Privacy Law and Policy Reporter
These principles were issued by the Insurance Council of Australia in August 1998. They contain an almost unchanged version of the Privacy Commissioner’s National Principles (February 1998 version), with associated compliance mechanisms, using the existing infrastructure of the Insurance Enquiries and Complaints Ltd (IEC). The IEC Board has accepted the additional role, and set up the Privacy Compliance Committee, and businesses in the insurance industry have been invited to adopt the principles and sign on to the compliance and complaints scheme. Some details of the compliance and enforcement scheme remain unclear and will be reported when further explanation is available (Editor).
The general insurance industry has followed closely the calls for reform of Australia’s privacy laws. We are aware of the increasing importance of privacy issues to individuals and the community. We are conscious especially of individuals’ concern for the protection of their personal information.
The general insurance industry in Australia comes from a culture of privacy. Reflecting the heritage and traditions of our industry’s development in Europe and North America, our standards derive from a background of dealing with sensitive personal and commercial information since the 17th century.
There is no public perception or suggestion that the insurance industry abuses this trust.
We are aware of concerns expressed about the magnitude of information databases maintained by the insurance industry. But these reflect the potential of our information technology, rather than the ethos and integrity of our business standards and customer relationships.
We have responded positively to most of the views and recommendations expressed variously by Federal and State Governments, and the Federal Privacy Commissioner. Above all, the insurance industry is concerned that Australia’s privacy regime should follow a consistent national approach, free of State and Territory variants which have confused interpretation in the past and added significantly to compliance costs.
In the absence of Commonwealth privacy legislation for the private sector, the Federal Government encourages business to develop voluntary codes of conduct to meet privacy standards.
In this spirit these Information Privacy Principles have been adopted by the general insurance industry. They set the standards by which our industry will collect, use, store and dispose of the personal information of its private customers. They reflect the view that privacy standards are best achieved by self-regulatory and voluntary means.
These principles explain how our industry deals with privacy complaints and how individuals can gain access to their personal information held by organisations. They closely follow the guidelines established in the National Principles for the Fair Handling of Personal Information introduced by the Federal Privacy Commissioner in February 1998.
The principles are intended to apply to companies in the conduct of their business as general insurers. Implementation of these principles is intended to maintain awareness of individuals' privacy across the general insurance industry. Although no specific redress is provided, the principles require participating organisations to establish internal and external dispute handling procedures, and organisations may be penalised if they fail to meet the requirements.
The principles do not apply to information collected and used by organisations in the course of workers' compensation and compulsory third party (bodily injury) motor vehicle insurance. In these classes of business, the principles governing the collection, use and disclosure of personal information are, in all cases, prescribed by existing legislation in each State and Territory.
[The principles are identical to those in the Privacy Commissioner's February 1998 National Principles for the Fair Handling of Personal Information (see (1998) 4 PLPR 167) with one exception: the Anonymity Principle has been omitted, on the grounds that it is not an option in the conduct of insurance business. To save space, these sections are not included in this reprint.]
Each organisation will have a fully documented internal process for dealing with a privacy complaint between the individual and the organisation, the individual and the organisation’s agent or the individual and the organisation’s investigator, assessor or loss adjuster. This process will be readily accessible by individuals without any charges imposed by the organisation. The internal process will provide a fair and timely method of handling privacy complaints. The organisation will establish procedures for the monitoring of complaints that are referred to this process.
The organisation will have brochures available providing general descriptive information on:
(a) the procedures for dealing with a privacy complaint by the organisation;
(b) the time within which a privacy complaint will normally be handled by the organisation; and
(c) the fact that the privacy complaint will be handled by an officer of the organisation with appropriate powers to deal with the complaint.
Where an organisation receives from an individual a written request for the resolution of a privacy complaint or a request for a response from the organisation in writing in relation to the complaint, the organisation will reply promptly to the individual and, if the complaint is not resolved in a manner acceptable to the individual, the organisation will provide:
(a) where appropriate, the general reasons for that outcome; and
(b) information on the further action that the individual can take.
Where an individual remains dissatisfied with an organisation’s handling of a privacy complaint the organisation will provide the individual with information on how to take the complaint to the Privacy Compliance Committee.
An organisation will provide full assistance to the Privacy Compliance Committee in investigating any complaint referred, and will accept the determination of the Privacy Compliance Committee in resolving the complaint.
Insurance Enquiries and Complaints Ltd (IEC) will be responsible for monitoring compliance with the General Insurance Information Privacy Principles (the Privacy Principles).
The Privacy Compliance Committee will be a committee of the IEC made up of a general insurance industry representative, a consumer representative and an independent chair.
An organisation will ensure that it:
(a) implements appropriate systems and documentation for the organisation to comply with the Privacy Principles; and
(b) prepares an annual report to IEC on the operation and compliance with the Privacy Principles; and
(c) monitors privacy complaints and compliance with the Privacy Principles.
(a) IEC may periodically review an organisation's compliance with the Privacy Principles and, in the event of non-compliance, the organisation will take all reasonable steps to ensure that procedures are established to achieve compliance. Organisations will co-operate with the staff of IEC in such a review and provide information about any alleged non-compliance and the procedures adopted by the organisation to comply with the Privacy Principles.
(b) The Privacy Compliance Committee will receive complaints about alleged non-compliance with the Privacy Principles by organisations. The Privacy Compliance Committee will consult with organisations in respect of the alleged non-compliance and make recommendations if necessary for the organisation’s compliance with the Privacy Principles.
IEC will publish the names of participants in the Privacy Principles and an annual report reporting on the operation of the Privacy Principles including compliance.
IEC will publish and make available to consumers the names of organisations who have adopted the Privacy Principles and information about the requirements of the Privacy Principles.
If the organisation does not comply with IEC’s request to remedy the non-compliance and prevent a recurrence, then IEC will notify the Privacy Compliance Committee.
If the Privacy Compliance Committee is of the view that there is a material breach of the Privacy Principles by an organisation and the organisation has not taken all reasonable steps to ensure that procedures are established to stop the breach recurring, it may give notice to the organisation that it proposes to impose sanctions on the organisation for non-compliance with the Privacy Principles. A copy of the notice will be sent to the chief executive officer of the organisation.
The organisation will have an opportunity to make representations to the Privacy Compliance Committee in respect of any such breach and the Privacy Compliance Committee will not proceed to impose sanctions on the organisation for at least 20 business days from the date of the notice.
Before imposing any sanctions on an organisation, the Privacy Compliance Committee must have regard to:
(a) the objectives governing the Privacy Principles;
(b) the severity of the breach of the Privacy Principles and the appropriateness of the sanction.
The Privacy Compliance Committee may impose one or more of the following:
(i) a requirement that particular rectification steps be taken by the organisation in accordance with a specified timetable;
(ii) a requirement that a compliance audit be undertaken; and
(iii) a recommendation to the Board of IEC that the organisation be named in the annual report as not having complied with the Privacy Principles and setting out the nature of the non-compliance.
[Note: The Insurance Council has made it clear publicly that the Compliance Committee may, where appropriate, require the payment of compensation, although this is not expected to be common.]
The Privacy Compliance Committee may report to the Board of IEC in respect of its activities, but it will not disclose the name of an organisation that is alleged to have breached the Privacy Principles or on which sanctions have been imposed unless it recommends that the organisation be named in the annual report or unless the organisation consents.
An organisation that is sanctioned under the Privacy Principles may request that the sanctions be reviewed by the Board of IEC and, in that case, if the Board considers that there are grounds for review, the Board may refer the matter to the Privacy Compliance Committee for reconsideration.
The Privacy Compliance Committee may report to the Board of IEC any failure by an organisation to comply with a sanction imposed on it and recommend action to be taken by IEC and that the organisation be named in the annual report as having failed to comply with the sanction.
Upon the recommendation of the Privacy Compliance Committee, the Board of IEC may determine to name an organisation in the annual report as having failed to comply with the Privacy Principles and set out in the report the nature of the non-compliance.
IEC may take such steps as it believes appropriate to enforce any sanctions imposed by it or the Privacy Compliance Committee and may report such a matter to the Federal Privacy Commissioner.
[Note: Associate Editor Nigel Waters has been appointed by Insurance Enquiries and Complaints Ltd to the Privacy Compliance Committee set up under these Principles. The other members are independent chairman Richard Viney from Victoria, and Robert Drummond from the Insurance Council of Australia.]