Briefing
Data privacy regulation: Spotlight on Hong Kong insurers

Summary

Two recent regulatory initiatives will place the Hong Kong insurance industry's use and handling of personal data under greater scrutiny, for both front office marketing activities and back office processing.

The Hong Kong Privacy Commissioner for Personal Data has published guidelines, Guidance on the Proper Handling of Customers' Personal Data for the Insurance Industry: http://www.pcpd.org.hk/english/publications/files/gn_insurance_e.pdf

At the same time, the Insurance Authority has issued a guidance note on outsourcing that insurers are required to observe from 1 January 2013: http://www.oci.gov.hk/download/gn14.pdf

Both sets of guidelines impose important constraints on data handling by Hong Kong insurance companies.

For more information please contact
Mark Parsons
Partner, Hong Kong
T +852 2846 3341
E mark.parsons@freshfields.com

Freshfields Bruckhaus Deringer llp

The Data Handling Guidelines: insurance industry-specific regulation

Amendments in July 2012 to the Personal Data (Privacy) Ordinance (the PDPO) saw increased data privacy requirements in Hong Kong across all business sectors. Of key importance to insurers, the PDPO introduced stricter controls on direct marketing (ie businesses using their own data to market to individuals) and on cross-marketing (ie one business transferring data to another business for marketing purposes). These reforms will come into force on a date to be fixed by the government, expected to be no later than 1 April 2013.

The publication by the Hong Kong Privacy Commissioner for Personal Data (PCPD) of insurance industry-specific guidance (the Data Handling Guidelines) reflects the importance and sensitivity of the use of personal data in the sector. It may also reflect the discovery, in the Octopus Rewards cross-marketing affair of 2010 (which gave impetus to stricter regulatory controls), that a number of insurance companies were recipients of data.

Fully-informed consent

The Data Handling Guidelines set out the steps that Hong Kong insurers are required to take to produce terms and conditions and privacy policies that are clearer for consumers. Application forms and policies will need to be presented in legible formats using understandable wording, and must specify more clearly the purposes for which the personal data will be used and the classes of companies to which the data may be disclosed.

Direct marketing controls

Direct marketing controls are at the heart of the 2012 amendments to the PDPO. The Data Handling Guidelines track these requirements specifically. Customers and potential customers must be informed, orally or in writing, that their personal data will be used for direct marketing and of the kinds of products and services that will be marketed.

When the insurance institution uses the personal data in direct marketing (eg during marketing calls) for the first time, it must notify the customer of their right to opt out from their personal data being used for future direct marketing. Customers who exercise their right to opt out must be placed on an opt-out list for counter-checking in future marketing activities.

Cross-marketing controls: significant impact on bancassurance arrangements

Insurers are often recipients of customer data transferred through bancassurance arrangements and other marketing alliances. The 2012 amendments to the PDPO will impose strict standards of disclosure for such arrangements, including a requirement that transferors disclose whether they are receiving commercial remuneration for the data.

In a bancassurance model where the bank markets the insurance products itself, transfers of personal data to insurers are less likely to occur. However, many bancassurance models reflect the commercial reality that insurers are more able and better motivated to market insurance products. Insurers, therefore, seek transfers of banks' databases for data mining and marketing purposes. Going forward, banks will have to provide personal information collection statements to customers notifying them, in relatively specific terms, that insurance companies are among the third party classes to which the data will be transferred and that compensation will be paid.

In the wake of the Octopus Rewards affair, the PCPD will take a dim view of secondment arrangements and other operational structures that blur the distinction between bank employees and insurer employees making marketing approaches to consumers. These models have been used in the past to avoid outright data transfers from banks to insurance companies. To the extent the use of these models misleads consumers, the PCPD will most likely take action. Hong Kong insurers must now examine whether a bank or alliance partner can actually disclose personal data under the bancassurance arrangements in a manner that complies, and whether the bancassurance model falls within the designated scope notified to customers in the bank's terms and conditions and privacy policy.

Excessive collection of data

The Data Handling Guidelines also instruct insurers to consider carefully whether each item of customer data is actually necessary for the disclosed purposes. For example, in an insurance claim it may not be necessary to collect medical data about unrelated ailments or injuries unless the insurance institution can show the data is relevant to the current medical expenses insurance claim.

Individuals' Hong Kong Identity Card (HKIC) numbers, or other personal identifiers, must not be collected except to correctly identify the individual for a purpose that is in the individual's own interests, to prevent harm to another person, or to prevent damage or loss that is not trivial to the insurer. For example, an insurer can collect a customer's or beneficiary's HKIC number to ensure that an insurance claim payment is made to the correct person.

Data security

The Data Handling Guidelines direct insurers to carefully scrutinise their security procedures for personal data. For example, mail should be marked "private and confidential" if intended to be read only by the designated recipient, and should be sent in sealed envelopes without sensitive data (eg the HKIC number) visible through the envelope window. Where customers' personal data is sent by email, encryption, confidential mail boxes or access passwords should be used for transmission.

Data retention

The Data Handling Guidelines require insurers to evaluate retention periods for data taking into consideration the specific context. In general, data should not be retained for longer than is reasonably necessary to satisfy the stated purposes of collection, subject to any relevant statutory requirements (eg the retention periods set out in the Anti-Money Laundering Ordinance). The Data Handling Guidelines direct that insurers should generally retain customers' personal data for no more than seven years after the end of the business relationship (eg the expiry of the customer's insurance policy) to comply with accounts-keeping and records requirements or to address potential litigation.

Shorter or longer retention periods may be appropriate for different types of personal data. Insurers should consider for each case what is suitable. For example, the recommended retention period for personal data from unsuccessful insurance applications involving money transactions is not more than seven years. Where no money transactions are involved, a retention period of two years is considered sufficient.

Liability for private investigators

The Data Handling Guidelines specifically address insurers' liability for any breaches of the PDPO by private investigators engaged for claims assessment purposes. The investigators' acts and omissions are deemed to be those of the instructing insurer for the purposes of compliance.

Outsourcing and shared services

The Insurance Authority's guidance note to the insurance industry on outsourcing (the Outsourcing Guidelines) sets out other measures that insurers are expected to take for any material outsourcing arrangement, that is, where an authorized insurer engages another entity (including an affiliate) to perform a function or service it would otherwise perform itself. An outsourcing is deemed material if there is potential for a significant impact on the insurer's financial position, business operations, reputation or ability to meet its obligations to policyholders or to comply with its legal and regulatory requirements, should the outsourced function be disrupted.

The Outsourcing Guidelines apply to any new outsourcing arrangements from 1 January 2013. For existing outsourcing arrangements, insurers must provide the Insurance Authority with details of the outsourcing and a copy of the outsourcing agreement before 31 January 2013. Insurers must also carry out a materiality and risk assessment of the outsourcing before 30 March 2013 and correct any failings before 31 December 2013.

Requirements for outsourcing agreements

The Outsourcing Guidelines require insurers to enter into written outsourcing agreements with their service providers and to consider specific terms in the agreement, including:

- performance standards and contractual means of effectively monitoring and enforcing performance;
- data, intellectual property and asset ownership rights;
- sub-contracting controls;
- arrangements for the insurer, its auditors, actuaries and the Insurance Authority to have access to books, records and facilities;
- contingency planning, business continuity and disaster recovery; and
- arrangements to deal with access to intellectual property rights and data upon termination or expiry of the agreement.

The Outsourcing Guidelines state that outsourcing agreements should preferably be governed by Hong Kong law.

The Outsourcing Guidelines apply to intra-group services and shared services arrangements as well as to outsourcings to third party vendors. The standards for contractual documentation in intra-group arrangements are lower: a memorandum of understanding properly endorsed by the insurer's board of directors may be acceptable in lieu of a formal contract.

Going forward, insurers are required to notify the Insurance Authority at least three months before entering into a new material outsourcing arrangement, or significantly varying an existing one. The notification should be submitted along with a detailed description of the proposed outsourcing arrangement.

Offshoring from Hong Kong

Insurers should evaluate additional factors if they are contemplating offshoring services from Hong Kong. Country risks, including the social, economic and political conditions of the outsourcing jurisdiction, should be assessed. The rights of an overseas authority to access the insurer's data must also be considered. Where an overseas authority requests access to the insurer's customer data, the insurer must notify the Insurance Authority. In light of the potential added risks in overseas outsourcing, insurers must consider informing customers of their decision to offshore services and of any overseas authorities' rights to access their data.

Data security breaches

Insurers are required to notify the Insurance Authority of any unauthorized access or data breach by a service provider or its subcontractors that affects the insurer or its customers. Insurers remain ultimately accountable and liable for all outsourced services, including the service provider's actions and its compliance with applicable laws.

Conclusions

The Data Handling Guidelines and Outsourcing Guidelines are important new requirements that demonstrate increased scrutiny of insurance operations in Hong Kong. Although many of the requirements in the guidelines are already found in the general requirements of the PDPO, the PCPD's targeting of the insurance industry in Hong Kong for special treatment must be carefully evaluated. Insurers are recommended to review their data processing policies, procedures and privacy policies. They should also ensure that proper formalities are applied to outsourcing and shared services arrangements. Bancassurance and other insurance marketing arrangements need to be reviewed to assess compliance with the new requirements.

freshfields.com

Freshfields Bruckhaus Deringer llp is a limited liability partnership registered in England and Wales with registered number OC334789. It is authorised and regulated by the Solicitors Regulation Authority. For regulatory information please refer to www.freshfields.com/support/legalnotice. Any reference to a partner means a member, or a consultant or employee with equivalent standing and qualifications, of Freshfields Bruckhaus Deringer llp or any of its affiliated firms or entities. This material is for general information only and is not intended to provide legal advice.