A former financial consultant was fined $1,000 for breaching data protection laws by disposing of clients' insurance policy-related documents in a rubbish bin in a residential estate.
The Commissioner for Data Protection had launched a probe after receiving a complaint on Oct 10 last year that Prudential folders were recovered from a bin at a multistorey carpark at Block 821A, Jurong West Street 81.
Ang Rui Song admitted he had disposed of the folders containing data belonging to a dozen insurance policyholders, claiming he did so at the clients' request and had placed the documents in a plastic bag before throwing it into the bin.
The data included names, identity card numbers and sums assured, among other things. Ang had possession of his clients' folders while he was a financial consultant with Prudential Assurance Company. But by the time he dumped them, he had already left the firm.
In decision grounds issued on Monday, the Commissioner made clear that Prudential was neither to be blamed nor held responsible for the data breach that occurred or the way the documents were disposed of in the incident. "Prudential had reasonable policies in place which dealt with proper and secure disposal of clients' policy documents," wrote the Commissioner.
He noted that Prudential policies required the return of client data to the insurer when individuals cease being financial advisers. Alternatively, the company requires them to dispose of the data securely - for instance, by shredding.
Ang, as a financial adviser, was an independent contractor and not a Prudential employee under the engagement terms, noted the Commissioner. Before leaving Prudential, he was told to return the documents to it but had failed to do so. When asked why he did not use the locked console boxes for shredding provided by Prudential, Ang said the boxes were in the Prudential main office while he was working at the branch office.
The Commissioner rejected this, ruling Ang's disposal method "inappropriate given the sensitivity of the information found in the documents". In imposing the $1,000 penalty, the Commissioner took into account the sensitive nature of the data contained in the 13 insurance certificates and two letters found. But he also noted that the documents were "not disposed of in a high traffic area such as a busy street or shopping mall".
The Commissioner stressed that "organisations should take a very serious view of any instance of non-compliance under the Personal Data Protection Act" and will not "hesitate to take enforcement action".