A shift towards digitisation has been the central theme for the insurance industry in recent years. Digitisation lowers the cost of transacting business, helps increase penetration, and brings higher efficiencies. However, the convenience of digitisation brings with it concerns related to data protection.
The Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) set out the general framework with respect to data protection in India. However, given the nature of the business of insurance companies and intermediaries, the Insurance Regulatory and Development Authority of India (IRDAI) has prescribed an additional framework for the protection of policyholder information and data, which is required to be followed in addition to the general framework under the IT Act.
Set out below is the regulatory regime prescribed by the IRDAI with respect to data protection in the insurance sector. It is pertinent to note that these regulations require strict compliance, and that the IRDAI has in the past taken enforcement action for breaches of them.[i]
Regulatory Framework Governing Insurance Companies
The IRDAI has mandated insurance companies to protect and maintain the confidentiality of information they collect. Records must be held and maintained in India and disclosure is permitted only in limited circumstances. The table below captures the relevant data protection regulations applicable to insurance companies:
| No. | Regulation / Guidelines | Provision | Particulars |
|---|---|---|---|
| 1. | IRDAI (Protection of Policyholders’ Interests) Regulations, 2017 | Regulation 19(5) | Insurers are required to maintain total confidentiality of policyholder information, unless it is legally necessary to disclose it to statutory authorities. |
| 2. | IRDAI (Maintenance of Insurance Records) Regulations, 2015 | Regulations 3(3)(b) and 3(9) | Insurers are required to ensure that: (i) the system in which policy and claim records are maintained has adequate security features; and (ii) records pertaining to policies issued and claims made in India (including records held in electronic form) are held in data centres located and maintained in India. |
| 3. | IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017 | Regulation 12 | Insurers are required to ensure that: (i) the outsourcing service provider has adequate security policies to protect the confidentiality and security of policyholder information; (ii) information and data shared with outsourcing service providers remain confidential; and (iii) customer data is retrieved from the service provider, with no further use of it by the provider, once the outsourcing agreement is terminated. |
| 4. | IRDAI (Health Insurance) Regulations, 2016 | Regulation 35(c) | Insurers, TPAs (defined hereinafter) and network providers (i.e., hospitals) are required to comply with data-related matters as may be specified in guidelines prescribed by the IRDAI (if any). |
Regulatory Framework Governing Insurance Intermediaries
Intermediaries in the insurance sector serve as a bridge between customers and insurance companies, by facilitating the process for selection and purchase of insurance products and assisting in the servicing of policies and assessment of claims. Such insurance intermediaries, namely brokers, individual agents, corporate agents, third party administrators (TPAs), surveyors, loss assessors and web aggregators, are also subject to obligations relating to data protection and preservation of confidentiality prescribed by the IRDAI.
Whilst each intermediary is subject to its own regulations and code of conduct, as set out in the table below, the provisions relating to protection of policyholder data are common to all intermediaries. Inter alia, they require insurance intermediaries to (i) treat all information supplied to them by prospective clients as completely confidential to themselves and to the insurer(s) to which the business is being offered; and (ii) take appropriate steps to maintain the security of confidential documents in their possession, including by restricting access to such information and obtaining confidentiality undertakings. A similar regime applies to insurance surveyors and loss assessors, with one exception: the extant regulations permit surveyors and loss assessors to disclose information pertaining to a client, employer or policyholder to a third party, but only where the necessary consent has been obtained from the interested party. Surveyors and loss assessors nonetheless remain prohibited from using (or appearing to use) any confidential information to their personal advantage or to the advantage of a third party.
Specifically in relation to TPAs, the IRDAI (Third Party Administrators – Health Services) Regulations, 2016 (TPA Regulations) require TPAs not to share the data and personal information of customers received by them for servicing insurance policies or claims. A limited exception to this rule has been carved out for disclosure of confidential information to any court of law, tribunal, government or the IRDAI in the event of any investigation being carried out (or proposed to be carried out) against the insurer, TPA or any other person, or for any other reason. This exception is similar to the carve-out under Rule 6 of the SPDI Rules, which permits government agencies mandated under law to obtain information (including sensitive personal data or information) for specified purposes without obtaining the prior permission of the provider of such information.
The table below lists the provisions of the regulations that set out the regime applicable to insurance intermediaries described above:

| Intermediary | Regulations | Provisions |
|---|---|---|
| Third Party Administrators – Health Services | TPA Regulations | Regulations 19(4) and 19(7); Code of Conduct – Schedule II (2(m), 2(n)) |
| Insurance Brokers | (i) IRDAI (Licencing of Banks as Insurance Brokers) Regulations, 2013; (ii) IRDAI (Insurance Brokers) Regulations, 2018 | (i) Code of Conduct – Schedule II (2(d), 2(e)); (ii) Code of Conduct – Schedule I – Form H (2(d), 2(e)) |
| Insurance Web Aggregators | IRDAI (Insurance Web Aggregators) Regulations, 2017 | Code of Conduct – Schedule VIII – Form W (a(iii), a(iv)) |
| Corporate Agents | IRDAI (Registration of Corporate Agents) Regulations, 2015 | Code of Conduct – Schedule III (I(1)(d), I(1)(e)) |
| Common Service Centres | IRDAI (Insurance Services by Common Service Centres) Regulations, 2015 | Code of Conduct – Schedule IV (I(2)(d), I(2)(e)) and II(5) |
| Insurance Surveyors and Loss Assessors | IRDAI (Insurance Surveyors and Loss Assessors) Regulations, 2015 | Code of Conduct – Regulations 16(16) and 16(17) |
In the second part of this post we will look at the guidelines applicable to both insurance companies and insurance intermediaries, which include the cyber security guidelines and the e-commerce guidelines.
[i] Final order in the matter of M/s. Bharti AXA Life Insurance Company Limited, IRDA/ENF/MISC/ONS/074/04/2016; Final order in the matter of M/s. Regal Insurance Brokers & RMS Pvt. Ltd., IRDA/ENF/ORD/ONS/181/08/2017.