Who we are
Our commitment to privacy and responsible use of personal information
- We respect rights to privacy and are committed to safeguarding the privacy of our customers. This policy sets out how we collect and treat personal information.
- We are bound by, and will abide by, the Australian Privacy Principles contained in the Privacy Act 1988 (Cth) (“Privacy Act”), which set the minimum standards for how private sector organisations should collect, use, handle and disclose personal information.
- “Personal information” means information or an opinion about an identified individual, or an individual who is reasonably identifiable. This applies:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
This includes information such as name, email address, identification number, or any other type of information that can reasonably identify an individual, either directly or indirectly.
What personal information is collected
- As a company offering reinsurance products, we collect and hold a range of personal information from and about individuals who are insured under policies issued by our customers (insurance companies). We only collect personal information, including sensitive information, from individuals where it is necessary for our business functions or activities and in accordance with the provisions of the Privacy Act.
- We may, from time to time, receive and store personal information submitted to us through third parties, provided to us directly or given to us in other forms. We will receive basic information such as:
- phone number
- email address
- date of birth
This will be used only to send information, provide updates and process the product.
- We may collect additional information at other times, including but not limited to:
- employment details;
- income, including but not limited to salary and wages, investments, fee income;
- sources of income;
- citizenship status;
- financial information including, but not limited to, assets and liabilities;
- individual medical history;
- family medical history;
- claims history;
- pastimes and pursuits;
- travel plans;
- occupational duties;
- feedback; and
- information about personal or business affairs
How we collect and hold personal information
- Where it is reasonable and practicable to do so, we collect personal information about an individual directly from the individual and not from third parties. In many circumstances though, in view of our business as a reinsurer, this is not practicable. We could collect personal information from various third parties including:
- insurance companies;
- claims assessors;
- loss adjusters;
- claims managers;
- chief medical officers;
- legal representatives;
- treating medical and health professionals;
- rehabilitation service providers;
- the individual’s employer (if applicable); and
- other General Reinsurance group entities.
We hold personal information electronically in various internal systems and databases including shared drives, email, document management systems and in hard copy.
How we use personal information
- We collect, hold, use and disclose personal information collected from individuals for various purposes associated with our business, including:
- to undertake and complete reinsurance transactions;
- risk analysis and reinsurance underwriting;
- management of claims;
- accounting and auditing;
- risk management;
- portfolio analysis;
- complaints management; and
- legal, regulatory and compliance purposes.
If personal information is withheld, it may not be possible for us to provide our products and services.
- If there is a change of control in our business or a sale or transfer of business assets, we reserve the right to transfer, to the extent permissible at law, our user databases, together with any personal information and non-personal information contained in those databases.
Disclosure of personal information to other organisations
- We may disclose personal information to comply with a legal requirement, such as a law, regulation, court order, subpoena, warrant, legal proceedings or in response to a law enforcement agency request.
- The Australian Privacy Principles allow us, in certain circumstances, to disclose to related entities and to third parties personal information that has been disclosed to us and to our related parties. We may disclose an individual’s personal information for the purposes listed above to the following:
- legal representatives and other external advisors;
- other General Reinsurance group entities and related parties;
- third party service providers who we engage to assist us to conduct our business;
- government or regulatory bodies (as required or authorised by law);
- other organisations who in conjunction with us provide goods and services to the individual;
- professional associations or organisations with whom we conduct an affinity relationship;
- any person or organisation which the individual wishes to authorise to act on their behalf or to whom the individual provides consent (we require the individual to notify us of this, in writing); and
- any person or organisation that has information that is necessary for one or more of our business functions or activities.
Access to personal information
- An individual may request details of personal information that we hold about them in accordance with the provisions of the Privacy Act 1988 (Cth). If the individual would like a copy of the information which we hold about them, they should contact our Privacy Officer (see Section 14 for contact details).
- A reasonable fee may be charged for retrieving and sending an individual their personal information. There may be circumstances in which we cannot provide individual access to the personal information we hold. We reserve the right to refuse to provide information that we hold, in certain circumstances set out in the Privacy Act or any other applicable law. We will provide an individual with reasons for denial of access.
Correction of personal information
- We will take reasonable steps to make sure that personal information we collect, use or disclose is accurate, complete and up-to-date, relevant and not misleading.
- If any individual believes that any information we hold on them is inaccurate, out of date, incomplete, irrelevant or misleading, they have the right to request that we change the information by contacting our Privacy Officer.
- We will attend to each request as quickly as possible.
- In order to process any request for access or correction of an individual’s personal information, we will need to obtain a minimum level of information from an individual including the following:
- full name;
- date of birth; and
- details of the request including supporting information, evidencing the individual’s right to access the data.
- As a company offering reinsurance products to our clients, it is often necessary to collect an individual’s sensitive information in order to provide these services. Without the individual’s consent to collect and disclose this information, we would be unable to offer our services to the insurance companies.
- Sensitive information includes information or an opinion relating to a person’s racial or ethnic origin, political views or memberships, religious beliefs or affiliations, membership of a professional or trade association or trade union, sexual orientation or practices and criminal record. It also includes information about a person’s health or medical history.
- We will only collect, handle, use and disclose sensitive information about an individual in accordance with the provisions of the Privacy Act.
Outsourcing and contractual arrangements
Breaches of data leading to serious harm [1]
Under Part IIIC of the Privacy Act 1988, a notifiable data breaches scheme commenced in Australia on 22 February 2018. The scheme applies to “eligible data breaches”—where the breach is likely to result in serious harm to any of the individuals to whom the information relates. It requires Australian Privacy Principles entities to provide a statement to the Commissioner (of the Office of the Australian Information Commissioner) notifying of an eligible data breach as soon as practicable after the entity becomes aware of the breach. It also requires entities to notify affected individuals as soon as practicable after preparing the statement for the Commissioner. Like the GDPR, there are exceptions to these requirements. For more information, see https://www.oaic.gov.au/ndb. See Appendix 1 for OAIC step through process.
Privacy training and education
Complaints and disputes
- If an individual is not satisfied with how we have dealt with their complaint, then, up until 31 October 2018, the individual may refer the complaint to the Financial Ombudsman Service or the Superannuation Complaints Tribunal, whose details are set out below.
- Financial Ombudsman Service Limited
- GPO Box 3
- Melbourne VIC 3001
- Tel. 1300 780 808
- Superannuation Complaints Tribunal
- Locked Bag 3060
- Melbourne VIC 3001
- Tel. 1300 884 114
- From 1 November 2018, the individual should refer the complaint to the Australian Financial Complaints Authority (AFCA). Contact details are:
- Australian Financial Complaints Authority
- GPO Box 3
- Melbourne VIC 3001
- Tel. 1800 931 678
- Should an individual require clarification on any particular matter or need further information on any privacy matters, our Privacy Officer can be contacted at the contact details below.
Further information regarding the Privacy Act can be obtained at:
How to contact us
All correspondence should be addressed to:
- Privacy Officer
- General Reinsurance Australia
- Level 20, 1 O’Connell St
- Sydney, 2000
- Phone: 02 8236 6100
- Fax: 02 9222 1525
[1] “Serious harm” is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.