Regulatory framework

28.6 As discussed in Chapter 25, a contract of insurance is one of ‘utmost good faith’: an applicant for insurance has a duty at common law[3] and under legislation[4] to disclose to the insurer all information that is known, or which reasonably ought to be known, to be relevant to the insurer. As a result, insurers can and do collect a great deal of health information, including some genetic information, from applicants. The privacy of that information was formerly regulated solely by industry standards; it is now regulated by statute and supplemented by industry standards.

Before 21 December 2001

28.7 Prior to 21 December 2001, when the Privacy Amendment (Private Sector) Act 2000 (Cth) came into force in relation to the private sector, the insurance industry was essentially self-regulating in relation to the principles governing the collection, storage, use and disclosure of personal information. It appears that self-regulation was generally effective in protecting information privacy. In a 1996 Information Paper on the privacy implications of genetic testing, the then Federal Privacy Commissioner found that:

life insurance companies put considerable emphasis on protecting the confidentiality of personal information and complaints about improper handling of information do not appear to be a major focus of dissatisfaction with industry practice.[5]

28.8 More recently, but prior to 21 December 2001, the Financial Industry Complaints Service (FICS) commented on the low number of complaints in the industry with respect to privacy. In a letter to IFSA, FICS stated that:

Complaints about specific breaches of privacy by our life insurance company members are low. However, the Service has received a number of complaints related to disputed claims where the complainant has raised a privacy issue, such as an objection to the insurer seeking information from old medical records. It is not possible to determine the exact number of complaints the Service has received containing such an associated privacy issue. However, I have consulted our long standing staff members who have advised such complaints would only be in the vicinity of 2 to 3 per year.[6]

28.9 IFSA noted in its submission to the Inquiry that:

The life insurance industry has a long history of collecting medical and personal information for use in underwriting whilst at the same time safeguarding the individual’s privacy. This has been demonstrated by the way in which the industry has managed the highly sensitive information associated with underwriting for HIV/AIDS.[7]

28.10 The ICA notes on its website that:

[The general insurance industry] was first among private sector groups to adopt the National Principles for the Fair Handling of Personal Information, a voluntary set of information privacy principles for the private sector issued by the federal Privacy Commissioner in February 1998. At the same time the industry set up an independent complaints handling, monitoring and enforcement scheme to support the effective operation of the National Principles. The scheme (called the ‘General Insurance Information Privacy Principles’) was formally launched by the federal Attorney-General in August 1998.[8]

Since 21 December 2001

28.11 Since 21 December 2001, the collection, use, storage and disclosure of an applicant’s or insured’s personal information by private sector insurers has been regulated by the Privacy Act. Under these provisions, the National Privacy Principles (NPPs) apply to insurers unless they choose to be bound by a privacy code that has been approved by the Privacy Commissioner and provides an equivalent level of protection.

28.12 The ICA was the first private sector organisation to develop a privacy code and to have it approved and listed on the Register of Approved Privacy Codes under s 18BG of the Privacy Act. The Code is based on the General Insurance Information Privacy Principles, with some additions and modifications to meet the new legislative requirements. The General Insurance Information Privacy Code was approved on 17 April 2002. It applies to general insurance business, which, as discussed in Chapter 25, includes some insurance products in which an applicant’s health information is collected and used for underwriting.[9]

28.13 As discussed in Chapter 7, the NPPs do not apply to certain small business operators.[10] Although insurance companies are unlikely to fall within this exemption (by reason of their high annual turnover), the situation in relation to insurance brokers and agents is not as straightforward. In its submission, the OFPC noted that:

Insurance is now covered by the private sector amendments to the Act, unless some entities within the industry can bring themselves within the small business exemption. For the most part, however, insurance agents and brokers will be either traders in personal information or related bodies in the terms of section 6D of the Act and hence will be subject to the Act.[11]

28.14 The Inquiry notes, however, that even traders in personal information are exempt from the Privacy Act in some circumstances, for example, if they disclose personal information only with the consent of the individual concerned or as required or authorised by legislation.[12]

28.15 In Chapter 7 the Inquiry expressed the view that all small business operators who collect, use or disclose genetic information should be subject to the provisions of the Privacy Act. Recommendation 7–7 has been framed to address this gap in the coverage of federal privacy law, and would apply, if adopted, to small business operators in the field of insurance.

28.16 In addition to the role of federal legislation, the privacy of genetic information in underwriting is regulated by industry standards. For example, in 2001 IFSA issued a Genetic Testing Policy for its members, which is described in more detail in Chapter 25. The policy applies to genetic tests, as defined in the policy, but does not extend to genetic information in the form of family medical history. Several provisions in the Genetic Testing Policy are directed to privacy issues, including the following:

6 Insurers will ensure that results of existing genetic tests are only obtained with the written consent of the tested individual.

7 The results of genetic tests will only be used in the assessment of an insurance application in respect of the individual on whom the test was conducted. The result will not be used in the assessment of insurance applications of relatives of the tested individual.

8 Insurers will ensure that strict standards of confidentiality apply to the handling and storage of the results of genetic tests.

9 Access to the results of genetic tests in a form identifiable to particular individuals will be restricted to the insurer’s underwriters and reinsurers. The results will be made available to other third parties only with the written authorisation of the applicant/insured or in the normal course of discovery during legal proceedings.[13]

Adequacy of regulatory framework

28.17 Submissions received by the Inquiry did not identify major problems in the legal framework for protecting genetic information collected by the insurance industry. The OFPC expressed the view that:

As previously argued in this submission, the privacy protection framework for personal information across the private sector, including the insurance industry, is fundamentally sound.[14]

28.18 The Centre for Law and Genetics observed:

The new private sector privacy laws and arrangements, although as yet largely untested in view of their recent commencement, appear to provide quite a satisfactory framework for the protection of privacy interests in general. They are, of course, not specially geared to the protection of genetic information, although for most practical purposes, this category of information would be covered within the definition of health information which is recognized under the legislation as being a particularly sensitive form of information …

Notably, although there have been ongoing concerns about the use by insurers of genetic test information, few, if any, complaints have been heard regarding insurers’ failure to adequately protect the privacy of this information.[15]

28.19 The Inquiry considers that the basic framework for privacy protection in the insurance context is satisfactory. However, a number of specific issues were raised which require further consideration. These issues are discussed in the following sections and relate to:

    • the quality of consent to collection and use of genetic information by insurers;

    • the collection of family medical history by insurers; and

    • the sharing of information between related insurance organisations.

[3] Carter v Boehm (1766) 3 Burr 1905, 1909 (Mansfield LJ).

[4] Insurance Contracts Act 1984 (Cth) s 21. See also Australian Law Reform Commission, Review of the Marine Insurance Act 1909, Report 91 (2001), ALRC, Sydney Ch 10.

[5] Federal Privacy Commissioner, The Privacy Implications of Genetic Testing (1996), OFPC, Sydney, 40.

[6] Investment and Financial Services Association, Submission G049, 14 January 2002.

[7] Ibid.

[8] Insurance Council of Australia, Submission G010, 27 June 2001.

[9] See ICA website: Insurance Council of Australia, Privacy Code, <www.ica.com.au/privacyprinciples/>, 20 February 2003.

[10] Privacy Act 1988 (Cth) s 6C.

[11] Office of the Federal Privacy Commissioner, Submission G143, 22 March 2002.

[12] Privacy Act 1988 (Cth) s 6D(7).

[13] Investment and Financial Services Association, IFSA Standard 11.00 ‘Genetic Testing Policy’ (2002), IFSA.

[14] Office of the Federal Privacy Commissioner, Submission G143, 22 March 2002.

[15] Centre for Law and Genetics, Submission G048, 14 January 2002.