Oct 13 2017 | by OrionW
OrionW summarises the enforcement actions of Singapore’s Personal Data Protection Commission (PDPC) against an entity and an individual operating in the insurance industry for breaching their data protection obligations under the Personal Data Protection Act 2012 (PDPA).
Disclosure of bank account details by AIA

The complainant held an insurance policy with AIA. When applying for the policy, the complainant had provided his name, address, NRIC number, contact details, occupation and various other personal particulars (Personal Particulars) to AIA.
In the application form, the complainant agreed that AIA could:
release to any medical source or insurance office any relevant information concerning the complainant at any time; and
use and/or disclose any information to independent third parties with regard to any matters pertaining to the application or policy.
The complainant later made a claim under the policy. In the claim form the complainant submitted to AIA, the complainant provided his policy details, his Personal Particulars and his bank account information (i.e., the bank’s name and branch, the bank account number and the account holder’s name) (Bank Account Details) to allow direct crediting of claims.
In the claim form, the complainant agreed that AIA could disclose the complainant’s personal data for purposes described in the “AIA Personal Data Policy”. That Policy set out the following scope of consent:
Personal data of the insured may be disclosed to “medical sources and insurance organisations”.
The types of personal data that may be collected, used or disclosed include the insured’s “personal particulars such as NRIC numbers, passport numbers, contact details, addresses, date of birth, occupation, photographs and marital status” and “financial information such as income, bank account numbers, CPF statements, bank statements”.
The personal data may be collected, used or disclosed to “assess, process, administer, implement and effect the requests or transactions” or for the purposes of “assessing, processing, settling, authenticating and investigating claims”.
In the course of processing the complainant’s claim, AIA communicated with the complainant’s chiropractor to obtain further medical information about the complainant. In that communication, AIA disclosed certain pages of the claim form to the chiropractor, which showed the complainant’s Bank Account Details.
PDPC’s Enforcement Action
The PDPC found AIA in breach of section 18 of the PDPA because the disclosure of the complainant’s Bank Account Details was not relevant or necessary to the request for the medical report and thus not for “a purpose that a reasonable person would consider appropriate in the circumstances”.
The PDPC issued a warning to AIA after taking into account the following considerations:
The key point to note from this decision is that organisations need to ensure that, even where they have apparently obtained consent, the disclosure of personal data to a third party must be for a purpose that has a reasonable connection to the purpose previously identified to that data subject. The PDPA requires that any collection, use or disclosure of personal data must be for a purpose that a reasonable person would consider appropriate in the circumstances.
Disposal of policy documents by a former Prudential financial consultant

The respondent, Ang, was a financial consultant with Prudential Assurance Company (Pte) Ltd (Prudential). Prudential engaged Ang as an independent contractor, not an employee. During his engagement, Ang came into possession of his clients’ Prudential folders, which contained sensitive personal data.
After Ang ceased working for Prudential, he disposed of the Prudential folders by leaving them beside the rubbish bin at the car-park of a housing estate. The folders, which contained 13 Certificates of Life Assurance and two letters addressed to two of the policy-holders, included the names, NRIC numbers, and other personal data of 12 policy-holders.
Ang confirmed that he had disposed of the folders at the location where they were found by the complainant. However, he claimed that he had placed the documents in a plastic bag and disposed of the bag in the rubbish bin.
PDPC’s Enforcement Action
The PDPC found Prudential not responsible or liable for the proper disposal of the folders or for the data breach that occurred. The PDPC found that Prudential had reasonable policies in place dealing with the proper and secure disposal of clients’ policy documents, which required financial advisors to return client data to Prudential when they ceased being financial advisors or, alternatively, to dispose of personal data properly and securely (e.g., by shredding).
These policies were communicated to financial advisors through appropriate channels. Further, upon accepting Ang’s resignation, Prudential had issued a letter specifically requiring him to “return all monies, documents and other effects and property belonging to [Prudential] including such property containing consumer information ….” However, Ang failed to do so.
The PDPC found that Ang was acting as an “organisation” for the purposes of the PDPA in respect of the personal data contained in the Prudential folders. As he had obtained the personal data during the course of his work as a financial consultant and as an “organisation” under the PDPA (i.e., not in a personal or domestic capacity), he had an obligation under section 24 of the PDPA to protect the personal data whilst with Prudential and after he left Prudential.
Ang’s mode of disposal was found to be wholly inadequate as the documents were left in their original readable form and anyone could have easily opened the plastic bag to access the contents of the documents, including the sensitive personal data of the policy-holders. Furthermore, the plastic bag did not secure the documents but merely concealed them, which was considered insufficient due to the presence of sensitive personal data.
Ang’s manner of disposal was also inappropriate given the sensitivity of the information in the documents and in the knowledge that he had the means to dispose of the documents securely by utilising the “locked console boxes” specifically provided by Prudential to its agents and financial consultants for the secure shredding of unwanted documents.
Ang was thus found to be in breach of section 24 of the PDPA by failing to take reasonable security measures to protect the personal data in his possession and/or under his control.
The PDPC imposed a penalty of S$1,000 on Ang after taking into account that the personal data contained in the 13 certificates and two letters was sensitive data but that the documents were not disposed of in a high traffic area such as a busy street or a shopping mall.
The decision highlights the following points for organisations to bear in mind:
obligations to protect personal data do not necessarily fall away when a contractor’s engagement is terminated;
organisations which put in place reasonable measures to try to ensure their contractors protect personal data in their possession can escape direct liability for breaches of the PDPA by those contractors, but they may still incur reputational damage; and
when disposing of personal data held on physical media such as paper, consider shredding or incineration to ensure its proper disposal when no longer required.
Note: The definition of “organisation” under the PDPA expressly includes “any individual”.