Companies found to have breached data protection laws by selling people’s pension pot details face fines of up to £500,000, the information commissioner has warned.

Christopher Graham said claims that millions of individuals’ data is being sold and ending up in the hands of criminals were “very serious”. An investigation has been launched by the privacy watchdog into the allegations published by the Daily Mail.

The newspaper reports that pensioners’ salaries, the value of their investments and the size of their pensions are being sold for as little as 5p without their consent. The financial details are allegedly being bought by fraudsters and cold-calling firms. 

The paper said its undercover reporters were sold the pension details of 15,000 people without any checks being made on who they were and what they wanted the data for.

Responding to the claims, Graham told BBC Radio 4’s Today programme: “I think it is very serious and we have immediately launched an investigation.

“We are in touch with the pensions regulator, the Financial Conduct Authority and the police because this looks like a very serious breach of the Data Protection Act. If it is, then the companies involved are facing serious civil monetary penalties of up to half a million pounds.

“If we establish that it is criminal activity by individuals, then they are in deep trouble, too.”

The investigation comes ahead of pension reforms which come into force on 6 April, which will give savers the chance to access their full retirement funds.

Experts at the Information Commissioner’s Office (ICO) have previously warned that the pension reforms could result in a flood of scams on the scale of “the next PPI scandal”.

Steve Eckersley, head of enforcement at the ICO, described the revelations as “very worrying indeed”. He said: “It suggests a frequent disregard of laws that are in place specifically to protect consumers.

“We are aware of allegations raised against several companies involved in the cold-calling sector, and will be making inquiries to establish whether there have been any breaches of the Data Protection Act or Privacy and Electronic Communications Regulations.

“The ICO has powers to issue companies with fines of up to £500,000 for the most serious breaches of the Data Protection Act, while we can also pursue criminal prosecutions around unlawfully obtaining or accessing personal data.”

An ICO spokesman said it appeared that some firms were getting their hands on pension details because some people do not read the terms and conditions of contracts they sign, leaving them open to having their personal data accessed.

He said it appeared that some companies were getting and selling on the information unlawfully. Some details appear to have been stolen, while other firms appear to have kept personal information when they should have deleted it.

Discussing the pension reforms, Eckersley said: “The information we have been shown supports the work we’ve been doing to target the shady industry that operates behind the nuisance of cold calls and spam texts.

“We are already aware of the potential for a huge spike in the number of scam texts and calls linked to pensions when the law changes in April, and have already taken action against a company that was sending out misleading messages.

“What we have seen here confirms those fears. Personal data is such a valuable asset, particularly financial information. The worst-case scenario here is this information getting into the wrong hands and being used to target individuals at a critical point in their financial lives.”

The shadow work and pensions secretary Rachel Reeves said: “Today’s revelations are shocking. This is further evidence of the government’s total failure to protect more than 300,000 savers who could start accessing their pensions in just over a week’s time.

“Ministers have ignored warning after warning about the threats to savers from fraudsters, but they must now act quickly to protect people from these serious threats to their hard-earned retirement income.”

Source: The Guardian