we became aware of this, we removed the relevant data from our website. We have undertaken a full review to identify the extent of any information that may have been accessible.
“Our primary concern is to ensure the protection and safeguarding of individuals who may be identifiable from the data.”
The watchdog said that, in most instances, people could only access information relating to the name of the complainant.
Troubled waters
But, in some cases, a complaint description as well as the individual’s address, telephone number and other personal and sensitive data were openly accessible.
“Where this is the case, we are making direct contact with the individuals concerned to apologise and to advise them of the extent of the data disclosed and what the next steps might be,” the FCA added.
“No financial, payment card, passport or other identity information were included.
“We have taken immediate action to ensure this cannot happen again. We have referred the matter to the Information Commissioner’s Office.”
The breach could mean that the FCA may have contravened the European Union’s general data protection regulation (GDPR) and/or the UK’s Data Protection Act, which could see the watchdog hit with a fine of either up to €10m (£8.3m, $10.8m) or 2% of its annual turnover.
On top of that, the regulator would need to compensate any individual that has suffered “material or non-material damage as a result”, according to the European regulation.
