Australia’s most important legal framework around privacy, the Privacy Act 1988, is currently under review.
Details of any proposed changes to the legislation won’t be finalised for some time; however, it’s clear from the most recent discussion paper that they will likely have far-reaching impacts for the insurance industry.
Webinar to highlight review impacts
Like any organisation that collects and uses large volumes of customer data, insurers must comply with the legislative framework or risk being penalised.
Unlike in other industries, however, any changes to Australia’s Privacy Act will likely have implications for the products insurers sell, particularly for those insurers that offer cyber cover.
On 15 June, ANZIIF is hosting a webinar, ‘Impacts from the Privacy Act Review’, which brings together two experts from complementary fields to share their insights.
Jonathan Cohen, a principal at Taylor Fry, leads advanced analytics projects requiring broad stakeholder engagement across several industries including insurance, where he helps insurers to use their data more effectively.
Alison Baker, a partner — employment and privacy at Hall & Wilcox, has 20 years’ experience advising clients in the private and public sectors on compliance with the complete Australian privacy and data protection legal framework.
We asked them both to outline what we know about the review so far and why certain changes could spell significant limitations for the way insurers use customer data.
How data is collected and used
Insurers collect data through a range of touchpoints, including policy information, claims, website activity, call centre interactions and, increasingly, through digital apps such as loyalty programs.
‘They’re looking to use data to improve operations such as customer service, targeted marketing and fraud detection as well as decisions on pricing and underwriting,’ Cohen says.
‘[Insurers] understand that smart use of data can give them a competitive edge, especially now that customers expect seamless digital interactions whenever they’re online.’
The current legislation generally permits these kinds of activities as long as the company issues a privacy statement explaining how the data will be used. However, three areas of proposed change could impose new limitations.
Strengthening consent requirements
Under the current Privacy Act, insurers need permission to collect and use personal data, particularly outside contract performance.
‘Originally, the proposed changes included a compulsory opt in for all personal information but there’s evidence that very few people would [opt in],’ Cohen says.
‘When Apple gave customers the choice of opting in to cross-app tracking, where one app tracks behaviour across others, fewer than 10 per cent gave permission.
‘The information collected across different trackers creates the foundation for the machine learning and AI models that target digital marketing, so this would have a huge impact on advertising.’
A more recent discussion paper eased back slightly, proposing instead that providers make it very easy for consumers to opt out.
‘It takes a lot of data to build and fine-tune these models so, while this would help, there would still be an impact,’ Cohen says.
‘Either way, the compliance burden would increase, because when you have permission to collect data from some customers and not others, you’re in a very different situation from one where all of your data is subject to the same restrictions.’
What counts as personal information
Under the current legislation, companies can only collect personal information that is considered reasonably necessary for their functions or activities. They must also delete or destroy the information when it’s no longer needed.
‘Proposed changes would expand what is considered to be personal information,’ Baker explains. ‘The more this expands, the more data held by organisations will fall within the coverage of the Privacy Act, so organisations will need to do more to ensure they comply.’
At the moment, personal information covers any information about an identified individual, or an individual who is reasonably identifiable from the information, such as name, phone number and residential address.
‘This could be expanded to include online identifiers such as IP addresses and location data, and also inferred data,’ Cohen says. ‘This is information about everything from health status to political affiliation that a company can infer from data collected from multiple sources such as social media.’
The right to erasure
The European Union’s General Data Protection Regulation (GDPR), which was enacted in 2018, includes a ‘right to erasure’ — the right for individuals to have their data erased under certain circumstances. The review of Australia’s Privacy Act proposes a similar right.
‘Organisations would then need to take more steps to assess what data they’re holding, why they have it and whether they need to act on any requests from individuals to delete or destroy their data,’ Baker says.
Cohen anticipates complications for insurers, particularly when it comes to pricing models.
‘One requirement is to delete information no longer needed for its original purpose,’ he says.
‘The problem is that all models include a lot of historical data, including that which is collected from former customers. In the extreme, removing this would reduce an insurer’s ability to develop fundamentals such as good pricing models.
‘Then there’s the question of whether you would need to delete information from [models] you’ve already built, or even [delete] the models themselves. This wouldn’t be easy — and building any model is a very costly and lengthy exercise.’
Cyber in the spotlight
Of all liability products, cyber security insurance will be most affected by changes to the Privacy Act.
‘Expanding what counts as personal information would increase the volume of information held by those insured that is subject to penalties,’ Cohen says.
‘Penalties are also set to rise. The maximum for serious or repeated breaches of privacy could increase from about A$2 million to the greater of A$10 million, three times the benefit obtained from any misuse of information or 10 per cent of the organisation’s annual domestic turnover.
‘This would have a serious impact on pricing and underwriting in an environment where, following a significant rise in ransomware over the past two years, cyber insurers are already increasing prices, limiting cover and raising deductibles.’
Where to now?
The federal government closed its discussion paper to submissions in January 2022.
‘We’re waiting now to see a final report,’ Baker says. ‘Evolution of privacy law generally gets bipartisan support so the review is likely to go ahead whoever wins the federal election.
‘However, the government would need to create a bill and then put that to parliament, so there’s still a way to go.’
Cohen says he was surprised that, while three of the four major banks and the Insurance Council of Australia lodged submissions to the review, he didn’t see any from the large insurers.
‘It seems that the banking industry is looking at this more closely than insurers,’ he says. ‘This webinar will highlight the review’s importance for insurers and aims to help put it on the industry’s radar.’