As the world shifts toward the fundamentals of transparency, security, and accountability, the protection of data and the Right to Privacy become increasingly important. Data Protection laws and regimes are drawing lots of attention from stakeholders across the globe, and several industries and sectors are being directly affected by the implementation and acknowledgment of data protection laws.
One such sector which is taking this beating is the Insurance Industry. Data Protection regulations are creating a significant impact on the insurance sector due to the large amount of personal data and sensitive personal data processed by insurers.
In India, the very recent incident that happened with the Indian Railway Catering and Tourism Corporation (“IRCTC”), ticketing, catering, and tourism services provider for railways, wherein it temporarily suspended the services of Bajaj Allianz and Liberty General Insurance, raised the eyebrows of the stakeholders.
This comes after IRCTC discovered a vulnerability on insurers’ websites that puts passengers’ personal data at risk. The vulnerability called Insecure Direct Object Reference (“IDOR”) allowed anyone to acquire the information of the passengers such as the name, journey details, phone number, gender, and age along with the name of the passenger’s nominee for insurance pay-out, and all this without putting any checks and balances on the entity accessing, collecting, storing or analysing such data.
The said data breach has been discussed in detail in our recent blog: IRCTC takes down Bajaj Allianz and Liberty General Insurance from its Platform for Data Privacy Issues
Therefore, given such a concerning position of the Insurance Sector when it comes to Data Protection, this Article aims at analysing the position of the Indian Data Protection regime on the issue of Data Protection by the Insurance Industry.
REGULATORY NORMS ON DATA PRIVACY IN THE INSURANCE SECTOR IN INDIA
The Union Government formed a Committee of Experts to deliberate on a data protection framework in 2017, a month before the Supreme Court issued its verdict in Justice K.S. Puttaswamy (Retd.) v. Union of India, AIR 2017 SC 4161 (hereinafter referred to as “Puttaswamy Case”). The Union Government came out with the Personal Data Protection Bill, 2019 and referred it to a 20-member Joint Parliamentary Committee (hereinafter referred to as “Committee”). This Committee finally released its report, which included the Draft Data Protection Bill for 2021 (hereinafter referred to as “the Bill”), after nearly two years.
In absence of this Bill being an enacted legislation, it becomes important to understand and place reliance on the statutes and rules that are currently in place and applicable. Here, the Information Technology Act, 2000 (hereinafter referred to as “IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules of 2011 (hereinafter referred to as “SPDI Rules”) lay out India’s overall data protection framework.
Additionally, the Insurance Regulatory and Development Authority of India (hereinafter referred to as “IRDAI”) has prescribed an additional framework for the protection of policyholder information and data, which must be followed in addition to the general framework under the IT Act.
The IRDAI has made it necessary for all insurance companies to secure and maintain the confidentiality of all the data that they gather in the regular course of their business. Some of the key data protection regulations that apply to the insurance sector are listed below:
1. IRDAI (Maintenance of Insurance Records) Regulations, 2015 – The Regulation 3(3)(b), 3(9); stipulates that the insurers shall ensure that the data collected is kept in data centers that are maintained and located in India. This data generally contains the information related to the policies taken by the insured, the claim records etc., even in the electronic form. And it is to be ensured that; the system in which these are contained should be reinforced with adequate security features.
2. IRDAI (Health Insurance Regulations), 2016 – According to Regulation 35(c); insurers, third party administrators and network providers (for instance, the hospitals) are bound by the provisions and guideline prescribed by IRDAI.
3. IRDAI (Protection of Policyholders’ Interests) Regulations, 2017 – By the virtue of Regulation 19(5); unless the authorities established by statute legally compel the insurers to disclose some information, they are mandated to assure total confidentiality of policyholder data.
4. IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017The Regulation 12 of the said Regulations impose a duty on the insurers to see to that the data given to outsourcing service providers remain confidential; and that the outsourcing service provider has adequate security framework for protection of the data. Also, it is ensured that it is retrieved with no further use of the same from the service provider once the outsourcing agreement is terminated.
5. Regulatory Framework Governing Insurance Intermediaries – All the participating intermediaries in the insurance sector are also generally in the possession of the data of the users, as they act as the facilitator between the customers and insurance companies. Hence, even they are bound by the guidelines and regulations of the IRDAI for maintaining the security of confidential data in their possession.
Interestingly, the IRDAI (Third Party Administrators – Health Services) Regulations, 2016, prohibit the third-party administrators to share data and personal information about the consumers that they receive for the purpose of servicing insurance policies or claims.
However, disclosure of such data can be done before any Court of Law, Tribunal, Government, or the IRDAI, if they are compelled by law, after taking due consent of the provider of such data.
DATA PRIVACY CONCERNS FOR INSURANCE
1. Data Portability
One of the biggest challenges that the insurance industry might face is the concept of data portability. The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Thus, the data subjects have a right to transmit that data to another controller. This right stems out of the idea of ‘consent’, which is a pivotal aspect in the area of data privacy.
Insurers must not only develop processes to supply personal data to data subjects and competitors in an appropriate and secure manner within the specified time but also, they must implement processes to receive personal data from competitors. The receiving insurer is also responsible for ensuring that the personal data obtained is both necessary and not excessive for the processing purpose.
Any personal data received that has no connection to the new processing’s purpose should not be kept or processed. Portable data processing should be limited to the related product or policy. The challenge here for the insurance company being that there may be different types of data that are relevant and not excessive for the different policies.
Consent is proving to be one of the most difficult aspects for the insurance industry, particularly when it comes to the processing of personal and sensitive personal data. Consent cannot be assumed; it must be freely given, explicit, informed, unambiguous, and positive, with no undue influence. This becomes very technical and tedious just not for the insurers, but also for the insured.
Health information is considered sensitive, although gathering it is evidently necessary for underwriting and performing a variety of insurance contracts. Hence, the handling of health information becomes very tricky, and its processing without breaching data privacy norms becomes a challenge.
Another difficulty with consent arises when personal data is currently being processed for minors and parental approval is the only legal basis for processing.
Lastly, one of the major challenges emerging in the insurance industry is that of third-party transparency. Meaning that data is not always just buy the insurer, even certain third-parties and intermediates are involved in the transmission, acquiring, possessing, and processing of customer’s data. Hence, all the data protection obligations imposed upon the insurer have to be imposed upon such third-parties. Thus, ensuring the compliance of data protection by third-parties becomes very difficult. Given these challenges, it is important to understand what might be its solutions.
Insurers may discriminate data in the issuance of insurance contracts and risk pricing. This is especially relevant in terms of genetic data. Genetic data may be used by an insurer to refuse insurance to a particular person. The Right to Privacy should be expanded in order to safeguard a person’s sensitive personal data such as health or genetic data.
The Delhi High Court in the case of United India Insurance Company Limited v Jai Prakash Tayal, (2018) 247 DLT 379, emphasized the need for a framework to ensure confidentially of genetic information and prevent genetic discrimination.
It was observed that insurance companies cannot use genetic disorders as a general exclusion in insurance contracts under the guise of freedom to contract. After this decision, IRDAI directed insurance companies to not include genetic disorders as one of the exclusions while granting health insurance policies. However, there is still no framework to ensure the confidentiality of such data.
3. Data theft
If the personal and sensitive data received from customers are not properly encrypted and secured, the same can be misused to inflict harm on such individuals.
- Financial loss
Data theft leads to the exploitation of data in order to financially harm individuals. With new technologies, it has become even easier to fraud people.
- Risk of Reputational Damage
A customer’s information may be accidentally used in a way that harms their reputation. This is especially true for health information.
PROPOSED SOLUTIONS FOR THESE CONCERNS
The following are the solutions that the insurance sector should adopt in order to ensure smooth compliance with the data protection norms and regime. They are:
i. The customers should be given the right to get information of the status of the processing of their data, and to seek the grounds for which their data is being processed and till what extent. A form or policy can be issued by IRDAI that all the insurance companies have to give their customers every time they seek a policy, and such a form shall illustrate the rights of the customers pertaining to the data and all the ancillary things associated with data protection.
ii. The customers should be given the chance to access information of the entities who are accessing their data and the right to see the identity of the data fiduciaries with whom their personal data has been shared, as well as the categories of personal data shared with them, all in one place.
iii. The nominee/legal heir/legal representative shall also be given the same rights as that of the data subject.
iv. The customer should be given the option to delete the data or reduce the amount of data that is being shared.
v. The insurance sector shall adopt a common template of seeking consent from their customers over their data.
vi. Hefty fines for non-compliance to be imposed upon the third-party entities involved.
vii. A specific regulation shall be introduced for governing Data Portability.
The underlying objective of all the aforementioned regulations is to encourage good data practices and retain customer trust in the insurance businesses. Instead of treating it as a mere compliance task, companies should welcome the newly introduced regulations as a great opportunity for them to win customer trust and gain competitive advantages.
Though insurers may be acutely impacted by the upcoming Bill or any other Data Privacy Regulation, their path to compliance is similar to any other impacted sector: revisiting systems and processes to assess readiness for compliance with any legislation and ensuring the incorporation of mechanisms to fill any compliance loopholes.
This goes on to show that insurance companies have to be more aware of and in control of the data they process and share, and they have to be answerable as to why are they sharing such data, with whom they are sharing, what is the utmost need to access and/or retain such personal data. Accountability should be kept in place for dealing with the issue of use and sharing of the data acquired by the insurer with a third-party.
– Team AMLEGALS assisted by Mr. Alay Raje (Intern)
For any query or feedback, please feel free to get in touch with email@example.com or firstname.lastname@example.org