The insurance sector accounts for three of the eight data protection breach cases that resulted in Singapore's Personal Data Protection Commission (PDPC) imposing financial penalties this year.
Three insurers were fined by the PDPC for disclosing customer personal data to the wrong parties via hard copy documents. The PDPC has since issued a guide to help organisations and print vendors put adequate measures in place in their printing processes to protect personal data against unintended disclosure.
Penalties of $30,000, $10,000 and $9,000 were imposed on Aviva, NTUC Income and AIG respectively for “failing to make reasonable security arrangements to prevent the unauthorised disclosure of customers' personal data”.
The details on the cases were published on the PDPC's website recently.
For Aviva, this is its second case within a period of 12 months. The latest offence was due to a staff member sending four underwriting letters meant for four different customers in a single envelope. This meant that one of the customers received the personal data of three others, including their full names, residential addresses, policy details and the sums assured.
PDPC said, in explaining the grounds of its decision, that investigations revealed there were no processes in place to prevent such lapses other than the organisation’s reliance on its staff to perform duties diligently. The lack of processes for additional checks (such as a basic check to see if the number of letters sent out corresponded with the number of underwriting letters scheduled to be sent out on that day) was “disappointingly similar” to the prior incident last October, when Aviva was fined S$6,000 (US$4,480) for inadvertently disclosing a policyholder's insurance documents to the wrong person.
NTUC Income’s offence involved the unauthorised disclosure of personal data of over 200 individuals due to lapses in its largely automated printing process for policy letters. It had sent a batch of 426 letters to print, which included premium reminder, policy cancellation and non-take-up letters, and the printer operator had selected duplex instead of the usual single-sided format for printing.
As a result, two different policy letters meant for two different customers were printed on each sheet of paper, resulting in one customer receiving the personal data of another. There were no checks to prevent such errors.
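The two control gaps described above (Aviva's missing letter-to-envelope count check and NTUC Income's duplex setting pairing two customers' pages on one sheet) can both be caught before a batch is released. The following is an added example, not code from the PDPC or any of the insurers; the `Letter` model, recipient ids and sample batch are constructed, and the sheet-padding fix is one assumed remediation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Letter:
    recipient_id: str   # constructed identifier for the addressee
    pages: int

def impose(letters, duplex, pad_letters=False):
    """Simulate how the print stream lands on physical sheets.

    Returns one tuple per sheet naming the recipient on each side. Simplex puts
    one page per sheet. Naive duplex pairs consecutive pages two to a sheet with
    no break between letters, so an odd-length letter drags the next recipient's
    first page onto its back side (the NTUC Income failure). pad_letters=True
    adds a blank back page to odd-length letters so each letter starts a new sheet.
    """
    stream = []
    for letter in letters:
        pages = letter.pages
        if duplex and pad_letters and pages % 2:
            pages += 1                      # blank back side, same recipient
        stream.extend([letter.recipient_id] * pages)
    per_sheet = 2 if duplex else 1
    return [tuple(stream[i:i + per_sheet]) for i in range(0, len(stream), per_sheet)]

def mixed_sheets(sheets):
    """Sheets carrying pages of more than one recipient: each one is a disclosure."""
    return [s for s in sheets if len(set(s)) > 1]

def reconcile(letters, envelopes_produced):
    """The count check the PDPC found missing at Aviva: one envelope per letter."""
    return len(letters) == envelopes_produced

def validate_batch(letters, duplex, envelopes_produced, pad_letters=False):
    """Return a list of findings for the batch; an empty list means safe to release."""
    findings = []
    for sheet in mixed_sheets(impose(letters, duplex, pad_letters)):
        findings.append(f"sheet mixes recipients {sheet}")
    if not reconcile(letters, envelopes_produced):
        findings.append(f"{len(letters)} letters scheduled, {envelopes_produced} envelopes produced")
    return findings

# Constructed sample batch: one-page reminder, one-page cancellation, two-page policy letter.
BATCH = [Letter("cust-A", 1), Letter("cust-B", 1), Letter("cust-C", 2)]

if __name__ == "__main__":
    print(validate_batch(BATCH, duplex=True, envelopes_produced=3))
    print(validate_batch(BATCH, duplex=True, envelopes_produced=3, pad_letters=True))
```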
AIG’s offence, meanwhile, involved an incorrect facsimile number used by the insurer on some of its renewal notices. That wrong fax number—belonging to retailer Tokyu Hands—meant that names, addresses and policy details of some AIG customers were faxed to the retailer instead of the insurer.
“The incorrect facsimile number was (fortuitously) corrected when the organisation conducted a standardisation exercise on its system to ensure that the same contact information was provided across the organisation’s different forms for different products,” noted the PDPC.
Even then, AIG did not realise there had been an error in the number previously provided, and became aware of it only after receiving notice from Tokyu Hands that the retailer had been receiving the renewal notices. For the six-month period that the lapse went undiscovered, between 25 and 125 notices could have been sent to Tokyu Hands.
Following these lapses, the PDPC issued an advisory last week to assist organisations and print vendors with safeguards to protect personal data during printing. Its “Guide to Printing Processes for Organisations” is available from the PDPC.