Banking and Financial Services Insights

30 April 2004

Privacy update: N v Private Insurer

By Mark Sammut and Amanda-Jane Lovering.

Key Points:
Authorities allowing insurers and financiers to collect and disclose personal information should not be drafted too widely.

It is common practice for insurers to require an insured to sign an authority allowing them to collect and disclose the insured's personal information so a claim can be assessed. However, because of a recent decision of the Federal Privacy Commissioner, N v Private Insurer [2004] PrivCmrA 12, financiers as well as insurers must ensure such authorities are not drafted too widely.

The National Privacy Principles ("NPPs")

The NPPs were introduced on 21 December 2001 by the Privacy Amendment (Private Sector) Act 2000 (Cth), as a means of protecting an individual's personal information from misuse and disclosure by private sector organisations with an annual turnover of more than $3 million, including insurers and banks. If an organisation fails to comply with an NPP, the aggrieved individual may complain to the Commissioner and seek compensation from the non-complying organisation.

Facts of the case

The complaint was over an authorisation clause in an insurance contract that made broad statements regarding the collection and disclosure of information for the purpose of assessing a claim.

The complainant alleged that the form was too broad, in that it:

  • allowed for the collection of personal information from third parties that was not necessary for the determination of the claim;
  • allowed for the disclosure of personal information to types of organisation that were not made known to the individual; and
  • was open-ended, with only one form required to be signed for the collection of information from any and all third parties.

Insurers and those in the banking and finance industry can glean a number of important points from the Commissioner's decision which upheld the complaint.

Is the collection for a legitimate purpose?

NPP 1.1 provides that an organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.

The Commissioner considered the wording contained in the insurer's authority to determine whether it complied with NPP 1.1. The insurer's form stated: "I authorise any medical attendant consulted by me or any hospital attended by me, to divulge to [the insurer] or any legal tribunal, any health or other information acquired with regard to myself."

The Commissioner concluded that the wording contained in the insurer's authority was at odds with NPP 1.1 as it:

  • did not limit the scope of the information to be provided by third parties to that which would be relevant to the claim; and
  • did not limit the period within which the insurer would collect the information.

To remedy its non-compliance with NPP 1.1 the insurer amended its authority to:

  • provide a list of the organisations from which the insurer may obtain information;
  • remove the words "any legal tribunal" in order to narrow the scope of the organisations to which such information could be disclosed;
  • specify the purpose for which the insurer requires the information, by inserting the words: "which is necessary to properly assess my entitlement under this policy or plan"; and
  • specify that the authority for release of the personal information is valid only while the entitlement to a claim is assessed.

Who is the information to be disclosed to?

NPP 1.3(d) requires that "at the time of, or before the information is collected, the person must be made aware of… the purpose for which the information is collected and the organisations or types of organisations that the information is usually disclosed to."

In considering whether NPP 1.3 applied to this situation, the Commissioner once again looked to the wording of the authority. The authority stated that:

"I understand that [the insurer] may be required to submit all documentation to a Mediator, Solicitor, Complaints Resolution Tribunal or Court or to any other person necessary for claims determination purposes including the Trustees of any Superannuation Plan."

The Commissioner concluded that the words "to any other person necessary for claims determination purposes" failed to adequately identify the type of organisation to which the information could be disclosed. On this basis, the insurer deleted those words from the authority.

Is one form sufficient?

The complainant also argued that a single signed authority to access personal information was insufficient to allow the insurer access to all such information held by all third parties.

The Commissioner decided that, pursuant to NPP 10.1(e), there is no obligation to obtain a separate authority for each third party: a single signed authority was sufficient.

Lessons to be learnt

This decision clearly indicates that the NPPs have wide-ranging implications for insurers and organisations within the banking and finance sector. The facts on which the case was decided indicate that prudent insurers, and other organisations within the banking and finance industry generally, should review the documentation they use to obtain and disclose personal information to ensure it:

  • only requests authority to collect personal information that is necessary for the determination of the individual's claim; and
  • only discloses personal information to organisations, or types of organisations, of which the individual has been made aware or could reasonably expect to receive it.

For further information, please contact Mark Sammut.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states or territories.