Tuesday 8 September 2009

Independent Financial Advisers oblivious to data protection

Who has the most information about you, as an individual?
  • your doctor?
  • your lawyer?
  • your bank manager?
  • the HMRC?
  • your local council?
No - it is likely to be an Independent Financial Adviser. If you consider what counts as "personal data" (see the ICO Web pages), then the IFA ticks off more data categories than any other professional relationship in your life, except for UK Government vetting. The ICO does not publish a list of personal data categories; instead, whether data is "personal" is decided by asking 8 questions:

  1. Can a living individual be identified from the data? Yes, all forms carry name, address, date of birth and often National Insurance number. IFAs will also ask for proof of identity such as bank cards, passport or driver's licence. For regulatory reasons, all of this information is stored by the IFA.
  2. Does the data 'relate to' the identifiable living individual, whether in personal or family life, business or profession? Again, yes it does. Joint life cover and family health schemes will typically hold data about family members and about the business the policyholder works in.
  3. Is the data 'obviously about' a particular individual? Yes, it has to be!
  4. Is the data 'linked to' an individual so that it provides particular information about that individual? Yes: quotes, policy numbers, National Insurance numbers, passports and bank account details all help link to and identify an individual. These are all needed for commencing many policies, and bank details are often used for some types of investments.
  5. Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual? Yes, policies with life cover options will have varying costs depending on the individual's health and the location of their home address. Income will play a part in pensions and other investments such as bond products.
  6. Does the data have any biographical significance in relation to the individual? Yes; in particular, medical history reports for health cover will cover the individual in detail. Income history, previous addresses and knowledge of past and current financial products build a picture of the individual. Even, for some individuals, country of residence (for tax purposes) adds more colour to the picture.
  7. Does the data focus or concentrate on the individual as its central theme? Yes, pretty much all products concentrate on the individual - particularly since anti-money laundering legislation came in.
  8. Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity? Yes, for example a rejection for life cover on medical grounds could have an impact, as would knowledge of an individual's financial situation, especially for targeted identity theft and the like.
So given that IFAs have ticked all the boxes for data categories deemed 'personal' by the ICO, surely they must have stringent measures in place for data security?

Well no, actually they don't.

Larger firms and the product providers (Aviva, L&G, Prudential, Standard Life etc.) will have strict enforcement of data security - but the majority of IFAs are independent and will operate as a small business with no formal IT strategy and no formal training on data security. Many IFAs will buy laptops from retail stores like PC World, or from Dell's online retail store, and configure them themselves. They are also using BlackBerrys and Apple iPhones with no knowledge of how data on them is, or is not, secured. Potentially, all of your data is being stored on unencrypted, unsecured devices.

The FSA regulates IFAs, but it is my view that many IFAs pay lip service to the "regulated by" statement on their business cards. It is only a matter of time before the FSA gets some teeth and, in combination with the ICO (which will soon be allowed to prosecute), will close down IFAs that have non-existent security.
