Disclosure of clients' personal data by insurance agent

A husband and wife planned a trip together with a friend. The three of them took out travel insurance at the same insurance agency at the same time. The couple had not filled in the address column on the insurance proposal forms. The person handling the forms did not try to ascertain their address but simply put the friend's address on their forms. He later put the three policy documents in one envelope and mailed them to the friend, expecting the friend to pass on the documents to the couple. The couple were dissatisfied that the agency entered a wrong address on their policy documents, and that the documents containing their personal data were exposed to their friend, and possibly other people. They complained to the PCPD.

The insurance agency accepted what they had done was in breach of the data protection principles. They issued a revised set of guidelines to the staff, emphasizing that customers' personal data must be accurately recorded, and that insurance documents should be dispatched to customers in separate sealed envelopes marked "Private & Confidential". The case was settled by mediation.

The Commissioner's views on the matter

DPP2(1) provides that data users must take all reasonably practicable steps to ensure that personal data are accurate having regard to the purpose for which they are to be used. The insurance agency should have contacted the complainants to obtain their address, instead of just making use of the address of a third person for the sake of convenience. Furthermore, DPP4 provides that personal data held by a user must be protected against unauthorized or accidental access, processing, erasure or other use. In this respect, the insurance agency should either send the policy documents directly to the insured or, if the documents were to be routed through a third party, seal them in a separate envelope, so as to avoid accidental disclosure of the contents.