Privacy watchdog fines three insurers, highlights serious lapses in new advisory

SINGAPORE - Three insurance companies have been fined by Singapore's privacy watchdog so far this year for inadvertently disclosing policyholders' insurance documents to the wrong people.

Aviva, NTUC Income Insurance Co-operative and AIG Asia Pacific Insurance have been fined $30,000, $10,000 and $9,000 respectively by the Personal Data Protection Commission (PDPC).

All three cases involved lapses in printing and posting documents containing personal data.

Aviva faced the heaviest penalty as it was fined for similar lapses last October.

The insurance sector accounts for three of the eight cases so far this year in which the commission has dished out fines.

These cases prompted the commission to release an advisory on Thursday (May 3) which spells out the safeguards companies must have in place when handling documents containing personal data.

They include performing test runs when printing as well as mandating a second layer of random checks by a supervisor when putting letters in envelopes.

Aviva's latest offence came when it sent four underwriting letters meant for four different clients to just one of them. The documents contained each client's full name, residential address, policy details and the sum assured.

The lack of additional checks was consistent with the "systemic problem" found last October, when Aviva was fined $6,000 for inadvertently disclosing a policyholder's insurance documents to the wrong person.

In issuing the fine this time round, the PDPC said: "The organisation failed to conduct a more thorough review of its internal departments... that are subject to the same vulnerabilities and risk similar failures as the prior incident."

NTUC Income's offence involved 426 policy letters containing the names, residential addresses and policy details of clients.

A staff member had mistakenly printed two different policy letters, addressed to different individuals, one on each side of a sheet of paper, and mailed the letter to one of the individuals.

Again, checks were not made to prevent the inadvertent data leak.

In AIG's case, a wrong facsimile number - that of retailer Tokyu Hands - was printed on the policy renewal notices issued to policyholders.

The notices contain the name, address and policy details of clients, and have fields for the clients to update their personal data including payment details. Up to 125 renewal notices intended for AIG could have been mistakenly sent by clients to Tokyu Hands.

"There was no check to verify that the facsimile numbers were up to date," the PDPC said.
