Outcomes - Selected Case Summaries



Financial service provider neglects to update their paper files

Informal Resolution | 31 January 2022

Two individuals opened a joint investment account with a local financial planner. One of the account holders sold his interest in the investment account to the other and notified the data controller. In response, the data controller updated its electronic system, but did not update its paper-based filing system to reflect the change. A new staff member assigned to the investment account, erroneously used the outdated information in the paper file to review the account and contact third parties. In doing so, the staff member shared personal data belonging to the account holder with the previous account owner, causing a personal data breach.

We investigated the matter and recommended that the data controller: (1) implement better controls to ensure that data held on all filing systems are up to date; (2) ensure that all employees routinely receive data protection training relevant to their job functions; and (3) publish an internal written policy or procedure on how staff process personal data in the course of an investment portfolio review.