Checklist
For more information on what all organisations need to do, see our general checklist in the compliance section. Some particular steps we'd suggest for insurers are:
- To start with:
  - decide whether there is an approved privacy code you could subscribe to as an alternative to the NPPs and, if so, which one is most appropriate
  - review whether the information you usually collect is really necessary for your purposes; you can't collect information "just in case".
- You should:
  - review all forms used for collecting information:
    - state specifically what information is needed and not needed (e.g. tax file numbers) and discourage unnecessary additions and attachments
    - consent for the collection and use of sensitive information must be informed and specific. Consent forms for the collection, use and disclosure of information (including by surveillance) should be included in proposals, renewals and claim forms. These forms should give sufficient detail about the purposes of collection, how the information will be used and who it will be disclosed to, and should be signed by the insured
    - consider whether your forms should include an opportunity for policyholders to convey a wish not to receive direct marketing communications
  - work out how you will deal with the unnecessary information that you will inevitably collect
  - review the procedures used, and develop collection statements, for when information is collected in person, by telephone, by email or over the internet
  - in regard to the investigation of claims, assign responsibility and create procedures for determining when and how it is appropriate to use surveillance and other investigation methods.
- Review how you use and disclose information:
  - limit access by staff and service providers to sensitive information
  - determine what reasonable steps are needed to ensure that personal information is accurate at each stage of collection, use and disclosure
  - identify transactions requiring international data flows and ensure safeguards are in place which conform to the privacy legislation
  - identify related bodies corporate and review your current arrangements for sharing information with them
  - assign responsibility and create procedures for access and correction requests
  - fix an appropriate fee to cover the reasonable cost of providing information on request.
- Review your arrangements with service providers (such as call centres, mailing houses, claims handlers, insurance agents, brokers, investigators, etc.) to ensure that they must comply with privacy obligations and that you have the right to monitor compliance.
- Review your complaints handling procedure to include privacy complaints.
Don't forget the corporate parts of your organisation. You need to ensure that you comply in full in respect of personal information held about all individuals such as employees of your suppliers and service providers, not just policyholders.