1. Objectives of this policy
This policy sets out the way we handle personal information. It explains the sort of personal information we collect, hold and use and how we might disclose this information. We believe it is important we protect personal information we receive in accordance with the Australian Privacy Principles set out in the Privacy Act 1988 (Cth).
2. Types of Personal Information we might collect
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not. This includes but is not limited to an individual’s:
- Date of birth
- Marital status
- Occupation and past occupations (includes place of occupation)
- Financial status (salary, assets )
- Contact details (including telephone, facsimile and e-mail)
- Driver’s or pilot’s licence details
- Car or aeroplane registration
- Bank account details
- Credit card details
- Passport details
- Tax file number*
- Medicare number
- Centrelink customer reference number
*Tax file numbers are subject to “special” rules. We comply with the relevant guidelines issued by the Australian Privacy Commissioner. These are available from the Office of the Australian Information Commissioner’s (OAIC) website: www.oaic.gov.au
Sensitive information is a class of information that is a subset of personal information and is considered as particularly private. It means personal information which is also information or an opinion about an individual’s:
- Racial or ethnic origin
- Political opinions
- Membership of a political association
- Religious beliefs or affiliations
- Philosophical beliefs
- Membership of a professional or trade association
- Membership of a trade union
- Sexual orientation or practices
- Criminal record
In addition, sensitive information means an individual’s health information and the individual’s:
- Genetic Information (that is not otherwise health information)
- Biometric information (that is to be used for automated biometric verification or biometric identification)
- Biometric templates
We will only collect personal information (other than sensitive information) about you where the information is reasonably necessary for the activities or functions we undertake with or for you and/or as otherwise permitted by the Privacy Act. These activities and functions usually involve the purchase of an insurance policy and/or the settlement of an insurance claim or activities associated with the issuing of an insurance policy or paying a claim, such as reinsurance, loss investigation and/or adjustment. This may require us to collect personal information such as your name, age, gender and your employment details. If you are applying for a job with us, we may need personal information such as your qualifications and past occupations. If you are providing a personal guarantee to us related to a surety bond, we may need information about your financial status.
We will collect sensitive information about you if you consent and the information is reasonably necessary for the activities or functions we undertake with or for you and/or as otherwise permitted by the Privacy Act. These activities and functions usually involve the purchase of an insurance policy and/or the settlement of an insurance claim or activities associated with the issuing of an insurance policy or paying a claim, such as reinsurance, loss investigation and/or adjustment. This may require us to collect sensitive information such as your health information. If you are applying for a job with us or if you are providing a personal guarantee to us, we may need sensitive information such as details of any criminal record.
There may also be circumstances where we collect sensitive information without your consent, if permitted under the Privacy Act. Broadly, this includes circumstances which relate to:
- A legal requirement
- A serious threat to your or another’s life, health or safety
- Suspected unlawful activity or serious misconduct
- Locating a missing person
- Exercise or defence of legal or equitable claims g. to establish the validity of your insurance claim
- Confidential alternative dispute resolution processes
- Health information under the circumstances set out in the Privacy Act
In any of these circumstances we will only collect, hold and disclose this sensitive information in accordance with the Privacy Act.
3. The purposes for which we collect your personal Information
We would usually only collect your personal information for one or more of the following purposes:
- To establish and administer a customer relationship with you
- To assess your suitability for a job with us
- To assess your financial status where you are providing us with a personal guarantee
- To provide you with products or services you request such as issuing an insurance policy and assessing/paying a claim on that policy
- To process payments, such as premiums you pay us and policy or employment benefits we pay you
- To monitor or evaluate products or services you purchase or might like to purchase from us
- To gather and aggregate information for statistical, prudential, actuarial or research purposes
- To take measures to detect and prevent fraud
- To comply with our legal obligations
- To resolve a complaint you have made
- For purposes of internal or alternative dispute resolution processes
If we want to collect information for purposes other than those named above we will advise you of the reason we are collecting the information.
We will not generally adopt government related identifiers (such as Medicare numbers, driver licence numbers) as our own identifiers. We may however, use such identifiers where permitted under the Privacy Act. For example, assisting us in identifying you where this is reasonably necessary.
4. How we will collect personal information
Under the Privacy Act, we may only collect personal information by lawful and fair means.
We will collect your personal information directly from you unless doing so is unreasonable or impracticable or you would expect us to collect the information from the nominated third party. For example, where you authorise a representative e.g. an insurance broker, a financial planner, a legal services provider or an agent or carer providing services to you to deal with us on your behalf, we may collect your personal information from your representative.
We might collect your personal information when you or your representative:
- complete a proposal form for an insurance policy
- complete a claim form to lodge a claim
- provide information through our web site
- provide information over the telephone
- provide information in an e-mail
- provide information by post
- provide information by facsimile
- lodge a job application with us
- provide a personal guarantee to us
There may also be occasions when we collect your personal information from a third party or publically available source. This will only be where it is unreasonable or impracticable for us to collect directly from you. Such sources include:
- An underwriting agent
- Your employer
- Your accountant
- A credit reporting body
- Your doctor
- Other medical providers
- A loss investigator
- A loss adjuster
- Insurance References Services (IRS) through their policy and claim database
- A witness to an incident
- Another insurer
- A referee for a job application
- Social media such as Facebook
If you provide personal information to us about another person, particularly if you are acting on behalf of someone else, we proceed on the understanding that in collecting the information you have complied with Australian Privacy Principle 5 Notification of the Collection of Personal Information. Where sensitive information is involved, we proceed on the understanding that you have obtained the person’s consent to collection of the information, or you were otherwise able to collect the information under the Privacy Act. If you have not done, or will not do, either of these things, you must tell us before you provide the relevant personal information to us.
Where we have collected personal information, we may hold it:
- In our electronic environment
- In a paper form in a file
Your personal information will only be available to members of our staff who require access for one or more of the purposes we have disclosed. For example, to our claims team when you make a claim under an insurance policy or our surety team if you are providing a personal guarantee or the appropriate managers if you are applying for a job. How we might disclose your information to a third party is outlined in section 6 of this policy.
In some circumstances, we will deal with you without you having to identify yourself, or where you adopt a pseudonym in your dealings with us. For example, this would apply where you access general information on our products and services through our website or making initial enquiries about a job we are advertising. However, in most cases it would be impracticable for us to provide the product, service or information you require or consider your application for a job with us unless we have identified you. For example, an insurance contract is provided in accordance with the Insurance Contracts Act 1984 which requires both parties to act in good faith and disclose facts pertinent to issuing an insurance policy or paying a claim.
In some circumstances we may also be required or authorised by law to identify you, for example anti-money laundering laws which require us to sight and record details of certain documents in order to meet the standards set under those laws.
5. Unsolicited Information
6. Use or disclosure of your information
We will normally only use personal information for the particular purpose for which it was collected. This would usually involve the purchase of an insurance policy and/or the settlement of an insurance claim, or activities associated with the issuing or administrating of an insurance policy or paying a claim, such as reinsurance, loss investigation and/or adjustment. If you apply for a job with us, the information will be used in the consideration of your application. If you are providing a personal guarantee, we will use the information to assess your financial status.
We may also use personal information for a secondary purpose, but only with your consent or as otherwise permitted under the Privacy Act. For example, where you would reasonably expect us to do so and the secondary purpose is related (or, in the case of sensitive information, directly related) to the primary purpose.
The following are examples of when we might disclose your personal information and to which business partners:
- Getting external assistance or advice, for example from Insurance Reference Services, in assessing whether we might, issue and at what price we might issue you an insurance policy or pay your claim
- When gathering information about an insurance claim made by you
- When a product is provided or supplied by or through a third party g. an underwriting agency
- When dealing with an insurance broker acting on your behalf
- When dealing with an agent employed by you
- When dealing with a carer working for you
- When dealing with other insurers
- When dealing with reinsurers
- When dealing with actuarial advisors
- When dealing with a loss investigator
- When dealing with a loss adjuster
- When dealing with legal providers
- Lead generators and/or data analysts for the purposes of suggesting insurance products to you
- When dealing with our auditors to ensure the integrity of our operations
- If required to do so by regulatory bodies or government agencies
- When the information concerns a missing person
- When required or authorised by law
- Where it involves suspected unlawful activity e.g. a fraudulent claim
- For legal or equitable claims g. to establish the validity of your claim
- Internal or alternative dispute resolution processes
- Where we believe its disclosure would lessen or prevent serious and imminent threat to your life, health or safety, or a serious threat to health or public safety
- For permitted health reasons as set out in the Privacy Act
7. Whether we are likely to disclose personal information to overseas recipients
We do not normally send information out of Australia but we may disclose your personal information to a reinsurer or other business partner who is based overseas. These reinsurers or other business partners are usually based in the USA, Canada, Bermuda, Europe (including the United Kingdom), Singapore and Hong Kong but may be any country in the world. The types of personal information we may send to them would usually be associated with an insurance policy you have with us or a claim you are making on an insurance policy such as, name, address, date of birth, occupation, financial status or if a claim is for personal injury, your health details.
We may use your information for marketing but only as permitted by the Privacy Act.
9. How we maintain and protect your personal information
We will take reasonable steps to ensure that personal information we collect, hold, use and disclose is accurate, up-to-date, complete and relevant.
We are committed to keeping secure the personal information provided to us. We take all reasonably necessary steps to protect the personal information we hold about you from misuse, interference and loss and from unauthorised access, modification or disclosure. We have a range of practices and policies in place to provide a robust security environment. We will ensure the ongoing adequacy of these measures by regularly reviewing them. Our security measures include but are not limited to:
- Ongoing education of our staff as to their obligations with regard to your personal information
- A data security management policy and processes
- A data breach notification management policy and processes
- Employing physical and electronic means including access controls to protect against unauthorised physical access
- Requiring our staff to use passwords when accessing our systems
- Monitors locking if not used for more than 20 minutes
- Only allowing nominated members of staff access to some electronic records. E.g. only claims staff can access claims related personal information
- We store all electronic records on our own dedicated servers
- We back up our data daily to minimise any chance of data loss
- Employing firewalls, intrusion systems and virus scanning tools to protect against unauthorised persons and viruses from entering our systems
- Entering into confidentiality agreements with employees and third parties e.g. any underwriting agents we allow to accept business on our behalf, where we act as an agent for another insurer/reinsurer or reinsurance treaties
- Providing Lockable secure storage for physical records containing personal information
- Security cameras in our head office recording persons in the common areas of all floor and entering and leaving the building
10. How you may access and if necessary correct the personal information we hold about you
You are generally entitled to access the personal information we hold about you. If you wish to access this information we ask that you put this in writing as this will help identify you and assist us in identifying your policy and/or claim number(s) and/or the type of information you wish to access.
We will respond to your request for access as soon as possible (we aim to do so within 30 days) and are required to do so within a reasonable period. The time we need to process your request will depend on the type of information you have requested. There may be circumstances where you are not entitled to access the personal information, such as where:
- It may infringe unreasonably on the privacy of others
- It would involve evaluative information generated in connection with a commercially sensitive decision making process
- It relates to existing or anticipated legal proceedings between us and would not be accessible in those proceedings
- It may cause a serious and imminent threat to the life, the safety or the health of an individual
- The request is vexatious or frivolous
- Access would reveal the intentions of Assetinsure in relation to negotiations with you in such a way as to prejudice those negotiations
- Access would be likely to prejudice an investigation of possible unlawful activity
- You are a current or former employee and we are able to rely on the “employment records” exemption under the Privacy Act
- Giving access would be unlawful
If we are not able to give you access to the personal information we hold about you we will give you reasons as to why we are unable to provide you with access.
11. How you may complain about a breach of the Australian Privacy Principles and how we will deal with such a complaint
If you believe we have made an error or breached this policy and/or the Privacy Act please make a complaint to our Privacy Manager:
By post at: Assetinsure Pty Ltd, PO Box R299, Sydney, NSW 1225, or By email at: firstname.lastname@example.org, or
By phone on: (02) 8274 2898
Our Privacy Manager will review your complaint, consider the facts and aim to resolve the complaint to your satisfaction as quickly as possible. This process must be completed within 30 calendar days.
If you are not satisfied with our review, you may take your complaint to the Australian Financial Complaints Authority (AFCA) which is a recognised external dispute resolution scheme. We can provide you with contact details for AFCA.
Lastly, the Office of the Australian Information Commissioner also has the power to investigate complaints and recommend appropriate action to remedy your complaint. You can contact the Commissioner on 1300 363 992, by post, to the Privacy Commissioner at, GPO Box 5218, Sydney 2001 or by email on email@example.com.
12. How we de-identify or destroy any personal information held by us when we no longer require it
We do not believe that there is a time when we can safely say we no longer need to hold your personal information. Insurance claims can be made many years after a policy has expired or a claim can be reopened many years after it was originally closed. For example, for an injury occurring to a child, a claim could be made up to at least 24 years after the injury occurred. For some types of insurance the claim is made on the date it is discovered not when the injury or action occurred. This could conceivably be in 40 or 50 years-time.
The Federal Insurance Regulator, the Australian Prudential Regulation Authority and potential claimant’s expect insurers to be able to pay all valid claims whenever they are made. We could not say with certainty we could do this if we destroyed or de-identified any of the personal information we hold.
We take the precautions outlined in section 9 for all personal information we hold regardless of how old it is.
13. Links to other web sites
Our website may contain links to websites that are not owned or controlled by Assetinsure. Whilst such links are provided for your convenience, you should be aware that the information handling practices of the linked websites might not be the same as ours.
14. Review of this policy and processes
This policy will be annually reviewed with the current policy available on our website.