17 October 2017
A | A
    Print
  

Data protection, privacy & security feed-image   

Aviva fined $6,000 for data breach

Straits Times
13 Oct 2017
Irene Tham

Insurer Aviva has been fined $6,000 for lapses that resulted in the inadvertent disclosure of a policyholder's insurance documents to the wrong person.

This is the second fine the insurance industry has attracted from the Personal Data Protection Commission (PDPC) in two months.

The commission was alerted to the breach in November last year, after the complainant received another policyholder's letters in his mail.

The letters contained confidential information including the policyholder's name, address, policy type, Central Provident Fund account number, contact number, date of birth and employer. The name and date of birth, among other details, of the person's dependant were also disclosed.

After an investigation, PDPC found a "systemic problem" with the way Aviva sent follow-up letters to its policyholders.

The staff member assigned to process these letters was the only one checking the letters before mailing them out.

There were no additional checks following the processing, printing and sorting of documents to ensure that the right documents were sent to the intended recipients.

The absence of a second layer of basic checks "amounted to extremely weak internal work process controls (that) fell far short of the standard of protection required for such sensitive personal data", said PDPC deputy commissioner Yeong Zee Kin in a decision paper issued on Wednesday.

As such, Aviva was found to have breached the Personal Data Protection Act, which requires organisations to put in place adequate security measures to protect consumers' personal data.

Organisations flouting the Act, in force since July 2014, can be fined up to $1 million.

When contacted, an Aviva spokesman said: "We view customer data protection seriously. This was an isolated incident. We have since taken steps to ensure the process is more robust."

In August, a former financial consultant with Prudential Assurance was fined $1,000 for improperly disposing 12 policyholders' documents containing personal data such as names, NRIC numbers and insurance coverage details.

The former financial consultant had put the files in a plastic bag and simply dumped it at the second level of a multistorey carpark in Jurong West in October last year, thus subjecting the policyholders to data leaks.

In its advisory guidelines, PDPC had recommended that paper containing personal information be shredded into small pieces and not dumped in unsecured bins.

Similarly, personal data stored on electronic media such as computer hard disks, USB drives or DVDs must be erased using specialised software to avoid accidental data leaks.


The absence of a second layer of basic checks "amounted to extremely weak internal work process controls (that) fell far short of the standard of protection required for such sensitive personal data", said PDPC deputy commissioner Yeong Zee Kin in a decision paper issued on Wednesday.

Source: Straits Times © Singapore Press Holdings Ltd. Permission required for reproduction.

Aviva Ltd [2017] SGPDPC 14

Editor's Note: The PDPC decision [2017] SGPDPC 14 is by Tan Kiat How and not Yeong Zee Kin.