Allens Arthur Robinson


Insurance

Who is affected and how?

The insurance industry is subject to the private sector privacy regime. Insurers need to obtain personal information, including health information (involving tricky areas like genetic privacy and sale of health records), in order to be able to rate and underwrite risks. General and life insurers obtain, hold and use significant amounts of personal information about their policyholders. Life insurers are particularly affected because of the essentially personal nature of the information submitted by policyholders. 

Insurers dealing with sensitive information, especially health information, need to comply with the higher standards imposed by the regime's special protection for health information.

The private sector privacy regime also affects other organisations that work with the industry, such as:

  • insurance agents; 
  • brokers; 
  • loss assessors; 
  • providers of outsourcing services such as claims handlers; 
  • mailing houses; 
  • call centres; 
  • reinsurers, which may also be affected if they receive personal information during the course of their business - for instance about policyholders. 

Some of these other organisations may be small businesses that trade in personal information and so are not exempt. Small business operators that are otherwise exempt may see advantages in opting in.

Insurers cannot avoid their privacy obligations by outsourcing and may be liable if agents and service providers (even those who claim to be exempt as small business operators) fail to comply with the privacy legislation. Insurers must include provisions in agency and service contracts requiring agents and service providers to comply with their own and the insurer's privacy obligations. They should also monitor performance to ensure compliance in practice.

In addition to internal management issues, insurers need to consider how the privacy regime affects the risks that they insure. For example, they need to:

  • ensure the wording of their policies addresses the cost of claims that can be made against policyholders for compensation, expenses and other sanctions for breach of the privacy provisions; and
  • consider whether new types of cover for privacy breaches need to be developed.

What about insurance codes?

Insurers are bound by the NPPs unless they have adopted an approved privacy code. Either way, a breach gives rise to a breach of the Privacy Act and there are sanctions for non-compliance.

The general insurance industry was the first industry to have a privacy code approved by the Commissioner - see the General Insurance Information Privacy Code. The Code is administered by the Insurance Council of Australia (ICA). Complaints and disputes are handled by the Insurance Ombudsman Service.

Despite the essentially personal nature of the information which life insurers customarily collect from policy holders and prospective policy holders, there do not appear to have been any industry-wide moves to formulate either privacy principles or an approved privacy code for the life insurance industry.


Workers' compensation and motor vehicle insurance

The General Insurance Information Privacy Code does not apply to information collected and used by insurers in the course of workers' compensation or compulsory third party motor vehicle insurance. The principles governing the collection, use and disclosure of personal information in those classes of business will be affected by existing State and Territory legislation as well as the Privacy Act.


Investigation and surveillance

Private investigation, including surveillance, is a necessary part of an insurer's methods for collecting information in relation to claims. Concerns have been expressed as to whether such methods are still permissible, as literal compliance with every aspect of the NPPs seems impossible without defeating the purpose of these investigations. However, the Commissioner's guidelines state that in some circumstances, including investigating fraud and other unlawful activity, covert collection of personal information by surveillance and other means would be fair.

Insurers need to review their investigation processes and ensure that:

  • employees with an appropriate level of authority make the decision to carry out an investigation;
  • the investigation is carried out by investigators with proper credentials who demonstrate that they understand all relevant laws, not just privacy;
  • the investigator is instructed specifically as to what is/is not required from the investigation;
  • careful thought is given as to when it is practicable to disclose to the person under investigation that personal information has been collected;
  • the privacy requirements about collection of information about a person from third parties are considered as they apply to the particular circumstances;
  • the right of access by the person under investigation to the information collected including information in the hands of the investigator is considered in the particular circumstances (is the investigator exempt or does the investigator have the benefit of the same restrictions on the right of access as the insurer?).

State legislation may apply

State or Territory legislation (such as the Victorian Health Records Act 2001 and the ACT Health Records (Privacy and Access) Act 1997) may apply to health records held by organisations in the insurance industry in addition to the NPPs or the General Insurance Information Privacy Code and may create additional compliance obligations.

For more, see our State legislation page. 


What should I do?

We've put together a checklist to help you establish compliant procedures. You should review your information handling practices periodically because products and processes change over time.



© 2008 Allens Arthur Robinson, Australia | contactus@aar.com.au
