Financial Ombudsman Service decision

Phoenix Life Limited · DRN-6200079

Data Breach · Complaint upheld

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint

Mrs D complains about Phoenix Life Limited trading as Standard Life (“SL”). She’s concerned about SL sending correspondence with her personal information to the wrong address where it was accessed by a third party. She doesn’t think SL has done enough to compensate her for the distress and inconvenience it caused.

What happened

The facts and chronology of this complaint are known to both parties and don’t appear to be in dispute, so I won’t detail every event or communication here. However, I’ve read and considered everything that’s been provided by both parties.

Mrs D holds an Active Money Personal Pension (AMPP) with SL, which was set up in August 2025. On 2 September 2025, SL issued three letters to Mrs D at the incorrect address (“address Q”).

The first letter included Mrs D’s plan number and the death benefit amount used from her late husband’s pension to set up her policy. It confirmed that details of Mrs D’s drawdown payment would be sent under separate cover.

While SL’s first letter named Mrs D as the intended recipient, its second letter was addressed to “Name Unknown”. Amongst other things, the letter confirmed how much Mrs D had withdrawn from her policy, the full account number for where the funds had been paid, and the name of the bank she held her account with. SL’s third letter was again addressed to “Name Unknown” and confirmed how much Mrs D had taken as income.

As there was no indication of who two of the three letters were for, address Q’s occupant opened them. And, using the information enclosed, they were eventually able to identify where Mrs D lived and deliver the letters to her.

Following this, Mrs D contacted SL to complain about what had happened. SL raised a data breach on the same day and wrote to Mrs D at her correct address, confirming it had updated its records with her correct address. SL later considered Mrs D’s complaint and sent its final response. In summary, it said:

• An administrative error had caused Mrs D’s correspondence to be sent to the wrong address. Specifically, the wrong postcode had been keyed into its system.
• It was very sorry that Mrs D’s address hadn’t been checked before correspondence was sent.
• A data breach had been logged, which it would ensure was correctly reported.
• In recognition of the distress and inconvenience it caused – and to cover the cost of a credit reference agency (CRA) subscription which it advised Mrs D to use so she could check for any unusual financial activity – it offered £500 compensation.

Unhappy with SL’s response, Mrs D asked our Service to consider the matter. One of our Investigators considered the complaint and agreed that SL’s errors had caused Mrs D considerable distress and inconvenience. But as she thought SL’s offer was fair, she didn’t recommend that it do anything further.

Mrs D disagreed and, in brief, made the following comments:

• She understood that mistakes happened, but it was negligent of SL not to check the right address was being used after its system flagged “Name Unknown” as the intended recipient of its letters.
• No one seemed to appreciate how much of her personal information had been disclosed. This had caused her significant anxiety and panic.
• In UK Courts, judges often passed sentences based on what could’ve happened as opposed to what actually happened. Although no financial damage had been caused, and she didn’t anticipate this happening, she was conscious that her identity could’ve easily been stolen. She’d been left feeling unnecessarily exposed by what happened.
• She didn’t want a CRA subscription as her bank already provided this free of charge.

As no agreement could be reached, the complaint was passed to me for a decision.

What I’ve decided – and why

I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, I’m upholding Mrs D’s complaint in part. I’ll explain why.

But before I do, I should emphasise that while I’ve taken note of the correspondence and arguments made by both parties, I’ve limited my response to the issues I consider to be central to this complaint. That’s to say whether given what happened, SL has taken appropriate steps to put matters right.

Originally, in addition to her concerns about SL sending letters to the wrong address, Mrs D complained about how she’d been taxed on a withdrawal she’d made from her plan. However, as Mrs D has since discussed the tax issue with HMRC and confirmed she’s satisfied that it’s now resolved, I haven’t considered it further.

Turning now to Mrs D’s main concerns – SL’s failure to send letters to the correct address and keep her personal information safe.

Financial businesses are covered by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). These laws set out the responsibilities of businesses like SL when they handle their customers’ personal information. Amongst other things, they’re required to use the information in a way that is adequate, relevant and limited to only what is necessary. They’re also obligated to handle personal information in a way that ensures appropriate security, including protection against unlawful or unauthorised access.

SL doesn’t dispute that failings in the way it handled Mrs D’s personal information resulted in a DPA breach. However, as our Investigator explained, it’s not the function of our Service to make findings of non-compliance with data protection rules – that function belongs to the Information Commissioner’s Office (ICO) which Mrs D can complain to if she wishes to.

Instead, our Service can consider whether SL has acted fairly and reasonably in the circumstances of this complaint. And, unlike the ICO, I’m able to award Mrs D compensation for any distress and inconvenience she’s suffered because of SL’s actions.

Thankfully, there’s no indication that Mrs D’s fund has been affected by what happened, so I’m satisfied that she hasn’t suffered a financial loss. Accordingly, I’ve focused on the non-financial impact of SL’s actions on Mrs D.

SL’s obligations and the standards it’s required to meet when dealing with customers are set out in the Financial Conduct Authority’s (FCA) Handbook under the Principles for Businesses (PRIN). Of relevance in this case is PRIN 2.1.1 which states that a firm must conduct its business with due skill, care and diligence; take reasonable care to organise and control its affairs responsibly and effectively; pay due regard to the interests of its customers and treat them fairly.

Based on what I’ve seen and taking into account the above, I think it’s clear that the service SL provided fell considerably short of what Mrs D should’ve been able to expect in the circumstances. The available evidence doesn’t demonstrate that SL took sufficient care and had appropriate regard for Mrs D’s interests, so I can understand why she feels so let down.

When Mrs D’s policy was set up, the incorrect postcode was keyed into SL’s system, which prepopulated the wrong address for her profile. This meant that when SL generated three letters to be sent to Mrs D, all were automatically prepopulated with the wrong address, and two showed “Name Unknown” where Mrs D’s name should’ve been.

SL confirms that when Mrs D’s policy was set up, the address the system prepopulated for Mrs D’s profile with should’ve been checked against her original application to ensure it was correct – clearly this didn’t happen. It’s also said that after Mrs D’s income was paid, its confirmation letter should never have included full details of the bank account the funds had been paid into.

Although, as Mrs D accepts, mistakes happen, I’m satisfied that what happened was entirely avoidable – there were clear opportunities for SL to identify and rectify its errors.

I have no doubt that Mrs D was shocked to discover that SL had sent letters about her policy to the wrong address on three occasions. This alone would’ve been worrying. But learning that the letters included information such as her plan number; plan value; the amount she’d withdrawn; her bank’s name; and the full account number for where her AMPP funds had been paid, would’ve been deeply concerning and disturbing. Even more so when it was an unknown third party – the occupant of address Q – who, after opening Mrs L’s letters, notified her of SL’s mistake.

Mrs D says she’s felt very exposed since SL’s errors came to light. She’s also explained that she developed Shingles shortly after the incident and experienced anxiety and depression which she was prescribed medication for.

Taking account of all the facts in this case, I think it’s right that Mrs D is compensated for the distress and inconvenience that SL has caused her. In recognition of this, SL offered £500 compensation, but Mrs D doesn’t think this is sufficient. She’s said that in UK Courts, judges often pass sentences based on what could’ve happened as opposed to what actually happened. So, given how severe the consequences could’ve been if address Q’s occupant hadn’t been honest enough to return SL’s letters to her, and what she’s read online about the levels of compensation usually paid for data breaches, Mrs D thinks SL should pay more compensation.

I think it’s important to emphasise that our Service isn’t a court of law – we’re a free and informal alternative. And while we take into account the legal position, we aren’t bound by it. The law requires us to decide each case based on our existing powers. Our Service is set up under the Financial Services and Markets Act 2000. Paragraph 228(2) states that:

“A complaint is to be determined by reference to what is, in the opinion of the ombudsman, fair and reasonable in all the circumstances of the case.”

Because of this we don’t necessarily reach the same outcome as a Court might in every case. Any compensation award is made to ensure it is a fair reflection of the impact the business’ error has caused. But it is not punitive, as we do not have the power to punish a business.

Deciding on the compensation for distress or inconvenience isn’t something we take lightly – it’s not an exact science. However, what we recommend is in line with our approach to ensure that all our customers are treated fairly. We publish guidance on what levels of compensation are typically considered fair on our website.

Considering the impact of what happened and the level of upset and concern Mrs D has experienced, I’m satisfied that SL’s offer of £500 is fair and in keeping with the level of awards our Service would usually recommend for an error which has caused considerable distress as has been the case here. I’m also pleased to learn that Mrs D’s correct address was updated soon after she made SL aware of its error, and that prompt action was taken to report what had happened.

Mrs D has referred to the possibility of financial crime and identity fraud after what happened, but while I understand her concern, my role is to decide on fair compensation. And with that in mind, I can only compensate Mrs D for what the evidence shows actually happened, rather than what could potentially have happened if things had been worse.

As it stands, I think it’s unlikely that someone looking to commit such fraud would have returned the letters to Mrs D at her correct address. So, I think the likelihood of Mrs D being the victim of financial crime here is quite limited. Mrs D has also said that she doesn’t anticipate this happening as her bank manager has increased security on her accounts, and she has access to a CRA free of charge through her bank.

While I recognise Mrs D’s strength of feeling about this matter and I don’t underestimate the sincerity with which she brings her complaint, I think the £500 SL offered was fair, so I won’t be directing it to pay more.

My final decision

For the above reasons, my final decision is that I uphold Mrs D’s complaint in part. As I find Phoenix Life Limited’s (trading as Standard Life) offer of £500 compensation fair, I direct it to pay this to Mrs D if it hasn’t already done so.

Under the rules of the Financial Ombudsman Service, I’m required to ask Mrs D to accept or reject my decision before 30 April 2026.

Chillel Bailey
Ombudsman
