What kinds of personal information does IRS collect and hold?
The kinds of personal information that IRS may collect and may hold include contact details (including name, address, mobile number, email address), employment history, date of birth, driver’s license number, details of insurance claims, details of third parties involved in claims, and other information that is relevant to its functions or activities.
The IRS may also collect, hold, use and disclose some sensitive information about individuals as set out in the section entitled Sensitive information.
The IRS collects personal information for purposes directly related to its functions or activities, which includes managing the IRS claims database which is operated to assist IRS Members with:
- prevention of insurance fraud where the intent in using the IRS Database is to provide added information to confirm the accuracy of information provided by applicants;
- management of insurance claims where the intent in using the IRS Database is to analyse claims and the management of claim payments;
- management of claims investigation and loss assessment processes;
- validation of prior claim disclosure at time of quotation and assessment of underwriting risk where the intent in using the IRS Database is to provide complete information to enable insurers to assess material and moral risk;
- benchmarking analysis to show how an individual IRS Member is performing against industry norms (not against named IRS Members); and
- identity verification.
The IRS may collect, hold, use and disclose sensitive information about individuals such as mental and physical health, disability, racial or ethnic origin, criminal convictions or religious or political affiliation, either directly from the individuals or from IRS members or from third parties in connection with processing and dealing with information received from the public to help combat insurance fraud.
The IRS may also collect, hold and use sensitive information about individuals directly from individuals when they contact the IRS in connection with its functions and activities. However, any such collection is with the consent of such individuals. Any such sensitive information is only retained on an aggregated basis by the IRS and the individuals are not identifiable.
How does IRS collect and hold personal information?
The IRS collects personal information directly from IRS members as part of policy holder claim history data. This information is collected and disclosed to IRS in accordance with each member’s Privacy Statements and Privacy Policies.
The IRS collects personal information directly from individuals through their use of the website and when they contact the IRS by email, telephone, in person or otherwise in connection with the IRS's services, functions or activities.
Who has access to personal information collected by IRS?
Use of the IRS Database is restricted to:
- authorised employees and representatives of IRS and IRS members including those engaged in underwriting, fraud detection, investigation, loss assessment and claims management;
- those law enforcement authorities, who are authorised by the Board of IRS to use the IRS Database pursuant to Legally Enforced Access; and
- an individual in relation to their own My Insurance Claims Report.
IRS Member Obligations
The IRS Member must (and must procure that its Representatives), with respect to Personal Information collected, held, used or disclosed under or in connection with the IRS Membership Deed:
- act, in accordance with the Privacy Law and IRS' privacy policies as notified to the IRS Member from time to time in dealing with any Personal Information provided to the IRS Member or acquired by the IRS Member from the IRS Database;
- not, collect, use or disclose any Personal Information for any purpose other than fulfilling the IRS Member's obligations under the Membership Deed;
- take such steps as are necessary to ensure that all Personal Information collected by the IRS Member or disclosed to the IRS Database is accurate, up to date and complete and, for the purpose of disclosure, relevant;
- ensure, in respect of any Personal Information the IRS Member discloses to IRS, that it takes reasonable steps to ensure that the subject of the Personal Information (the Individual) is aware of all matters which are prescribed by the Australian Privacy Principles under the Privacy Law;
- not use or disclose any Personal Information collected from the IRS Database for the purpose of direct marketing;
- not allow, or permit access to, or transfer any Personal Information collected from the IRS Database or which has been collected, accessed or used by the Member with the consent of IRS, outside of Australia, unless it has first obtained IRS' approval in writing;
- take such steps as are reasonable in the circumstances, to destroy or de-identify Personal Information collected by it from the IRS Database once the IRS Member no longer needs it for the purpose for which it was collected or used by the IRS Member, unless otherwise required by Law to retain such Personal Information;
- co-operate with IRS or any other IRS Member to resolve any complaint made under any Privacy Law and in relation to any request by an Individual for access to or correction of Personal Information held by the IRS Member in connection with the IRS Database; and
- co-operate with any reasonable requests or directions of IRS concerning the storage, security, use and disclosure of Personal Information.
The IRS may use "cookies" on the Website. A cookie is a small amount of information which is transferred to the hard drive of your computer and which can identify your web browser but not you. Individuals can disable their web browsers from accepting cookies. If you do so, you can still access the Website, but not all services may be available.
How IRS holds, uses and discloses personal information
The IRS holds personal information in a secure online database managed by a third party (the Service Provider). It may also hold electronic copies of documents containing personal information (e.g. queries, complaints, forms and other relevant documents) in a secure online database.
Where it holds personal information electronically, such information can only be accessed by authorised IRS staff using personal accredited passwords.
The keeping of personal information in hard copy is not encouraged by the IRS. Information is held in hard copy only for a reasonable time as necessary and stored securely. All IRS premises are protected by security access.
The IRS only holds and uses personal information for purposes directly related to its functions or activities, or for the purposes for which the information was originally collected, or otherwise in accordance with the Australian Privacy Principles.
Disclosure of personal information
The IRS may disclose personal information provided to it, to the following third parties:
- IRS Members by way of access to the IRS Database to support claims management, claims investigation, loss assessment, fraud detection and validate risk underwriting;
- Federal, State or Territory police authorities and agencies;
- the IRS's staff for the purposes of their work responsibilities; and
- other third parties providing law enforcement or administrative services, including the Service Provider.
The disclosure of personal information in the circumstances outlined in this section (9) above may include the disclosure of sensitive information.
The IRS does not generally disclose personal information to overseas recipients and will only do so in accordance with the Australian Privacy Principles. However some IRS Members undertake part of their back office claims processing in overseas locations, and personal information may be disclosed to such persons in these operations, by way of access to the IRS database, to allow them to perform their operational functions.
Accessing and correcting personal information held by IRS
Individuals may access personal information about them that is held by the IRS by ordering their own My Insurance Claims Report.
Individuals may make or seek changes to that information, by contacting their insurer in relation to information concerning an insurance claim, or the Service Provider on 13 23 33 or +61 3 9828 3200. Alternatively an individual can email IRS@insurancecouncil.com.au.
If the IRS does not agree to provide access to personal information or to amend or annotate the information we hold about an individual, the relevant individual may seek a review of the IRS's decision.
Individuals can send written complaints about a breach of the Australian Privacy Principles in relation to their personal information to IRS@insurancecouncil.com.au or to The Privacy Officer, Insurance Reference Services Limited, Level 4, 56 Pitt Street, Sydney NSW 2000.
Complaints will be reviewed by our Privacy Officer and a written response will usually be provided within 30 days of receipt of the complaint by IRS.
If an individual believes that his or her complaint has not been satisfactorily addressed by IRS, after following the procedure set out above, he or she can make a complaint to the Office of the Information Commissioner (OAIC). The OAIC's contact details are available on its website.