If your business or organisation has a turnover greater than 3 million per year, the significant changes that were made to the Australian Privacy Act on 12 March 2014 are likely to apply to your organisation. A compliance program should be implemented to ensure any personal information that is used or disclosed by the organisation is appropriately protected.

The reforms implemented 13 new Australian Privacy Principles, with substantial changes being made to the principles surrounding direct marketing and cross-border disclosure of information. Additional changes to the Act implement changes to the credit reporting regime that will be particularly relevant to insurers if they undertake online credit reference checks on insureds or other individuals.

Relevantly, the Act applies only to personal information. It does not extend to the use and disclosure of business data.

A number of key elements need to be considered by insurers, insurance brokers and reinsurers. They are:

  • If you collect personal information (which is any information that could disclose the identity of an individual – name, email address, telephone number, residential address), the Privacy Act will be applicable to you.
  • The notification and consent requirements dictated by the privacy principles need to be implemented. Are your insureds aware of the use you will make of their information and the way in which you will disclose it?
  • Is any personal information being disclosed to overseas entities? If you use the cloud, where is the server located? Do you exchange information with a head office overseas? If so, have your insureds received relevant notification of that fact? Have you compelled the overseas recipient of the information to comply with the Australian Privacy Principles?
  • Do you undertake credit searches in relation to insureds or other parties? If so, have you received express written consent from the party in question to undertake those searches?
  • Have your staff been trained in relation to the security measures that need to be taken to protect personal information?
  • Are you and your staff aware of the penalties for breaching the privacy legislation? Those penalties are up to $1.7 million for businesses and $340,000 for individuals.
  • If you utilise credit reference facilities, are you aware that in 12 months’ time you may need to be a member of an External Dispute Resolution Scheme?
  • Do you have a formal privacy policy available online and for inspection upon request? Does that policy address each of the 13 privacy principles?
  • Do your contractors, suppliers and other parties to whom you may provide personal information, or from whom you receive personal information, give warranties that they have complied and will comply with the Australian Privacy Act?
  • Do you have an internal privacy compliance program and an agreed privacy process that will be undertaken to deal with disputes?
  • If you, or any party you release information to, are engaged in direct marketing of your goods and services (or the goods and services of a third party), have you received express consent from the person to use their information for this purpose? If not, do any of the exemptions under the Act apply?

Consent has always been a necessary element in relation to any privacy dispute. Insurers must ensure that their practices and processes incorporate procedures through which the consent of individuals is received, confirming they are aware of the purpose for which the information is collected and the uses and disclosures that may be made of it.

Given the size of the fines that the Australian Information Commissioner is able to impose, and the greater public and legal awareness of the privacy rights of individuals, it is essential that all insurers, underwriters, brokers, investigators, claims managers and any other party involved in the industry are aware of, and take steps to comply with, their obligations under the Act.