What may insureds ask for?
Insureds who are natural persons (companies have no such rights) are entitled to access their “personal information” held by insurers on request, without giving a reason. There is no particular form for a request and it does not have to be in writing or mention the Privacy Act to be effective.
Insurers must provide a decision on whether to grant the request within 20 working days and must then process the request without undue delay.
What information must be provided?
Personal information is information “about an identifiable individual”. This is interpreted broadly.
In Case Note 228045 [2012] NZ PrivCmr 8 the Privacy Commissioner ordered an insurer to disclose an engineering report about an insured person’s house. The report did not name the insured, but that person could be identified because the report referred to the “property owner”, contained the property address and described the damage it had sustained. The report was “about” the insured because it related to the insured’s house.
When considering what documents to provide in response to a request, insurers should consider whether they contain information that could identify the insured and whether they relate to the insured person or his or her property.
Insurers should also check their privacy policies to ensure they are not acting inconsistently with them.
Do insurers have to provide all the documents in their file?
Insureds will often request a copy of the insurer’s “file”. This can exceed the insured’s entitlement under the Act, as most insurers hold personal information and non-personal information in a range of formats and locations associated with an insured or a claim.
If an insured requests the “file”, insurers are entitled to review the file and provide only those documents that contain personal information about the insured.
What about emails, phone call logs and recordings and other records not in a “file”?
This depends upon the request. If an insured requests a “file” for a particular claim and the insurer has a system that manages and stores its records for that claim, such as a hard copy file or a computer based file, the insurer may take the view that the request relates only to that “file”.
However, if the request appears to encompass all documents relating to a claim, the insurer is obliged to provide access to all documents that it holds that contain personal information about that insured, whichever form they are in.
An insurer’s documents may not extend to documents held by its employees in their personal capacity, such as text messages on personal telephones and diaries that are their personal property.
What information can be refused?
Insurers may refuse to disclose, or may redact, information that is protected by legal professional privilege. This generally falls into two main categories:
Another ground to withhold a document is that it contains information that would disclose a trade secret or be likely unreasonably to prejudice the commercial position of an insurer. In the insurance context, this may include information about claim reserves, the method by which an insurer calculates the level of reserves to pay out on a claim, and estimates of costs. EQC will generally release cost estimates, although there are circumstances in which it will not, primarily where commercial negotiations for repairs are occurring.
Insurers can refuse to provide evaluative material if that would breach an express or implied promise to keep the material confidential. The Privacy Act recognises that evaluative or opinion material used for the purpose of deciding whether to insure or renew insurance for an individual or property qualifies as “evaluative material”.
An insurer’s documents may not extend to those held by its employees in their personal capacity, such as text messages on personal telephones and diaries.
What about draft documents?
Draft documents may expose information that an insurer decided not to pass to an insured or may otherwise reveal a weakness in its position. There is no special protection for draft documents and they must be reviewed on their own merits and disclosed if they contain personal information that cannot be withheld for a recognised reason, such as solicitor-client privilege.
What about consultants’ documents held on their files?
Insurers may instruct loss adjustors and other consultants who will have additional documents on their files that contain personal information.
The Privacy Act applies only to documents that an insurer “holds”, but this is interpreted widely. The Human Rights Review Tribunal has decided that an agency holds information that it controls, whether or not that information is in its physical possession.
Insurers are therefore obliged to provide personal information held by a consultant where the insurer is entitled to that information. In most instances, however, the consultant will have provided the insurer with all the information to which it is entitled, such as a final report. A consultant is not normally obliged to provide an insurer with other information. In the context of professionals such as accountants and lawyers, the usual test is whether the document was intended to become the property of the client and does not extend to internal records, notes and draft documents.
May an insurer charge a fee for providing a file?
Act request, which may reflect the urgency requested by the insured.
An insurer may charge for the costs of material and labour for time spent locating the relevant material, collating, transcribing and copying it. However, an insurer may not charge for the time spent deciding whether to disclose particular information, such as a legal review.
The Privacy Commissioner1 and Human Rights Review Tribunal2 have endorsed the Ministry of Justice’s Charging Guidelines for Official Information Act 1982 Requests dated 18 March 2002 as a useful starting point. The guidelines provide that the first hour of staff time and 20 pages of photocopying should normally be free and then charges of $38 per half hour and 20 cents per page (GST inclusive) apply.
What about EQC?
Insureds may make Privacy Act requests to EQC. They may also make requests for information from EQC under the Official Information Act 1982, which does not apply to private insurers.
Who enforces the Privacy Act?
Persons who wish to complain that an insurer has failed to provide information that it is obliged to provide
Privacy Commissioner has limited powers and normally seeks to resolve complaints by agreement.
In serious cases, the Privacy Commissioner or the insured person may refer a complaint to the Human Rights Review Tribunal, which may make orders and award damages for breaches of the Privacy Act. Such cases normally involve circumstances in which sensitive personal information such as medical information has been disclosed in a way that has harmed an individual.
How should insurers prepare for Privacy Act claims?
Insurers may prepare to respond to Privacy Act claims by:
