Privacy Law and Policy Reporter
Alan Mason is Chief Executive of Insurance Council of Australia. This article is an extract from a speech on ‘Insurance and E-Commerce’ given to the Australian Insurance Institute Conference in Brisbane in July 2000.
Ten years ago we were grappling with our first efforts at self-regulation, and much of what we learned then is still useful today.
Our first steps into self-regulation came from the growing pressure for an alternative system to meet consumer complaints about the ways insurance companies rejected claims. There was no way outside the legal system for either claimants or their insurers to find redress, and that avenue was too expensive for many individuals.
The Insurance Council of Australia (ICA) began seriously exploring its options during the late 80s, and swiftly came to the conclusion that anything it could come up with to meet community concerns would be cheaper, more efficient and more effective for the industry and its customers than any arrangement developed through legislation.
It would also enable the industry to learn from any mistakes or trends that were revealed, and that feature has been shown to be very valuable.
The Claims Review Panel system that eventuated is a very good example of how the ICA identified a problem that was the result of a growing trend and acted to find a solution that suited all parties. Insurance Enquiries & Complaints (IEC) is seen today as a world leader in alternative dispute resolution.
It’s easy to forget 10 years after IEC was formed that its birth was anything but easy. There was a great deal of resistance, from both within and without, to the concept of the insurance industry handling its own complaints. There was also considerable media opposition, and consumer groups lobbied hard to have the government set up its own complaints process.
I think the development of IEC and the way we adapted it to meet emerging needs has taught us the value of continuous consultation with crucial groups such as community leaders and the Federal Government. The growth in mutual understanding and support between the industry and consumer leaders over the intervening period has been very positive.
The lessons learned through IEC were too valuable to ignore. It taught us a lot about what is and what is not acceptable behaviour, and gave us the confidence to strike out independently again to formulate an industry-wide Code of Practice.
The Code benchmarks performance for the industry. It sets standards of best practice, and has helped to transform service into a marketing tool. Under the Code, much of the disputes and complaints load is put back on to the companies for attention and resolution. This forces service and consumer consciousness to the forefront. Service is now seen as a matter of competitive advantage. Where matters can’t be resolved in the company, IEC is there to provide a safety net for the consumer.
Armed with the success of the complaints review system and the Code of Practice — both of which are able to adapt to changing community standards — we were confident we had a framework that could work to help us meet future challenges.
The issue of privacy has been at the heart of the insurance industry for some 300 years, but privacy emerged as an issue when industries made their first steps into the use of new technology. That involved the simplified retrieval of customers’ information, and moves to use customer databases to enhance marketing opportunities.
Armed with the clear understanding obtained from our research of the community’s attitude that its personal details should stay personal, we began examining the issue of privacy and the need for protocols to control the way our industry should use such information.
Let me illustrate. One of the most far reaching developments in financial services marketing over the past few years has been the practice known as ‘database mining’. To put it simply, the information the consumer provides for one purpose is broken down into its constituent parts and used for many additional purposes.
For example, the information I give to my bank to finance a new loan — necessary to meet the demands of my hedonistic lifestyle! — enables the bank to place me in a number of possible scenarios. My salary details give the bank the information necessary to send me suitable investment proposals. My address, marital status and other details help the bank to draw up a strong profile on me and my likely investment, spending and financial needs. This gives the bank the opportunity to propose new loans, investments, life and general insurance arrangements, superannuation proposals and so on. They will be strategically directed to me during the course of the year.
Without principles that spell out how far they can use this information, there would be an opportunity for the bank to sell specific parts of that information to third parties.
It’s not just the banks, of course. Any company holding personal information about individuals is able to dissect the information you give it and use it for a number of other purposes. How many people carefully study an innocuous document like a hire-purchase agreement, which will contain in it a requirement for the customer to specifically forbid the information to be used for additional purposes, buried in the body of a sea of type?
The ability to mine the database of the customer and use the information for many other marketing purposes — such as ‘spamming’ — has been a major driver behind the integration of financial services companies. The customer database is a very large part of a merger target’s value.
The ethical questions surrounding such matters may escape some eager marketing professionals, as well as the accountants who understand the value of the information their company holds in its database. The most important question is: who owns the right to information about our personal lives?
Privacy has rapidly become a global issue. In the United States, for example, the internet’s largest advertising placement company, DoubleClick, has purchased a vast database that contains the personal details and buying habits of millions of consumers. It plans to merge this with information it already secretly collects about internet users as they visit websites.
Lawmakers in the US have also expressed concern at the failure of some 16 states to enact any kind of internet data protection measures. Telecos, banks, and — unfortunately — insurance companies are the main villains.
American telephone companies are selling their databases to banks, and the banks are in turn selling information to third parties from their credit card databases, which give incredibly accurate information on individuals’ spending habits.
In those 16 states (which include New York) consumers do not have to be asked if they approve of their information being used for other purposes. It will be, and they have no rights at all to keep their information private. That will cause enormous complications for federal legislators working on privacy standards under the Gramm-Leach-Bliley Act (the American version of the CLERP reforms).
Like Australia, the US is relying in the first instance on voluntary compliance with privacy standards. Individual companies are being counselled to set up their own privacy programs with strong compliance measures. Whether that will be enough to keep Congress at bay remains to be seen.
ICA realised several years ago that privacy laws were inevitable, and we should pre-empt the legislators. Experience has shown that federal laws covering such a generic issue are unlikely to address the unique needs and character of the general insurance industry.
But beating the government to the draw wasn’t our main intention. Let me make it plain why the industry went to the trouble of drawing up a set of principles.
For a start, this approach is in line with the industry’s ongoing commitment to provide consumers with transparent services that allow them to deal with insurers with complete confidence. While the interests and confidence of our customers is of paramount importance, we also use technology as a major weapon against fraud.
But we recognise that the industry holds an enormous amount of personal data about individuals. There are more than 37 million policies in force and more than 3 million claims every year. To avoid that personal information being used for inappropriate purposes, we needed a set of protocols that the whole industry could follow. Those protocols would have to be in line with the aspirations of the community as well as any future legislation, but also allow the industry to carry out its business and anti-fraud activities effectively.
The privacy principles drawn up by the ICA were launched by the Federal Attorney-General in August 1998. They were the first formulated in Australia, and pre-empted federal government legislation by nearly three years.
The National Privacy Principles espoused by the Federal Government include a best practice model for business intended to build consumer sovereignty in e-commerce and the Federal Privacy Commissioner’s own National Principles for the Fair Handling of Personal Information, which closely shadow the insurance industry principles. We follow the central requirement that personal information may not be used for any secondary purpose without the consent of the individual.
The Privacy Amendment Bill, which brings the private sector under the same rules that have applied to the public sector since 1998, was introduced into Parliament in April. Now organisations and industries which handle personal information must either develop their own privacy codes or in default follow the National Privacy Principles.
The best practice model discussed by the Minister today is the tool that was needed to show not just what good privacy practices are, but how to achieve them [the model referred to is the Federal government’s Best Practice Model for E-Commerce — see <http://www. ecommerce.treasury.gov.au/html/ecommerce.htm>]. They’ll go a long way to simplifying the matter for many businesses, and further bolster consumer confidence in the use of electronic business to consumer transactions.
It’s worth noting that the model also states the need for privacy principles to be applied not just to dealing with consumers, but also with other businesses. And it includes encourage-ment for foreign companies trading into Australia to also adopt proper privacy practices.
The best practice model follows the Government’s general principle that online information should be as secure as it is in an offline environment. They’re an essential aid for any company or industry setting up its own privacy rules and, as pioneers in this area, we recommend them.
We’re encouraged by the fact that the best practice model embraces the concept of industry self-regulation as the ‘best way’ to achieve the Government’s objective in developing Australia as a centre of excellence in consumer sovereignty and electronic commerce.
Certainly there’s nothing in the model that will disturb insurance professionals. Our industry’s principles cover how insurance companies may collect, use, store and dispose of the personal information of their customers. Put briefly, they should only collect information that is necessary for its legitimate functions or activities, and it should be collected in a fair and unobtrusive way, with the knowledge of the customer.
To ensure employees in the industry understand the thinking behind the principles, rather than just seeing them as a set of rules that apply to people further up the line, we contracted the Insurance Institute to put together a one day training program that included a number of scenarios designed to stimulate discussion on what’s right and what’s wrong.
As insurers develop new approaches to marketing and customer relations, the need for strong, easily understood and easily enforced privacy principles will become more obvious.
The question is: if the information isn’t going to go outside the company, is there really anything wrong with that? And the answer is, of course, that personal information must be handled at all times in a completely confidential manner.
Under the principles the customer has to be told of the purposes for which the information is to be used, who is likely to see it, and how the customer can gain access to it. Insurers must also explain the consequences of withholding any relevant information. If there is no trust, how can we expect the policyholder to be totally honest? The principle of utmost good faith remains paramount.
An insurance company or organisation is also only allowed to use personal information for secondary purposes if it is related to the primary purpose, or the customer has consented to the information being used for the secondary purpose.
The principles are administered in the same way as the industry’s very successful Code of Practice; that is, through the IEC. A board representing the industry and consumers, with an independent chair, is able to monitor the behaviour of signatory companies and apply effective sanctions if the need arises.
The industry system works within the rules laid out in the Federal Privacy Commission, which has wide ranging correctional powers. I don’t, however, foresee a point where punitive action against an insurer would be necessary. Insurers have built up a reputation for complete discretion since the 17th century. The need to protect the privacy of our clients is not a new concept to us. Sometimes that need extends to the people who aren’t even our customers.
On present evidence the insurance industry’s three year old Privacy Principles could be said to be well ahead of their time.
Alan Mason, Chief Executive of Insurance Council of Australia.