Data Protection & Privacy in the Insurance Sector
The digital revolution in India has disrupted the business environment in all industries, and the insurance industry is no exception. Digitization enhances efficiency and reduces the cost of transacting business; however, several challenges to the adoption of emerging technologies remain, such as disruption of the traditional insurance ecosystem, uncertain consumer adoption, return on investment, and data privacy and security.
Emerging technologies usually deal in customer data, which can be used to derive insights into customers' historical health issues and behavioural patterns. Increasing regulation of customer personal data, both around the globe and in India, will continue to pose additional challenges for insurers and insurance providers alike.
The Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) set out the general framework with respect to data protection in India.
However, given the nature of the business of insurance companies and intermediaries, the Insurance Regulatory and Development Authority of India (IRDAI) has prescribed an additional framework for the protection of policyholder information and data, which is required to be followed in addition to the general framework under the IT Act.
Regulatory Framework Governing Insurance Companies
The IRDAI has made it mandatory for all the insurance companies to ensure the protection and maintenance of confidentiality of all the information that they have collected. Below are some of the relevant data protection regulations applicable to insurance companies:
- IRDAI (Maintenance of Insurance Records) Regulations, 2015 – Pursuant to Regulations 3(3)(b) and 3(9), insurers are required to ensure that the system in which the policy and claim records are maintained has adequate security features, and that the records pertaining to policies issued and claims made in India (including records held in electronic form) are held in data centres located and maintained in India.
- IRDAI (Health Insurance) Regulations, 2016 – Pursuant to Regulation 35(c), insurers, third party administrators (TPAs) and network providers (i.e., hospitals) are required to comply with data-related matters as may be specified in guidelines prescribed by the IRDAI (if any).
- IRDAI (Protection of Policyholders’ Interests) Regulations, 2017 – Pursuant to Regulation 19(5), insurers are required to maintain total confidentiality of policyholder information unless it is legally necessary to disclose it to statutory authorities.
- IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017 – Pursuant to Regulation 12, insurers are required to ensure that:
- the outsourcing service provider has adequate security policies to protect the confidentiality and security of policyholder information;
- information and data parted to outsourcing service providers remain confidential; and
- customer data is retrieved, with no further use of it by the service provider, once the outsourcing agreement is terminated.
Regulatory Framework Governing Insurance Intermediaries
Intermediaries in the insurance sector, such as brokers, individual agents, corporate agents, third party administrators (TPAs), surveyors, loss assessors and web aggregators, serve as a bridge between customers and insurance companies by facilitating the selection and purchase of insurance products and assisting in the servicing of policies and the assessment of claims.
Intermediaries are therefore also bearers of confidential information and are subject to the obligations relating to data protection and preservation of confidentiality prescribed by the IRDAI.
Whilst each intermediary is subject to its own regulations and code of conduct as set out in the table hereinbelow, the provisions relating to protection of policyholder data are common to all intermediaries. Inter alia, they prescribe that insurance intermediaries:
- treat all information supplied to them by prospective clients as completely confidential to themselves and to the insurer(s) to which the business is being offered; and
- take appropriate steps to maintain the security of confidential documents in their possession, including by restricting access to such information, executing confidentiality undertakings, etc.
While a similar regime has been prescribed for insurance surveyors and loss assessors, the extant regulations permit surveyors and loss assessors, as an exception, to disclose information pertaining to a client, employer or policyholder to a third party only where the necessary consent has been obtained from the interested party.
It is, however, clear that surveyors and loss assessors are prohibited from using (or appearing to use) any confidential information to their personal advantage or to the advantage of a third party.
Specifically, in relation to TPAs, the IRDAI (Third Party Administrators – Health Services) Regulations, 2016 (TPA Regulations) require TPAs not to share the data and personal information of customers received by them for servicing insurance policies or claims.
A limited exception to this rule has been carved out for disclosure of confidential information to any court of law, tribunal, government or the IRDAI in the event of any investigation being carried out (or proposed to be carried out) against the insurer, TPA or any other person or for any other reason.
The aforesaid exception is similar to the carve-out under Rule 6 of the SPDI Rules, which permits government agencies mandated under law to obtain information (including sensitive personal data or information) for specified purposes, without obtaining the prior permission of the provider of such information.
Insurance Regulatory Sandbox
A ‘Regulatory Sandbox’ is a testing environment created by the relevant regulatory authority to give market players an opportunity to execute and test their innovative products, services, business models and delivery mechanisms safely, securely and in an orderly manner, with the aim of protecting customers while at the same time safeguarding the interests of stakeholders.
Shortly after the issuance of the RBI Regulatory Sandbox, on 18th May 2019, the IRDAI issued the “Draft Insurance Regulatory and Development Authority of India (Regulatory Sandbox) Regulations, 2019” (IRDAI Regulatory Sandbox).
The objective of the IRDAI Regulatory Sandbox is to strike a balance between the orderly development of the insurance sector on the one hand and the protection of policyholders' interests on the other, while facilitating technological innovation by relaxing provisions of existing IRDAI regulations for a limited scope and a limited duration.
On approval of an application, the IRDAI chair may relax the applicability of one or more provisions of any regulations, guidelines or circulars requested in the application, subject to the conditions of approval or any other conditions the chair deems necessary.
The Regulatory Sandbox Regulations expressly state that no relaxation will be granted in relation to the Insurance Act 1938 or the Insurance Regulatory and Development Authority (IRDA) Act 1999.
The underlying objective of the regulation is to encourage good data practices and retain customer trust in insurance businesses. Rather than treating it as a mere compliance task, companies should welcome the newly introduced regulations as an opportunity to win customer trust and gain competitive advantage.
Though insurers may be acutely impacted by the regulation, their path to compliance is similar to any other impacted sector: revisiting systems and processes to assess readiness for this regulation and investing in filling gaps.