Skip to content

Case Notes

Case Notes

This case related to Customer data

Case No.:2012C07

An insurance company should not grant indiscriminative access rights to policy-related data to former insurance agents of insurance customers

The Complaint

The Complainant was a policyholder of an insurance company (“the Company”) and had instructed the Company to discharge Agent A as her insurance agent. However, the Complainant continued to receive promotional materials from Agent A under the Company’s name. The Complainant therefore complained against the Company for allowing Agent A, who was no longer her insurance agent, to continue to access and use her policy-related personal data.

In response to the PCPD’s enquiry, the Company explained that it was its practice to allow former insurance agents (who had first signed the customer up with the Company) and their supervisors to access customers’ policy-related personal data from the Company’s customer database in order to follow-up with policy-related matters.

Outcome

The Commissioner held that it was reasonably practicable for the Company to arrange disclosure of relevant policy-related data only when such needs arise, and that the Company’s granting of indiscriminative access rights to policy related data to insurance agents and their supervisors of former customers under the circumstances of the case had violated DPP3.

The Company accepted the Commissioner’s recommendations and undertook to review its access-rights mechanism, remove the access right of former insurance agents and their supervisors, and allow only current insurance agents and their supervisors to access and use the personal data of their policyholder customers. The Company also issued notices to all of its insurance agents to put into effect this instruction.

uploaded on web in January 2014


Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :