Case Notes

This case relates to DPP2 - Accuracy and duration of retention of personal data

Case No.: 2018C07

An insurance company issued a letter to an invalid address reported by the customer – DPP2(1)

The Complaint

The complainant was a customer of an insurance company. He was dissatisfied that after he had made a change of address request to the company, the insurance company still issued a letter to his invalid address to confirm the said request.

Outcome

The insurance company stated that it was its usual practice to confirm customers’ change of address requests by sending letters to both the new and former addresses. This practice was designed to prevent fraud and to avoid change of address requests being made by third parties without the customers’ knowledge.

After the PCPD’s intervention, the insurance company revised its practice. Whenever it received address update requests, instead of using the former addresses, the insurance company would contact the customers by other means, such as SMS, to confirm the requests. In addition, the insurance company undertook not to issue letters to the complainant’s former address.

Lesson learnt

To protect customers’ personal data, the insurance company took steps to confirm address update requests. The initiative was well intended. However, sending letters containing personal data to invalid addresses entailed certain security risks. The act also fell short of the customers’ privacy expectations.

Nowadays, it is common for customers to provide mobile numbers and email addresses for contact purposes. Sending letters to former addresses is no longer the only means by which insurance companies can confirm address update requests with customers. If insurance companies simply follow past practices and fail to adapt to changing times by adopting technology to facilitate data protection, it will be difficult for them to gain the customers’ trust.

Data users should regularly review their personal data protection measures. When handling personal data, organisations should take into account both their own and their customers’ perspectives, and explore alternative measures that better protect personal data while complying with the requirements under the Ordinance, so as to develop data protection mechanisms that cater to today’s needs.

(Uploaded in August 2020)

