The FSA has come under fire from the Complaints Commissioner for a data blunder that could have led to sensitive and confidential information about its Keydata investigation being released to the public.
The FSA is currently at an advanced stage of its investigation into Keydata and its directors following the firm’s administration in June 2009 and subsequent client losses, which have seen the Financial Services Compensation Scheme (FSCS) agree to pay out up to £400m.
The Complaints Commissioner has recently published two complaints relating to the delivery of the FSA’s preliminary investigation report into Keydata, containing 5,000 pages, to Keydata director Mark Owen and head of compliance Peter Johnson last August.
The courier delivered the package, containing confidential information stored on unencrypted discs, to a neighbour of Owen’s between 10pm and 10.30pm on August 31. Money Marketing, Fundweb’s sister-publication, understands the neighbour lives half a mile away from Owen and does not know Owen personally.
In his reply to Owen, Complaints Commissioner Anthony Holland writes: “The FSA’s actions allowed itself to be placed in a position where the unencrypted discs could have been passed to a third party and the confidential and sensitive information about a potentially high-profile case could have been released to the media. I have to bear in mind how the FSA has dealt with firms who have lost sensitive and confidential material. I also must ask how the FSA would have responded had the person under investigation either lost the material or released it to the media.”
Holland said delivery of such confidential material after 10pm came close to breaching the right to privacy. The FSA apologised for the mistake and has since amended its processes.
Johnson received his investigation report after 9pm. The FSA was told to make an unconditional apology to his family for the timing of the delivery and the manner in which the original complaint was dealt with. The FSA says it sent the documents late in the evening so that recipients would be given a full 28 days to respond to the investigation reports. It says it regrets that its policy of encrypting data was not followed.