Guidance on proper handling of customers' personal data for the insurance industry in Hong Kong

23 November 2012

Marcus Vass, Pearl Lam

Personal Information Collection Statement (PICS)

A PICS should contain: (1) a Purpose Statement stating the purposes of collecting the data; (2) a Transferee Statement stating the classes of persons to whom the data may be transferred; (3) the consequences of customers failing to supply the data; and (4) the customers’ rights of access to and correction of their data. The provision of a written PICS is recommended. If data is collected for the same purposes and a PICS has been given to the customer in the immediate past 12 months, it is not necessary to provide him/her with the same PICS again.

Collection of customers’ medical data

The collection of medical data should not be excessive and the means of collection must be fair and lawful. Obtaining information by deception or misrepresentation would not be considered fair means of collection of data.

Collection of Hong Kong Identity Card (HKIC) number and copy

The circumstances listed in paragraph 2.3.3 of the Code of Practice on the Identity Card Number and other Personal Identifiers (PI Code), regarding when a data user may collect a customer’s HKIC number, are particularly relevant to insurance transactions. Insurance institutions (II) must comply with paragraph 3.2 of the PI Code and may only collect a copy of the HKIC where the collection is authorised by law or is needed to provide proof of statutory compliance.

Engagement of private investigators in insurance claims

Under section 65(2) of the Personal Data (Privacy) Ordinance (PDPO), an insurer may be held liable for the acts of the private investigator appointed by it. A private investigator must use fair and lawful means in collecting personal data, and the data collected must not be excessive. Obtaining information covertly is generally not considered a fair means of data collection. Active measures, such as practical guidelines, should be taken to prevent investigators from contravening the requirements of the PDPO.

Collection and use of personal data in direct marketing

II should ensure the means of collection are lawful and fair. In addition, they should ensure that the use of the personal data for the intended marketing activities is within the original purposes of use of the data. Otherwise, prescribed consent for the intended change of use must be obtained from the customers beforehand. “Bundled consent” would not be accepted as a valid or effective prescribed consent for any change of use of personal data. For personal data extracted from public registers or directories, II should ensure that the permitted use of the personal data includes the intended marketing use.

Retention of customers’ personal data

II should devise and implement clear privacy policies and practices to ensure the data are erased after the purposes of collection have been fulfilled. II may generally retain personal data of customers for not more than seven years after the end of the business relationship. II should also establish policies and practices in relation to the retention of customers’ personal data by their insurance agents or representatives.

Use of customers’ data for internal training

Any sharing of the data amongst the staff or insurance agents or representatives of the II should be avoided unless it is necessary for the purposes of providing insurance services to the customer concerned and on a “need-to-know” and “need-to-use” basis. During staff training, II and their trainers should not share any information that may enable identification of the customers or beneficiaries.

Access to, storage and handling of customers’ personal data by staff and agents

The security level of safeguards implemented by II should reflect the sensitivity of the data and the seriousness of the potential harm that may result from a security breach. The Privacy Commissioner recommended security measures to ensure integrity of staff and agents of II.

Handling of data access requests

A data access request may be made by the individual himself or by a relevant person. No excessive fee should be charged for complying with a data access request. If a data access request is refused, II should inform the requester of the refusal and the reasons for it within 40 days after receiving the request.

For further information please contact:

Marcus Vass, Partner
Pearl Lam, Associate