City regulator FCA admits losing thousands of sensitive documents

Regulator forced to admit to multiple data breaches following Freedom of Information request

City regulator the Financial Conduct Authority (FCA) has admitted to losing confidential documents on up to 2,000 financial-sector workers after the organisation accidentally published their personal details.

The regulator, which takes a conservative view of banks using cloud services on data protection and security grounds but uses cloud services itself, has been forced to admit that it has not taken the kind of care of personal data that it expects of the organisations it regulates.

The lapses were revealed following a Freedom of Information request by The Times newspaper.

"In March 2015, files related to regulatory action being taken against a firm were lost on FCA premises. Only five months later, more "enforcement-related papers" were lost outside the regulator's offices by an external contractor. The documents were not recovered in either case," reported The Times, which uncovered a string of data protection blunders by the Agency.

The organisation also sent personal details of a City worker to the wrong company - personal details that included date of birth and national insurance number, as well as their name and address.

Andrew Tyrie, chairman of the Treasury Select Committee of the House of Commons, was scathing. He told The Times: "Our financial services watchdog should be holding itself to the standards it expects from industry," adding: "Everyone makes mistakes, [but] FCA seems to be making more than its fair share."

The FCA claimed that it has not been sanctioned by the Information Commissioner's Office (ICO), the data protection regulator, as a result of the breaches and added: "None of the breaches identified resulted in any detriment to either firms or individuals."

However, critics pointed out that section 348 of the Financial Services and Markets Act 2000 is supposed to protect information received by the FCA about the affairs of any person from disclosure - while section 352 makes such unauthorised disclosure by FCA staff a criminal offence.