The Privacy Act 1988 is Commonwealth legislation which regulates the manner in which certain organisations collect, use and disclose personal information.
Compliance with privacy legislation is mandatory for insurance companies.
It is also mandatory for certain types of companies including health service providers, credit reporting agencies and any company that has an annual turnover of at least $3 million.
Privacy law dictates what type of information companies can collect about you and how they can use it.
Insurance companies collect your personal information to perform the services they provide. This includes evaluating your application for insurance and any claim you make. Typically, insurance companies collect information such as your name, age, date of birth, address and contact details. If you have pre-existing medical conditions, they may also ask you to provide health data.
An insurance company can use your information in any way which could be reasonably expected. This could include providing data to and/or requesting data from associated entities including hospitals, emergency assistance providers, claims handling entities, investigators and legal advisers.
The key here is that your information can only be used for purposes connected to the services the company provides to you. It cannot sell your data or use your information for any purpose that is not related to the issue and management of your insurance policy.
At any time, you can ask a company to tell you what information it holds on file about you. The company must action this request in a reasonable fashion. This is generally considered to be no longer than 30 days. In some instances, the company can decline this request. Examples of situations in which a company can decline your request to obtain access to your data include the following:
- Where it reasonably considers that giving access would pose serious threat to the life, health or safety of any individual or public.
- Where providing access would cause an unreasonable impact on the privacy of others.
- Where the request is frivolous or vexatious.
- Where the information relates to legal proceedings (actual or anticipated) between you and the company.
- Where the company has reason to suspect that unlawful activity has occurred and that providing the requested information would unduly prejudice its position.
Where a company refuses to give access to the personal information it holds on file about you, it must provide its reason in writing. The company must also provide you with information about how you can make a complaint.
Privacy legislation gives individuals more control over the way their personal information is handled. But, it can be a double-edged sword, particularly if you want someone to liaise with the company on your behalf.
Remember, the company is legally obliged to protect your privacy and so this often means that a company is unable to discuss your situation with another person – even if you have asked that person to contact the company on your behalf.
Let’s look at a few examples.
John is travelling overseas and his backpack has been stolen. His phone and laptop were in the backpack so it is not easy for him to call his insurance company. John asks his Mum to call the insurance company to notify the loss and ask how the insurance company can help him.
Unfortunately, because John is an adult, the insurance company cannot legally discuss John’s policy with his mother. At best, it can enter into “In Principle” discussions about how the policy would generally respond to a theft situation. However, the company representative cannot provide John’s mother with any information about John, the type of policy he has and how it can help him.
Madelaine is in rural China. She is worried that her insurance policy may have lapsed. Madelaine manages to get a WhatsApp message to her boyfriend in Australia and asks him to contact the insurance company to find out when her policy will end. Unfortunately, the insurance company does not have Madelaine’s authority to liaise with her boyfriend about her policy and the enquiry is not able to be satisfied.
Situations like these can be overcome with a little advance preparation.
The simplest way to avoid the frustration of someone not being able to manage your policy on your behalf while travelling is to pre-authorise them to do so. This simply means contacting the insurance company before you travel and asking them to note that you authorise your Mum / Dad / partner / friend or whoever you want to act on your behalf. The insurance company will probably look to confirm your identity before accepting this authorisation but the mechanism to do this does exist. It is a simple solution to a frustrating problem and ensures that you can get information and help in situations where you may not be easily contactable while travelling.