Two guidance notes of relevance to the insurance industry were issued recently. In September 2012, the Office of the Commissioner of Insurance Hong Kong ("Insurance Commissioner") issued the "Guidance Note on Outsourcing" (GN14) (the "Outsourcing GN", available here) to provide guidance to authorised insurers on managing the risks associated with outsourcing, and to set out the supervisory approach taken by the Insurance Authority ("IA") in respect of such outsourcing arrangements.
This was followed in November by a guidance note issued by the Hong Kong Privacy Commissioner for Personal Data (the "Privacy Commissioner"), "Guidance on the Proper Handling of Customers' Personal Data for the Insurance Industry" (the "Privacy GN", available here), which gives the insurance industry practical guidance on complying with the Personal Data (Privacy) Ordinance, Cap. 486 (the "PDPO") when collecting and using customers' personal data.
We highlight below the major recommendations discussed in the Privacy GN. Our Newsflash relating to the Outsourcing GN may be accessed here.
GUIDANCE ON THE HANDLING OF PERSONAL DATA BY INSURERS
The number of complaints filed with the Privacy Commissioner involving insurance companies has risen in recent years. This, along with the fact that insurance companies maintain large customer databases, and frequently conduct direct marketing activities, has led to the Privacy Commissioner issuing the Privacy GN.
The Privacy GN provides practical guidance to the insurance industry on how to comply with the PDPO. The Privacy GN amalgamates recommendations contained in a number of previous guidance notes and codes of practice which apply to all industries and sectors, and distils them to provide a comprehensive summary of data protection issues relevant to the insurance industry.
Personal Information Collection Statements
Data users are required to provide the following information to data subjects, on or before the time of collection of personal data: (i) whether it is obligatory or voluntary for them to provide the data (and the consequences of failing to do so); (ii) the purpose of collection of the data; (iii) any potential transferees; and (iv) details about the rights of the data subject to access/correct the data.
The Privacy GN recommends setting the above information out in a personal information collection statement ("Collection Statement") attached to documents used by insurers to collect personal information (e.g. insurance application form or claim form), or otherwise provided to the customer prior to collecting the data (e.g. using a recorded message when data is collected via the telephone). Where the Collection Statement is provided verbally, it is recommended that a written version of the Collection Statement is sent to the customer as a follow-up. The Collection Statement should be easy to read and locate (e.g. in a stand-alone section, with a prominent heading, in a font size that is easy to read and in simple language).
Insurance companies may collect personal data for different purposes in different situations (e.g. personal data obtained in an insurance application form may be used for a wider range of purposes than data obtained in a claim form (where the purpose may be confined to assessing the particular claim)), and care should be taken to ensure that the Collection Statement used in each situation is tailored accordingly.
Where personal data is collected repeatedly from a customer for the same purposes within 12 months of the Collection Statement being notified to the customer, it is not necessary to provide another copy of the Collection Statement. However, a further copy should be provided where data is collected more than 12 months after the initial notification, even if the purpose of collection is the same.
HK ID numbers and copies
Insurance companies must ensure that they comply with the "Code of Practice on the Identity Card Number and other Personal Identifiers", issued by the Privacy Commissioner in December 1997 (available here) when collecting HK ID numbers and copies. HK ID numbers and copies may be collected in the following situations:
- ID number may be collected where it is necessary to enable the correct identification of the customer, to prevent detriment to any person (other than the insurance company) or to safeguard against damage or loss on the part of the insurance company (e.g. where necessary to ensure that a claim is paid out to the correct person).
- ID card copy may only be collected where authorised by law or to provide proof of compliance with a statutory requirement (e.g. in order to prove compliance with anti-money laundering legislation requiring insurance companies to verify the identity of customers).
Direct marketing
Companies are required, on the first occasion that they use customer data for direct marketing purposes, to inform the customer that they may opt out from receiving marketing materials at any time. The Privacy GN refers insurance companies to the "Guidance Note on the Collection and Use of Personal Data in Direct Marketing", issued by the Privacy Commissioner on 18 October 2010 (the "DM Guidance Note", available here) and the "Code of Practice on Person-to-Person Marketing Calls", issued by the Hong Kong Federation of Insurers on 5 January 2011 (available here), and makes a number of recommendations including:
- When making cold calls to potential customers, insurers must ensure that the use of customers' personal data for such purposes is covered by (or directly related to) the purpose for which the data was collected, and that customers are informed of their right to opt-out.
- Opt-out lists should be properly managed to ensure that contact is not made with a customer who has previously opted-out.
- Personal data should not be obtained from public registries or databases (e.g. government databases) for marketing purposes by misrepresenting the reason for obtaining the information.
Under the amendments to the direct marketing provisions of the PDPO which are set to come into effect next year (tentatively 1 April 2013) ("Direct Marketing Amendments"), data users will be required to provide the following additional notification to their customers/potential customers before using personal data for direct marketing:
- their intention to use customers' data for direct marketing purposes (and that they cannot do so without consent);
- the categories of data that will be used for such purposes;
- the goods/services that may be marketed;
- the transferees of the data (if applicable); and
- the fact that the data may be sold or otherwise transferred for gain (if applicable),
("Direct Marketing Notification").
The Direct Marketing Notification will usually be contained in the Collection Statement notified to customers at the time of collection of the personal data. The DM Guidance Note will be updated to provide guidance on how the Direct Marketing Amendments may be complied with prior to these amendments coming into force.
Data retention
Insurance companies should implement data retention policies to ensure that data is not kept longer than is necessary for the purpose for which it was collected, or for satisfying any statutory requirements and applicable guidelines (e.g. record retention requirements under anti-money laundering legislation). Such policies should also apply to the company's insurance agents and representatives.
Generally speaking, personal data should not be retained by insurance companies for longer than 7 years after the end of the business relationship. However, shorter or longer retention periods may be justified in certain circumstances (e.g. where an unsuccessful insurance application involves a monetary transaction, the retention period should generally not exceed 7 years, but where no monetary transaction is involved, the retention period generally should not exceed 2 years). Insurance companies should avoid applying rigid retention policies to all personal data in all circumstances. Where personal data no longer needs to be retained it should be securely destroyed/deleted (or otherwise rendered anonymous) in accordance with the "Guidance Note on Personal Data Erasure and Anonymisation" issued by the Privacy Commissioner on 11 January 2012 (available here).
Use of private investigators
Insurance companies regularly engage private investigators to investigate suspicious claims. It is important for insurance companies to note that they remain liable for the acts of private investigators they engage to investigate insurance claims. With this in mind, steps should be taken to ensure that such investigators do not contravene the PDPO: it is not sufficient merely to have agreements in place requiring investigators to comply with the relevant laws, and practical guidelines should also be implemented to ensure compliance with the PDPO.
Insurance companies should ensure that their private investigators do not use unlawful or unfair means to collect data on behalf of an insurance company (e.g. hacking into computers or stealing documents) and that they only collect information absolutely necessary for the purpose of carrying out the investigation (e.g. unrelated information regarding a customer's private life should not be collected). Covert surveillance techniques would usually not be considered as fair means of collection, however, this may be justified in certain circumstances.
Access, storage and handling of personal data by staff and agents
Insurance companies may incur liability for the acts of other kinds of agents, such as insurance agents and representatives when providing insurance services on a company's behalf, as well as acts of IT contractors, marketing agents or loss adjustors when acting under the authority of the company. Adequate security safeguards and protections should be implemented to ensure the protection of personal data held by insurance companies (including their staff, agents and representatives), taking into account the degree of sensitivity of the data and the seriousness of potential harm that may result from its misuse. The Privacy GN contains a number of recommended security measures, including:
- Implementing procedures and policies for handling of personal data by staff and agents; and conducting regular training on personal data handling and protection;
- Restricting access to personal data on a "need-to-know" basis;
- Requiring staff/agents to sign a confidentiality statement with respect to personal data accessed in the course of their employment/agency;
- Selecting reputable contractors which offer sufficient security guarantees; ensuring that protections are built into the contract with such contractors; and providing clear instructions as to the use, transmission, storage and destruction of personal data by contractors;
- Implementing adequate IT security measures (e.g. password protection and encryption);
- Displaying a prominent warning message upon access to the customer database stating that information may not be exported or saved without authorisation; and
- Ensuring the secure destruction of files containing personal data (e.g. shredding hard copy files, and thoroughly erasing electronic copies).
Insurance companies should refer to the "Information Leaflet: Outsourcing the Processing of Personal Data to Data Processors", published by the Privacy Commissioner on 27 September 2012 (available here) and the Outsourcing GN (discussed in a separate Newsflash which can be accessed here) for more information regarding the use of third party data processors, and the "Guidance Note on the Use of Portable Storage Devices", published by the Privacy Commissioner on 31 October 2011 (available here) for a discussion of the data protection issues associated with storing personal data on portable storage devices.
Data access requests
Customers have the right under the PDPO to be informed whether insurance companies hold personal data about them (e.g. in application forms, claim forms, medical report, risk assessment questionnaires etc.), and if so, to access/correct such data. Such requests can also be made by a "relevant person" on behalf of the customer (e.g. a person authorised in writing by the customer, a parent of a customer aged under 18 years, or a guardian of an incapacitated customer). Insurance companies should refer to the "Guidance Note on Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users" published by the Privacy Commissioner on 26 June 2012 (available here) when handling data access requests.
Data access/correction requests should be complied with within 40 days of receipt, unless one of the exceptions set out in the PDPO applies. For example, an insurance company may refuse to comply with a data access request where compliance would involve disclosing the personal data of another person, but this exception does not apply where such data can be removed/redacted (e.g. an insurer generally may not refuse to provide a pre-insurance medical report to a customer on the grounds that it contains the personal data of the examining doctor, since the insurer may redact or remove that data before supplying the report to the customer).
Other practical tips for complying with the PDPO
The Privacy GN recommends that insurance companies should take a number of additional steps to ensure compliance with the PDPO, including:
- Evaluating whether it is necessary to collect each category of personal data (e.g. it may not be necessary to collect medical data relating to an old knee surgery when assessing a claim for surgery to remove tonsils);
- Ensuring that customer address data is kept up to date to avoid accidental disclosure of personal data to third parties;
- Conducting staff training to ensure that personal data is not used for a purpose other than the purpose of collection without prescribed consent from the relevant customer; and
- Ensuring that personal data is not shared as part of case studies used for internal training purposes.
Implications for the insurance industry
A breach of the Privacy GN does not of itself constitute a breach of the PDPO, but this may be used as evidence against a company in the event of an investigation by the Privacy Commissioner. Following the amendments to the PDPO which took effect on 1 October 2012, the Privacy Commissioner's enforcement powers have been enhanced. Previously the Commissioner was only able to issue an enforcement notice following an investigation where the contravention was continuing or likely to be repeated. This is no longer the case and the Privacy Commissioner is now empowered to issue an enforcement notice in all cases where a contravention has been found, irrespective of whether evidence exists to indicate that the contravention is continuing or is likely to be repeated. The Privacy Commissioner has been active recently in using these enhanced powers.
The fact that the Privacy Commissioner has issued a guidance note specifically relating to the insurance industry is a likely indication that he intends to pay close attention to this industry in the future. Insurance institutions are advised to conduct a comprehensive review of their data protection policies, procedures and practices to determine whether they comply with the requirements set out in the Privacy GN (e.g. revising personal information collection statements, forms used to collect personal data, retention policies, security measures, direct marketing activities etc.).
Insurance companies should tailor their Collection Statements to reflect the particular circumstances of collection. For example, personal data obtained in an insurance application form may be used for a wider range of purposes than data obtained in a claim form (where the purpose may be confined to assessing the particular claim). While it may seem burdensome to create different versions of a Collection Statement for different forms, this can be advantageous as it may result in shorter legal terms being inserted on some forms.
The fact that companies will be liable for the acts of their insurance agents, representatives and contractors means that greater care should be taken by insurance companies when entrusting the collection/processing of personal data to such third parties. It is important that agreements are put in place with such third parties requiring them to comply with the provisions of the PDPO (and indemnifying the insurance company in the event of misuse). Care should be taken when selecting such third parties, and only companies that have suitable policies and procedures in place for the protection of personal data should be selected.