Who we are
Our commitment to privacy and responsible use of personal information
- We respect rights to privacy and are committed to safeguarding the privacy of our customers and information they share with us. This policy sets out how we collect, store, use, protect, handle and disclose personal and sensitive information.
- We are bound by, and will abide by, the Privacy Act 1988 (Cth) (“Privacy Act”) and all amendments thereto, including the Australian Privacy Principles, which set the minimum standards for how private sector organisations should collect, store, use, protect, handle and disclose personal and sensitive information.
- "Personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable. This applies:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
This includes information such as name, date of birth, gender, marital status, email address, identification number, details about employment including salaries and employment history or any other type of information that can reasonably identify an individual, either directly or indirectly.
“Sensitive information” means Personal information that includes health and/or genetic information. We may collect and hold sensitive information, including but not limited to details about health, mental health or disability and records concerning advice or treatment received including medications prescribed, for the purpose of providing reinsurance services.
What personal information is collected
- As a company offering reinsurance products, we collect and hold a range of Personal information and Sensitive information from and about individuals who are insured under policies issued by our customers (insurance companies). We only collect personal information, including Sensitive information, from individuals that is necessary for our business functions or activities and in accordance with the provisions of the Privacy Act.
- We may, from time to time, receive and store personal information submitted to us through third parties, provided to us directly or given to us in other forms. We will receive basic information such as:
- phone number
- email address
- date of birth
This will be used only to send information, provide updates and process the product.
- We may collect additional information at other times, including but not limited to:
- employment details;
- income, including but not limited to salary and wages, investments, fee income;
- sources of income;
- citizenship status;
- financial information including, but not limited to, assets and liabilities;
- individual medical history;
- family medical history;
- claims history;
- pastimes and pursuits;
- travel plans;
- occupational duties;
- feedback; and
- information about personal or business affairs
How we collect and hold Personal information and Sensitive information
- Where it is reasonable and practicable to do so, we collect Personal information and Sensitive information about an individual directly from the individual and not from third parties. In many circumstances though, in view of our business as a reinsurer, this is not practicable. We could collect Personal information and Sensitive information from various third parties including:
- insurance companies;
- claims assessors;
- loss adjusters;
- claims managers;
- chief medical officers;
- legal representatives;
- treating medical and health professionals;
- rehabilitation service providers;
- the individual’s employer (if applicable); and
- other General Reinsurance group entities.
We hold Personal information and Sensitive information electronically in various internal systems and databases including shared drives, email, document management systems and in hard copy. We have reasonable security measures in place to secure the Personal information and Sensitive information, including firewalls, protection against malware and secure logon procedures. We also maintain reasonable security procedures for holding physical information, including electronic building entry and storage procedures.
How we use personal information
- We collect, hold, use and disclose Personal information and Sensitive information collected from individuals, whether directly or indirectly, for various purposes associated with our business, including:
- to undertake and complete reinsurance transactions;
- risk analysis and reinsurance underwriting;
- management of claims;
- accounting and auditing;
- risk management;
- portfolio analysis;
- complaints management; and
- legal, regulatory and compliance purposes.
If Personal information or Sensitive information is withheld, it may not be possible for us to provide our products and services.
- If there is a change of control in our business or a sale or transfer of business assets, we reserve the right to transfer to the extent permissible at law our user databases, together with any Personal information, Sensitive information and non-personal information contained in those databases.
Disclosure of personal information to other organisations
- We may disclose Personal information or Sensitive information to comply with a legal requirement, such as a law, regulation, court order, subpoena, warrant, legal proceedings or in response to a law enforcement agency request.
- The Australian Privacy Principles allow us, in certain circumstances, to disclose to related entities and to third parties Personal information and Sensitive information that has been disclosed to us and to our related parties. We may disclose an individual’s Personal information and/or Sensitive information for the purposes listed above to the following:
- legal representatives and other external advisors;
- other General Reinsurance group entities and related parties;
- third party service providers who we engage to assist us to conduct our business;
- government or regulatory bodies (as required or authorised by law);
- other organisations who in conjunction with us provide goods and services to the individual;
- professional associations or organisations with whom we conduct an affinity relationship;
- any person or organisation which the individual wishes to authorise to act on their behalf or to whom the individual provides consent (we require the individual to notify us of this, in writing); and
- any person or organisation that has information that is necessary for one or more of our business functions or activities.
- We may also disclose Personal information and Sensitive information to overseas recipients, including General Reinsurance group entities with locations in Canada, China, European Union, Hong Kong, India, New Zealand, Singapore, South Africa, the United Kingdom and the United States. If Personal information or Sensitive information is disclosed to overseas recipients, we will require the receiving parties to adhere to the Australian Privacy Principles and to handle the Personal information and Sensitive information in accordance with the Australian Privacy Principles.
Access to personal information
- An individual may request details of Personal information or Sensitive information that we hold about them in accordance with the provisions of the Privacy Act 1988 (Cth). If the individual would like a copy of the information which we hold about them they should contact our Privacy Officer. (See section “How to contact us” for contact details).
- A reasonable fee may be charged for retrieving and sending an individual their personal information or Sensitive information. There may be circumstances in which we cannot provide individual access to the Personal information or Sensitive information we hold. We reserve the right to refuse to provide information that we hold, in certain circumstances set out in the Privacy Act or any other applicable law. We will provide an individual with reasons for denial of access.
Correction of personal information
- We will take reasonable steps to make sure that Personal information and Sensitive information we collect, store, handle, use or disclose is accurate, complete, up-to-date, relevant and not misleading.
- If any individual believes that any information we hold on them is inaccurate, out of date, incomplete, irrelevant or misleading, they have the right to request that we change the information by contacting our Privacy Officer.
- We will attend to each request as quickly as possible.
- In order to process any request for access or correction of an individual’s Personal information or Sensitive information, we will need to obtain a minimum level of information from an individual including the following:
- full name;
- date of birth; and
- details of the request including supporting information, evidencing the individual’s right to access the data.
- Where it is established that Personal information or Sensitive information in relation to an individual is inaccurate, out of date, incomplete, irrelevant or misleading, we will take all reasonable steps necessary to correct the information so that it is accurate, complete, up-to-date, relevant and not misleading. If we disagree about whether the information is accurate, complete, up-to-date, relevant and not misleading, and the individual requests us to associate with the information a statement claiming that the information is inaccurate, out of date, incomplete, irrelevant or misleading, we will take all reasonable steps to do so.
- If an individual is seeking information on another person’s behalf, we will require additional written authorisation from that individual.
Outsourcing and contractual arrangements
Breaches of data leading to serious harm¹
Under Part IIIC of the Privacy Act 1988, a notifiable data breaches scheme commenced in Australia on 22 February 2018. The scheme applies to ‘eligible data breaches’—where the breach is likely to result in serious harm to any of the individuals to whom the information relates. It requires Australian Privacy Principles entities to provide a statement to the Commissioner (of the Office of the Australian Information Commissioner) notifying of an eligible data breach as soon as practicable after the entity becomes aware of the breach. It also requires entities to notify affected individuals as soon as practicable after preparing the statement for the Commissioner. Like the GDPR, there are exceptions to these requirements. For more information, see https://www.oaic.gov.au/ndb. See Appendix 1 for OAIC step through process.
Privacy training and education
Complaints and disputes
- If an individual is not satisfied with how we have dealt with their complaint, then the individual should refer the complaint to the Australian Financial Complaints Authority (AFCA). Contact details are:
- Australian Financial Complaints Authority
- GPO Box 3
- Melbourne VIC 3001
- Tel. 1800 931 678
- Should an individual require clarification on any particular matter or need further information on any privacy matters, our Privacy Officer can be contacted at the contact details below.
Further information regarding the Privacy Act can be obtained at:
How to contact us
All correspondence should be addressed to:
- Privacy Officer
- General Reinsurance Australia
- Level 20, 1 O’Connell St
- Sydney, 2000
¹ “Serious harm” is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
This policy was last updated on 26 May 2021 and is current at the present time.