Privacy watchdog fines three insurers for data lapses

Aviva, NTUC Income and AIG fined $30,000, $10,000 and $9,000 respectively


Three insurance firms have been fined by Singapore's privacy watchdog so far this year for inadvertently disclosing policyholders' insurance documents to the wrong people.

Aviva, NTUC Income Insurance Cooperative and AIG Asia Pacific Insurance have been fined $30,000, $10,000 and $9,000 respectively by the Personal Data Protection Commission (PDPC).

All three cases involved lapses in printing and posting documents containing personal data.

Aviva faced the heaviest penalty as it had been fined for similar lapses last October.

The insurance sector made up three out of eight cases so far this year which have resulted in the commission dishing out fines.

They prompted it to release an advisory yesterday which spells out the safeguards companies must have in place when handling documents containing personal data. They include performing test runs when printing, as well as mandating a second layer of random checks by a supervisor when putting letters in envelopes.

Aviva's latest offence came about when it sent four underwriting letters meant for four different clients to one of them - in one single envelope. The documents contained each client's full name, residential address, policy details and the sum assured.

The lack of additional checks was consistent with the "systemic problem" found last October, when Aviva was fined $6,000 for inadvertently disclosing a policyholder's insurance documents to the wrong person. In issuing the fine this time around, the PDPC said: "The organisation failed to conduct a more thorough review of its internal departments... that are subject to the same vulnerabilities and risk similar failures as the prior incident."

NTUC Income's offence involved 426 policy letters containing the names, residential addresses and policy details of clients. A staff member had mistakenly printed two different policy letters to different individuals - one on each side of a sheet of paper - and mailed the letter to one of the individuals.

Again, checks were not made to prevent the inadvertent data leak.

In AIG's case, a wrong facsimile number - that of retailer Tokyu Hands - was printed on the policy renewal notices issued to policyholders. The renewal notices contained the names, addresses and policy details of clients, and had fields for the clients to update their personal data, including payment details.

Up to 125 renewal notices intended for AIG could have been mistakenly sent by clients to Tokyu Hands. "There was no check to verify that the facsimile numbers were up to date," the PDPC said.


A version of this article appeared in the print edition of The Straits Times on May 04, 2018, with the headline Privacy watchdog fines three insurers for data lapses.