What kinds of personal information does IRS collect and hold?
The kinds of personal information that IRS may collect and may hold include contact details, employment history, date of birth, driver’s license number, details of insurance claims, details of third parties involved in claims, and other information that is relevant to its functions or activities.
The IRS may also collect, hold, use and disclose some sensitive information about individuals as set out in the section entitled Sensitive information.
The ICA collects personal information for purposes directly related to its functions or activities, including:
- prevention of insurance fraud where the intent in using the IRS Database is to provide added information to confirm the accuracy of information provided by applicants;
- management of insurance claims where the intent in using the IRS Database is to analyse claims and the management of claim payments;
- assessment of risk where the intent in using the IRS Database is to provide complete information to enable insurers to assess material and moral risk;
- benchmarking analysis to show how an individual IRS Member is performing against industry norms (not against named IRS Members as competitors); and
- identity verification.
The IRS may collect, hold, use and disclose sensitive information about individuals such as mental and physical health, disability, racial or ethnic origin, criminal convictions or religious or political affiliation, either directly from the individuals or from third parties in connection with processing and dealing with information received from the public to help combat insurance fraud.
The IRS may also collect, hold and use sensitive information about individuals directly from individuals when they contact the IRS in connection with its functions and activities. However, any such collection is with the consent of such individuals. Any such sensitive information is only retained on an aggregated basis by the IRS and the individuals are not identifiable.
How does the IRS collect and hold personal information?
The IRS collects personal information directly from insurance company members as part of policy holder claim history data. This information is provided to IRS in accordance with each member’s Privacy Statements and Privacy Policies.
The IRS collects personal information directly from individuals through their use of the website and when they contact the IRS by email, telephone, in person or otherwise in connection with the IRS's services, functions or activities.
Who has access to personal information collected by IRS?
Use of the IRS Database is restricted to:
- authorised employees and representatives of IRS members including those engaged in underwriting, loss assessment and claims management;
- those law enforcement authorities, who are authorised by the Board of IRS to use the IRS Database pursuant to Legally Enforced Access; and
- an individual in relation to their own My Insurance Claims Report.
IRS Member Obligations
The IRS Member must (and must procure that its Representatives), with respect to Personal Information collected, held, used or disclosed under or in connection with the IRS Membership Deed:
- act, in accordance with the Privacy Law and IRS' privacy policies as notified to the Member from time to time in dealing with any Personal Information provided to the Member to or acquired by the Member from the IRS Database;
- not, collect, use or disclose any Personal Information for any purpose other than fulfilling the Member's obligations under this deed;
- take such steps as are necessary to ensure that all Personal Information collected by it or disclosed to the IRS Database is accurate, up to date and complete and, for the purpose of disclosure, relevant;
- ensure, in respect of any Personal Information it discloses to IRS, that it takes reasonable steps to ensure that the subject of the Personal Information (the Individual) is aware of all matters which are prescribed by the Australian Privacy Principles under the Privacy Law;
- not use or disclose any Personal Information collected from the IRS Database for the purpose of direct marketing;
- not allow, or permit access to, or transfer any Personal Information collected from the IRS Database or which has been collected, accessed or used by the Member with the consent of IRS, outside of Australia, unless it has first obtained IRS' approval in writing;
- take such steps as are reasonable in the circumstances, to destroy or de-identify Personal Information collected by it from the IRS Database once the Member no longer needs it for the purpose for which it was collected or used by the Member, unless otherwise required by Law to retain such Personal Information;
- co-operate with IRS or any other IRS Member to resolve any complaint made under any Privacy Law and in relation to any request by an Individual for access to or correction of Personal Information held by the Member in connection with the IRS Database; and
- co-operate with any reasonable requests or directions of IRS concerning the storage, security, use and disclosure of Personal Information.
The IRS may uses "cookies" on the Website. A cookie is a small amount of information which is transferred to the hard drive of your computer and which can identify your web browser but not you. Individuals can disable their web browsers from accepting cookies. If you do so, you can still access the Website, but not all services may be available.
How the IRS holds, uses and discloses personal information
The IRS holds personal information in a secure online database. It may also hold electronic copies of documents containing personal information (e.g. queries, complaints, forms and other relevant documents) in a secure online database.
Where it holds personal information electronically, such information can only be accessed by authorised IRS staff using personal accredited passwords.
The keeping of personal information in hard copy is not encouraged by the IRS. Information is held in hard copy only for a reasonable time as necessary and stored securely. All ICA premises are protected by security access.
The IRS only holds and uses personal information for purposes directly related to its functions or activities or for the purposes for which the information was originally collected or otherwise in accordance with the Australian Privacy Principles.
Disclosure of personal information
The IRS may disclose personal information provided to it, to the following third parties:
- members of the IRS, such as insurance companies, to process queries or complaints received by the IRS from individuals;
- Federal, State or Territory police authorities and agencies;
- the IRS's staff for the purposes of their work responsibilities; and
- other third parties providing law enforcement or administrative services.
The disclosure of personal information in the circumstances outlined in sections (a) to (d) above may include the disclosure of sensitive information.
The IRS does not generally disclose personal information to overseas recipients and will only do so in accordance with the Australian Privacy Principles.
Accessing and correcting personal information held by the IRS
Individuals may access personal information about them that is held by the IRS by ordering their own My Insurance Claims Report.
Individuals may make or seek changes to that information, by contacting their insurer in relation to information concerning an insurance claim, or an individual can email IRS@insurancecouncil.com.au.
If the IRS does not agree to provide access to personal information or to amend or annotate the information we hold about an individual, the relevant individual may seek a review of the IRS's decision.
Individuals can send written complaints about a breach of the Australian Privacy Principles in relation to their personal information to IRS@insurancecouncil.com.au or to The Privacy Officer, Insurance Reference Services Limited, Level 4, 56 Pitt Street, Sydney NSW 2000.
Complaints will be reviewed by our Privacy Officer and a written response will usually be provided within 30 days of receipt of the complaint by the ICA.
If an individual believes that his or her complaint has not been satisfactorily addressed by the ICA, after following the procedure set out above, he or she can make a complaint to the Office of the Information Commissioner (OAIC). The OAIC's contact details are available on its website.