General Reinsurance Australia Privacy Policy

Who we are

In this Privacy Policy “we”, “our”, and “us” refers to General Reinsurance Australia. We offer property and casualty reinsurance in Australia, New Zealand, Oceania, and Marshall Islands.

Our commitment to privacy and responsible use of personal information
  1. We respect rights to privacy and are committed to safeguarding the privacy of our customers and information they share with us. This policy sets out how we collect, store, use, protect, handle and disclose personal and sensitive information.

  2. We are bound by, and will abide by, the Privacy Act 1988 (Cth) (“Privacy Act”) and all amendments thereto, including the Australian Privacy Principles, which set the minimum standards for how private sector organisations should collect, store, use, protect, handle and disclose personal and sensitive information.

  3. "Personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable. This applies:

    • whether the information or opinion is true or not; and

    • whether the information or opinion is recorded in a material form or not.

    This includes information such as name, date of birth, gender, marital status, email address, identification number, details about employment including salaries and employment history or any other type of information that can reasonably identify an individual, either directly or indirectly.

  4. “Sensitive information” means Personal information that includes health and/or genetic information. We may collect and hold sensitive information, including but not limited to details about health, mental health or disability and records concerning advice or treatment received including medications prescribed, for the purpose of providing reinsurance services.

    Other terms used throughout this Privacy Policy are defined in the Australian Privacy Principles.


What personal information is collected
  1. As a company offering reinsurance products, we collect and hold a range of Personal information and Sensitive information from and about individuals who are insured under policies issued by our customers (insurance companies). We only collect personal information, including Sensitive information, from individuals that is necessary for our business functions or activities and in accordance with the provisions of the Privacy Act.

  2. We may, from time to time, receive and store personal information submitted to us through third parties, provided to us directly or given to us in other forms. We will receive basic information such as:

    • name
    • phone number
    • address
    • email address
    • date of birth

    This will be used only to send information, provide updates and process the product.


  3. We may collect additional information at other times, including but not limited to:

    • employment details;
    • income including but not limited to, salary and wages, investments, fee income;
    • sources of income;
    • citizenship status;
    • financial information including, but not limited to, assets and liabilities;
    • individual medical history;
    • family medical history;
    • claims history;
    • pastimes and pursuits;
    • lifestyle;
    • travel plans;
    • occupational duties;
    • feedback; and
    • information about personal or business affairs

How we collect and hold Personal information and Sensitive information
  1. Where it is reasonable and practicable to do so, we collect Personal information and Sensitive information about an individual directly from the individual and not from third parties. In many circumstances though, in view of our business as a reinsurer, this is not practicable. We could collect Personal information and Sensitive information from various third parties including:

    • insurance companies;
    • claims assessors;
    • loss adjusters;
    • investigators;
    • claims managers;
    • chief medical officers;
    • legal representatives;
    • accountants;
    • treating medical and health professionals;
    • rehabilitation service providers;
    • the individual’s employer (if applicable); and
    • other General Reinsurance group entities.

    If such information is not provided to us, we may not be able to provide your insurer with the reinsurance services they have requested and this may affect the insurer’s ability to provide you with the relevant insurance. If we do collect such information identified above, we will protect it as set out in this Privacy Policy and in accordance with the Australian Privacy Principles contained in the Privacy Act 1988 (Cth).

    We hold Personal information and Sensitive information electronically in various internal systems and databases including shared drives, email, document management systems and in hard copy. We have reasonable security measures in place to secure the Personal information and Sensitive information, including firewalls, protection against malware and secure logon procedures. We also maintain reasonable security procedures for holding physical information, including electronic building entry and storage procedures.


  2. By providing us with Personal information and Sensitive information, whether directly or indirectly, the individual consents to the supply of that information subject to the terms of this Privacy Policy.

How we use personal information
  1. We collect, hold, use and disclose Personal information and Sensitive information collected from individuals, whether directly or indirectly, for various purposes associated with our business, including:

    • to undertake and complete reinsurance transactions;
    • risk analysis and reinsurance underwriting;
    • management of claims;
    • accounting and auditing;
    • risk management;
    • portfolio analysis;
    • complaints management; and
    • legal, regulatory and compliance purposes.

    If Personal information or Sensitive information is withheld, it may not be possible for us to provide our products and services.


  2. If there is a change of control in our business or a sale or transfer of business assets, we reserve the right to transfer to the extent permissible at law our user databases, together with any Personal information, Sensitive information and non-personal information contained in those databases.

Disclosure of personal information to other organisations
  1. We may disclose Personal information or Sensitive information to comply with a legal requirement, such as a law, regulation, court order, subpoena, warrant, legal proceedings or in response to a law enforcement agency request.

  2. The Australian Privacy Principles allow us, in certain circumstances, to disclose to related entities and to third parties Personal information and Sensitive information that has been disclosed to us and to our related parties. We may disclose an individual’s Personal information and/or Sensitive information for the purposes listed above to the following:

    • auditors;
    • legal representatives and other external advisors;
    • other General Reinsurance group entities and related parties;
    • third party service providers who we engage to assist us to conduct our business;
    • government or regulatory bodies (as required or authorised by law);
    • other organisations who in conjunction with us provide goods and services to the individual;
    • professional associations or organisations with whom we conduct an affinity relationship;
    • any person or organisation which the individual wishes to authorise to act on their behalf or to whom the individual provides consent (we require the individual to notify us of this, in writing); and
    • any person or organisation that has information that is necessary for one or more of our business functions or activities.

  3. If we do disclose Personal information and/or Sensitive information to a third party, we will protect it in accordance with this privacy policy. Where we disclose Personal information and/or Sensitive information, we require the receiving parties to adhere to our strict confidentiality requirements for the use and handling of personal information and also seek to ensure that they adhere to the Australian Privacy Principles.

  4. We may also disclose Personal information and Sensitive information to overseas recipients, including General Reinsurance group entities with locations in Canada, China, European Union, Hong Kong, India, New Zealand, Singapore, South Africa, the United Kingdom and the United States. If Personal information or Sensitive information is disclosed to overseas recipients, we will require the receiving parties to adhere to the Australian Privacy Principles and to handle the Personal information and Sensitive information in accordance with the Australian Privacy Principles.

 

Access to personal information
  1. An individual may request details of Personal information or Sensitive information that we hold about them in accordance with the provisions of the Privacy Act 1988 (Cth). If the individual would like a copy of the information which we hold about them they should contact our Privacy Officer. (See section “How to contact us” for contact details).

  2. A reasonable fee may be charged for retrieving and sending an individual their personal information or Sensitive information. There may be circumstances in which we cannot provide individual access to the Personal information or Sensitive information we hold. We reserve the right to refuse to provide information that we hold, in certain circumstances set out in the Privacy Act or any other applicable law. We will provide an individual with reasons for denial of access.

Correction of personal information
  1. We will take reasonable steps to make sure that Personal information and Sensitive information we collect, store, handle, use or disclose is accurate, complete, up-to-date, relevant and not misleading.

  2. If any individual believes that any information we hold on them is inaccurate, out of date, incomplete, irrelevant or misleading, they have the right to request that we change the information by contacting our Privacy Officer.

  3. We will attend to each request as quickly as possible.

  4. In order to process any request for access or correction of an individual’s Personal information or Sensitive information, we will need to obtain a minimum level of information from an individual including the following:

    • full name;
    • date of birth; and
    • details of the request including supporting information, evidencing the individual’s right to access the data.

  5. Where it is established that Personal information or Sensitive information in relation to an individual is inaccurate, out of date, incomplete, irrelevant or misleading, we will take all reasonable steps necessary to correct the information so that it is accurate, complete, up-to-date, relevant and not misleading. If we disagree about whether the information is accurate, complete, up-to-date, relevant and not misleading, and the individual requests us to associate with the information a statement claiming that the information is inaccurate, out of date, incomplete, irrelevant or misleading, we will take all reasonable steps to do so.

  6. If an individual is seeking information on another person’s behalf, we will require additional written authorisation from that individual.

Outsourcing and contractual arrangements

All contractual arrangements with third parties impose appropriate privacy and confidentiality obligations on those third parties to ensure that Personal information and Sensitive information that we impart is kept secure and that we do not breach our obligations under the Australian Privacy Principles and this Privacy Policy.

Breaches of data leading to serious harm¹

Under Part IIIC of the Privacy Act 1988, a notifiable data breaches scheme commenced in Australia on 22 February 2018. The scheme applies to ‘eligible data breaches’, where the breach is likely to result in serious harm to any of the individuals to whom the information relates. It requires Australian Privacy Principles entities to provide a statement to the Commissioner (of the Office of the Australian Information Commissioner) notifying of an eligible data breach as soon as practicable after the entity becomes aware of the breach. It also requires entities to notify affected individuals as soon as practicable after preparing the statement for the Commissioner. Like the GDPR, there are exceptions to these requirements. For more information, see https://www.oaic.gov.au/ndb. See Appendix 1 for OAIC step through process.

Privacy training and education

We will provide training to our employees to ensure that all relevant staff are suitably trained about our obligations under the Australian Privacy Principles and our Privacy Policy.

Complaints and disputes
  1. If an individual believes that we have not complied with an obligation under the Privacy Act in relation to an individual’s personal information, the individual is asked to please contact our Privacy Officer (see section “How to contact us” for contact details). We will promptly acknowledge and investigate complaints. Our address is provided at the end of this Privacy Policy.

  2. If an individual is not satisfied with how we have dealt with an individual’s complaint, then the individual should refer the complaint to the Australian Financial Complaints Authority (AFCA). Contact details are:

    • Australian Financial Complaints Authority
    • GPO Box 3
    • Melbourne VIC 3001
    • Tel. 1800 931 678
    • Email: info@afca.org.au

Further information
  1. Our Privacy Policy outlines our adherence to the Australian Privacy Principles, and the way in which we collect, hold, use and disclose an individual’s personal information.

  2. Should an individual require clarification on any particular matter or need further information on any privacy matters, our Privacy Officer can be contacted at the contact details below.

    Further information regarding the Privacy Act can be obtained at:

How to contact us

All correspondence should be addressed to:

  • Privacy Officer
  • General Reinsurance Australia
  • Level 20, 1 O’Connell St
  • Sydney, 2000
  • Phone: 02 8236 6148
  • Email: PrivacyANZ@genre.com

Endnote

  1. “Serious harm” is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

 

Appendix 1: OAIC Step Through in case of Data Breach

 

This policy was last updated on 26 May 2021 and is current at the present time.