Industry · 15 October 2024 · DEIS Compliance

Insurance industry: privacy compliance for claims investigation and underwriting

Insurers access personal information from multiple third-party sources during claims and underwriting. Here is how to manage compliance.

insurance, claims, underwriting

The insurance industry is one of the largest consumers of third-party personal information in New Zealand. During both underwriting and claims investigation, insurers routinely access credit bureaus, vehicle history databases, medical records, and other sources.

Underwriting

When assessing a new policy application, insurers may run credit checks, verify identity through third-party sources, and access claims history databases. Each of these involves collecting personal information from a source other than the applicant.

Claims investigation

During claims handling, insurers may access vehicle history (Carjam), property records, company records, credit data, and even social media. The volume of third-party data collection during an investigation can be substantial.

The compliance challenge

Insurers often argue that their policy terms and conditions cover third-party data collection. However, the OPC has been clear that blanket consent clauses in insurance policies may not satisfy IPP3A, particularly for claims investigations that go beyond what a reasonable policyholder would expect.

Risk-based approach

The OPC recommends a risk-based approach: the more sensitive the data and the less expected the collection, the more robust the notification or consent process should be.

DEIS for insurers

DEIS allows insurance companies to log every third-party data access with the specific IPP3A pathway, creating an audit trail that satisfies OPC requirements. For high-volume claims teams, this is significantly more efficient than manual record-keeping.
