CASE STUDY 2/99
Life insurance company - retention by ex-employee of customer data - unauthorised access - obligation to take appropriate security measures
The complainant was a long-standing customer of a particular life insurance company. One of the company's representatives, who had in the past been dealing with the customer's affairs, left the company to join a different company in the same line of business. He subsequently called to the complainant and asked her if she would like to transfer her policies to the company he now represented, or take out new policies with this company. The complainant said that she did not have documents relating to her existing policies to hand. At this, the representative opened his laptop computer and accessed details of her existing policy, notwithstanding the fact that he now represented an entirely different insurance company.
The customer was very unhappy that confidential personal data relating to her insurance were still available to an ex-employee of her insurer who now worked for a competitor. She took the matter up with her insurer but was not satisfied that the breach of confidentiality was treated with the seriousness it deserved. She then wrote to me to complain about the matter.
Section 2(1)(d) of the Data Protection Act, 1988, provides that -
Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of [personal data] and against their accidental loss or destruction.
I wrote to the complainant's insurer and asked them to comment on the case in the light of this provision. I also asked the company to provide further details on the background to the case and to outline its security arrangements.
The company responded by explaining that the nature of its business (with a direct sales force operating at locations nation-wide) required that the company's field representatives should have access to client information on laptop computers. Representatives were under clear instructions that, if they left the company's employment, they should return all company records and documents to their immediate supervisor. Supervisors were under instruction to ensure that this happened. The company said that, in the case of the former employee involved in this case, these procedures had not been complied with. Numerous attempts had been made to recover the laptop and the client data from the former employee. However, he did not return phone calls or meet with company officials. Attempts to recover the client data were ongoing, according to the company, at the time of the events giving rise to the complaint.
With regard to the requirement to keep personal data secure, the company said that it had put new procedures in place, so that client data would automatically be erased from laptop computers every six weeks, unless a representative's authorisation was renewed. When these matters were explained by my Office to the complainant, she was reassured that the company was now taking its data protection obligations as regards security seriously and that, accordingly, breaches of confidentiality of the kind she had encountered were unlikely to recur.
In my view, this case illustrates the need for data controllers to have firm and enforceable procedures in place to ensure that they do not lose control of personal data, for which they are legally responsible, on the departure of any of their employees. Provision for the automatic deletion of records, of the kind now put in place by the company, may have a useful part to play in such arrangements.
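The automatic-deletion arrangement described above (client data erased from laptops every six weeks unless the representative's authorisation is renewed) can be modelled as a lease check run at each start-up. The following is an added illustration, not the company's own procedure: the file names, the renewal record format and the `.rec` extension are assumptions, and it fails closed, so a laptop that is never re-authorised, as with the ex-employee here, loses its client data.

```python
"""Lease-based automatic erasure of client data cached on a field laptop. Added
example (not the company's procedure); file names and record format are assumed."""
import json
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

LEASE_PERIOD = timedelta(weeks=6)  # renewal interval stated in the case study
LEASE_FILE = "authorisation.json"  # assumed name of the renewal record

def renew_lease(cache_dir: Path, when: datetime) -> None:
    """Record that head office renewed the representative's authorisation."""
    cache_dir.mkdir(parents=True, exist_ok=True)
    (cache_dir / LEASE_FILE).write_text(json.dumps({"renewed_at": when.isoformat()}))

def lease_valid(cache_dir: Path, now: datetime) -> bool:
    """True only if a renewal exists and is under six weeks old. A missing or
    unreadable record counts as expired, so a laptop that never checks in fails closed."""
    try:
        record = json.loads((cache_dir / LEASE_FILE).read_text())
        renewed_at = datetime.fromisoformat(record["renewed_at"])
    except (OSError, ValueError, KeyError):
        return False
    return now - renewed_at < LEASE_PERIOD

def purge_client_data(cache_dir: Path) -> int:
    """Overwrite with zeros, then delete, every cached record; returns the count."""
    removed = 0
    for path in cache_dir.glob("*.rec"):  # assumed extension for client records
        with open(path, "r+b") as fh:
            fh.write(b"\0" * path.stat().st_size)
        path.unlink()
        removed += 1
    return removed

def enforce(cache_dir: Path, now: datetime) -> int:
    """Run at each start-up: wipe client data unless the lease is still valid."""
    return 0 if lease_valid(cache_dir, now) else purge_client_data(cache_dir)

def demo() -> tuple:
    """Constructed scenario: three records, one renewal, then no further renewals."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp)
        renewed = datetime(2024, 1, 1)
        renew_lease(cache, renewed)
        for name in ("policy1", "policy2", "policy3"):
            (cache / f"{name}.rec").write_bytes(b"constructed client record")
        kept = enforce(cache, renewed + timedelta(weeks=5))   # still authorised
        wiped = enforce(cache, renewed + timedelta(weeks=7))  # authorisation lapsed
        return kept, wiped, len(list(cache.glob("*.rec")))
```

`demo()` returns `(0, 3, 0)`: nothing is erased while the authorisation is current, all three records are wiped once it lapses, and none remain afterwards.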