(AAB APPEAL NO.54/2015)
Whether an insurance company had taken all reasonably practicable steps in safeguarding the security of its customers’ personal data – the Appellant had never received her insurance policy – the Appellant’s signature on the acknowledgement receipt of insurance policy was suspected of being forged – the security measures adopted by the insurance company were examined under the requirements of DPP4
Coram:
Mr Liu Man-kin (Presiding Chairman)
Mr Kwok Sze-chung (Member)
Ms Yuen Miu-ling (Member)
Date of Decision: 13 September 2016
The Complaint
In August 2014, the Appellant took out an insurance policy through an insurance agent of an insurance company. As the Appellant had not received her insurance policy, she made enquiries with the insurance company in 2015, and was informed that she had already signed the acknowledgement receipt of the insurance policy on 22 September 2014. The Appellant suspected that someone had forged her signature on the acknowledgement receipt, and her personal data might have been accessed by unauthorised persons due to the inadequacy of security measures adopted by the insurance company. Hence, she lodged a complaint with the Commissioner against the insurance company.
The Commissioner’s Decision
The insurance company explained its usual practice to the Commissioner:
(a) An insurance policy would be delivered to the relevant branch office by internal mail after it was issued, and the secretary or assistant of the branch office would then acknowledge receipt before passing it to the relevant insurance agent. The agent would deliver the insurance policy to the customer by hand, by registered mail, or by courier, and request the customer to acknowledge receipt of the insurance policy.
(b) At the same time, the insurance company would send a notice to the customer by ordinary mail, informing him that the insurance policy was issued and reminding him to contact the Customer Service Hotline of the insurance company if he did not receive it within nine days from the issuance date of the notice.
The Appellant stated that she had not received the said notice from the insurance company.
The Commissioner found that the insurance company had taken all reasonably practicable steps to ensure that its insurance policies were properly delivered to its customers. According to the procedures, an insurance agent was required to deliver the insurance policy to his customer by hand, by registered mail, or by courier and to request the customer to acknowledge receipt. The additional step to send out the said notice to customers by ordinary mail was a precautionary measure to ensure that the customer would call the Customer Service Hotline for enquiries if he did not receive the insurance policy. It was a very rare case that (i) the Appellant received neither the insurance policy nor the notice; (ii) someone had forged her signature on the acknowledgement receipt; and (iii) the insurance company had not realised this until the Appellant lodged the complaint. That being the case, the insurance company had not contravened the requirements of DPP4.
The Appeal
The AAB agreed that DPP4 requires data users to take only all reasonably practicable steps to ensure (but not fully guarantee) that personal data held by them are protected against unauthorised or accidental access, processing, erasure, loss, or use. Although the insurance company could not ascertain who signed the acknowledgement receipt and when it was signed, one could not then conclude that the insurance company had contravened DPP4, without first examining its security mechanism.
After examining the security mechanism of the insurance company, the AAB was of the view that its procedures met the requirement of “reasonably practicable” under DPP4. In particular, the AAB had taken into account that steps (a) and (b) above were handled by different staff of the insurance company to ensure the delivery of insurance policies to customers and to allow them to enquire about the delivery at the earliest possible time.
The AAB agreed with the Commissioner that based on the written reply from the insurance company as well as its production of the copy acknowledgement receipt and notice, on a balance of probabilities, the insurance company did deliver the insurance policy and notice in accordance with its established procedures.
The AAB’s Decision
The appeal was dismissed.
(Uploaded in March 2019)