Briefing
Data privacy regulation: Spotlight on Hong Kong insurers

Summary
Two recent regulatory initiatives will place the Hong Kong insurance industry's use and handling of personal data under greater scrutiny, for both front-office marketing activities and back-office processing. The Hong Kong Privacy Commissioner for Personal Data has published guidelines, Guidance on the Proper Handling of Customers' Personal Data for the Insurance Industry:
http://www.pcpd.org.hk/english/publications/files/gn_insurance_e.pdf
At the same time, the Insurance Authority has issued a guidance note on outsourcing that insurers are required to observe from 1 January 2013:
http://www.oci.gov.hk/download/gn14.pdf
Both sets of guidelines impose important constraints on data handling by Hong Kong insurance companies.

For more information please contact
Mark Parsons, Partner, Hong Kong
T +852 2846 3341
E mark.parsons@freshfields.com

Freshfields Bruckhaus Deringer llp
The Data Handling Guidelines: insurance industry-specific regulation
Amendments in July 2012 to the Personal Data (Privacy) Ordinance (the PDPO) increased data privacy requirements in Hong Kong across all business sectors. Of key importance to insurers, the PDPO introduced stricter controls on direct marketing (ie businesses using their own data to market to individuals) and on cross-marketing (ie one business transferring data to another business for marketing purposes). These reforms will come into force on a date to be fixed by the government, expected to be no later than 1 April 2013.

The Hong Kong Privacy Commissioner for Personal Data (PCPD)'s publication of insurance industry-specific guidance (the Data Handling Guidelines) reflects the importance and sensitivity of the use of personal data in the sector. It may also reflect the discovery, in the Octopus Rewards cross-marketing affair of 2010 (which gave impetus to stricter regulatory controls), that a number of insurance companies were recipients of the data.

Fully-informed consent
The Data Handling Guidelines set out the steps that Hong Kong insurers are required to take to produce terms and conditions and privacy policies that are clearer for consumers. Application forms and policies will need to be presented in legible formats using understandable wording, and must specify more clearly the purposes for which personal data will be used and the classes of companies to which the data may be disclosed.

Direct marketing controls
Direct marketing controls are at the heart of the 2012 amendments to the PDPO, and the Data Handling Guidelines track these requirements specifically. Customers and potential customers must be informed, orally or in writing, that their personal data will be used for direct marketing and of the kinds of products and services that will be marketed.
When the insurance institution uses personal data in direct marketing (eg during marketing calls) for the first time, it must notify the customer of their right to opt out of their personal data being used for future direct marketing. Customers who exercise their right to opt out must be placed on an opt-out list for counter-checking in future marketing activities.

Cross-marketing controls: significant impact on bancassurance arrangements
Insurers are often recipients of customer data transferred through bancassurance arrangements and other marketing alliances. The 2012 amendments to the PDPO will impose strict standards of disclosure for such arrangements, including a requirement that transferors disclose whether they are receiving commercial remuneration for the data. In a bancassurance model where the bank markets the insurance products itself, transfers of personal data to insurers are less likely to occur. However, many bancassurance models reflect the commercial reality that insurers are more able and better motivated to market insurance products; insurers therefore seek transfers of banks' databases for data mining and marketing purposes. Going forward, banks will have to provide personal information collection statements to customers notifying them, in relatively specific terms, that their data will be disclosed to insurance companies among the third-party classes to which the data will be transferred, and that compensation will be paid.
In the wake of the Octopus Rewards affair, the PCPD will take a dim view of secondment arrangements and other operational structures that blur the distinction between bank employees and insurer employees making marketing approaches to consumers. These models have been used in the past to avoid outright data transfers from banks to insurance companies. To the extent that the use of these models misleads consumers, the PCPD will most likely take action. Hong Kong insurers must now examine whether a bank or alliance partner can actually disclose personal data under the bancassurance arrangements in a compliant manner, and whether the bancassurance model falls within the designated scope notified to customers in the bank's terms and conditions and privacy policy.

Excessive collection of data
The Data Handling Guidelines also instruct insurers to consider carefully whether each item of customer data is actually necessary for the disclosed purposes. For example, in an insurance claim it may not be necessary to collect medical data about unrelated ailments or injuries unless the insurance institution can show that the data is relevant to the current medical expenses insurance claim. Individuals' Hong Kong Identity Card (HKIC) numbers, or other personal identifiers, must not be collected except to correctly identify the individual for a purpose that is in the individual's own interests, to prevent harm to another person, or to prevent damage or loss to the insurer that is not trivial. For example, an insurer can collect a customer's or beneficiary's HKIC number to ensure that an insurance claim payment is made to the correct person.

Data security
The Data Handling Guidelines direct insurers to scrutinise carefully their security procedures for personal data.
For example, mail should be marked "private and confidential" if it is intended to be read only by the designated recipient, and should be sent in sealed envelopes without sensitive data (eg the HKIC number) visible through the envelope window. Where customers' personal data is sent by email, encryption, confidential mailboxes or access passwords should be used for transmission.

Data retention
The Data Handling Guidelines require insurers to evaluate retention periods for data, taking into consideration the specific context. In general, data should not be retained for longer than is reasonably necessary to satisfy the stated purposes of collection, subject to any relevant statutory requirements (eg the retention periods set out in the Anti-Money Laundering Ordinance). The Data Handling Guidelines direct that insurers should generally retain customers' personal data for no more than seven years after the end of the business relationship (eg the expiry of the customer's insurance policy) to comply with accounts-keeping and records requirements or to deal with potential litigation. Shorter or longer retention periods may be appropriate for different types of personal data, and insurers should consider in each case what is suitable. For example, the recommended retention period for personal data from unsuccessful insurance applications involving money transactions is not more than seven years; where no money transactions are involved, a retention period of two years is considered sufficient.
Liability for private investigators
The Data Handling Guidelines specifically address insurers' liability for any breaches of the PDPO by private investigators engaged for claims assessment purposes. The investigators' acts and omissions are deemed to be those of the instructing insurer for the purposes of compliance.

Outsourcing and shared services
The Insurance Authority's guidance note to the insurance industry on outsourcing (the Outsourcing Guidelines) sets out other measures that insurers are expected to take for any material outsourcing arrangement, where an authorized insurer engages another entity (including an affiliate) to perform a function or service it would otherwise perform itself. An outsourcing is material if disruption of the outsourced function could have a significant impact on the insurer's financial position, business operations, reputation or ability to meet its obligations to policyholders or to comply with its legal and regulatory requirements.

The Outsourcing Guidelines apply to any new outsourcing arrangement from 1 January 2013. For existing outsourcing arrangements, insurers must provide the Insurance Authority with details of the outsourcing and a copy of the outsourcing agreement before 31 January 2013. Insurers must also carry out a materiality and risk assessment of the outsourcing before 30 March 2013 and correct any failings before 31 December 2013.
Requirements for outsourcing agreements
The Outsourcing Guidelines require insurers to enter into written outsourcing agreements with their service providers and to consider specific terms in the agreement, including:
- performance standards and contractual means of effectively monitoring and enforcing performance;
- data, intellectual property and asset ownership rights;
- sub-contracting controls;
- arrangements for the insurer, its auditors, its actuaries and the Insurance Authority to have access to books, records and facilities;
- contingency planning, business continuity and disaster recovery; and
- arrangements to deal with access to intellectual property rights and data upon termination or expiry of the agreement.
The Outsourcing Guidelines state that outsourcing agreements should preferably be governed by Hong Kong law.

The Outsourcing Guidelines apply to intra-group services and shared services arrangements as well as to outsourcings to third-party vendors. The standards for contractual documentation in intra-group arrangements are lower: a memorandum of understanding properly endorsed by the insurer's board of directors may be acceptable in lieu of a formal contract.

Going forward, insurers are required to notify the Insurance Authority at least three months before entering into a new material outsourcing arrangement, or significantly varying an existing one. The notification should be submitted along with a detailed description of the proposed outsourcing arrangement.
Offshoring from Hong Kong
Insurers should evaluate additional factors if they are contemplating offshoring services from Hong Kong. Country risks, including the social, economic and political conditions of the outsourcing jurisdiction, should be assessed. The rights of an overseas authority to access the insurer's data must also be considered. Where an overseas authority requests access to the insurer's customers' data, the insurer must notify the Insurance Authority. In light of the potential added risks in overseas outsourcing, insurers must consider informing customers of their decision to offshore services and of any overseas authorities' rights to access their data.

Data security breaches
Insurers are required to notify the Insurance Authority of any unauthorized access or data breach by a service provider or its subcontractors that affects the insurer or its customers. Insurers remain ultimately accountable and liable for all outsourced services, including the service provider's actions and its compliance with applicable laws.

Conclusions
The Data Handling Guidelines and the Outsourcing Guidelines are important new requirements that demonstrate increased scrutiny of insurance operations in Hong Kong. Although many of the requirements in the guidelines are already found in the general requirements of the PDPO, the PCPD's singling out of the insurance industry in Hong Kong for specific treatment must be carefully evaluated. Insurers are recommended to review their data processing policies, procedures and privacy policies. They should also ensure that proper formalities are applied to outsourcing and shared services arrangements. Bancassurance and other insurance marketing arrangements need to be reviewed to assess compliance with the new requirements.

freshfields.com
Freshfields Bruckhaus Deringer llp is a limited liability partnership registered in England and Wales with registered number OC334789. It is authorised and regulated by the Solicitors Regulation Authority. For regulatory information please refer to www.freshfields.com/support/legalnotice. Any reference to a partner means a member, or a consultant or employee with equivalent standing and qualifications, of Freshfields Bruckhaus Deringer llp or any of its affiliated firms or entities. This material is for general information only and is not intended to provide legal advice.