Aviva Singapore fined for leaking client data

Firm penalised for “systemic” failure, after it sent policyholder’s details to the wrong person

By Gabriel Olano

Aviva Singapore has been fined after sending a policyholder’s confidential details to a different person.

The company was fined SGD6,000 by the Personal Data Protection Commission (PDPC). The incident was reported to the PDPC in November 2016, after the complainant received another policyholder’s insurance documents in his mail.

Confidential information, such as the policyholder's name, address, policy type, social security number, contact number, date of birth, and employer, was revealed in the mailed documents, as well as their dependent’s name, date of birth, and other details.

This is the second insurance-related case handled by the PDPC in recent months, according to the Straits Times.

The PDPC’s investigation revealed that there was a “systemic problem” in Aviva’s system of sending follow-up letters to its policyholders. The employee who was in charge of processing the letters was the only one checking them before they were sent out.

There were no additional checks in place to confirm if the documents would be mailed to the right people, the investigation said.

The PDPC concluded that Aviva breached the Personal Data Protection Act, which mandates that organisations must institute measures to protect their clients’ personal data. Organisations that violate the act could be fined up to SGD1 million.

When approached for comment by ST, a spokesperson for Aviva said: “We view customer data protection seriously. This was an isolated incident. We have since taken steps to ensure the process is more robust.”

In August, a former agent for Prudential Assurance was fined SGD1,000 for improperly disposing of documents containing insurance information of 12 policyholders. The documents were placed whole in a plastic bag then thrown in a garbage bin in a parking building.

PDPC guidelines state that paper documents containing personal information must be shredded and not thrown into unsecured garbage bins. Likewise, electronic storage devices such as hard disks and USB drives must be erased using specialised software to prevent sensitive data from falling into the wrong hands.
