Policyholder Data Sharing in India

Introduction

With a vision to transform India into a digitally empowered society and knowledge economy, the Indian government[1] launched the Digital India initiative and, mindful of its impact, has been taking several steps to ensure greater accessibility as well as greater safety around internet-based services. This, coupled with heightened internet-based services and digital connectivity,[2] led the government to launch several digital services[3], some of which are remarkably successful – these range from unified payments interface (UPIs) to DigiLocker[4]. According to India Brand Equity Foundation, the rising use of UPIs strongly indicates that more and more people in India are adopting a digital lifestyle[5] – UPI saw its highest ever number of transactions in April 2022 at 5.58 billion, amounting to INR 9.83 trillion. DigiLocker hit the mark of 101 million users on March 19, 2022, evidencing the adoption and success of this initiative[6].

Individual sector regulators have adapted to the growing demands of regulating digital service delivery[7]. In the insurance sector, the Insurance Regulatory and Development Authority of India (“IRDAI”) has supported the Digital India initiative through several measures such as the introduction of the Guidelines on Insurance E-Commerce dated March 9, 2017[8] (“Ecommerce Guidelines”) (more on this below), promotion of ‘web-aggregators’[9] and establishment of Common Public Service Centres for marketing insurance products[10]. Policy measures, which include implementation of the ‘Regulatory Sandbox approach’ through notification of the IRDAI (Regulatory Sandbox) Regulations, 2019[11] (“Sandbox Regulations”), demonstrate the insurance sector’s inclination towards digital innovation and its adoption. The IRDAI is expected to provide a further impetus towards the push for innovation in the insurance industry[12].

However, the increased propensity of consumers to transact digitally for their insurance needs[13] gives rise to concerns relating to sharing and protection of customer data. Having discussed the regulatory framework prescribed by the IRDAI in relation to data protection for the insurance sector[14], we now answer questions relating to what constitutes policyholder information, trends in the treatment and sharing of policyholder data, and considerations for the IRDAI on the sharing of policyholder data.

What is Policyholder Information?

‘Policyholder Information’ has not been defined under the Insurance Act, 1938 or the rules and regulations framed thereunder. However, in practice, it includes the information that is furnished by a prospect/policyholder during the course of solicitation of an insurance policy, or issuance/sale of an insurance policy, or servicing of an insurance policy.

The information can be collected from the policyholder through various means, such as, inter alia, a proposal form or a claim form, or through telemarketing/other distance marketing modes. Such policyholder information can be broadly categorized into the following data sets:

Personal Information

Specialised Information

Potential Market Practice and Contention

The IRDAI has a strict restriction on the sharing of policyholder data. In terms of Regulation 19(5) of the IRDAI (Protection of Policyholders’ Interests) Regulations, 2017 (“Policyholder Protection Regulations”), insurers are required to maintain total confidentiality of policyholder information, unless it is legally necessary to disclose the same to statutory authorities. Further, in the context of the Ecommerce Guidelines, all insurers and insurance intermediaries, who are desirous of setting up an Insurance Self-Network Platform (“ISNP”) for undertaking insurance e-commerce activities in India, are required to file an application for registering their electronic platform set up as an ISNP with the IRDAI. The Ecommerce Guidelines inter alia provide that privacy and confidentiality of data are to be maintained at all times and misuse of personal information collected during the course of an insurance transaction is to be prevented[15].

However, the IRDAI appears to allow the sharing of information, records and data by insurers with third parties for business purposes, provided that adequate: (i) consents are obtained from the information owner; and (ii) safety measures are put in place to ensure confidentiality and security of such information, records and data. In the event sensitive data is required to be sent to third parties, Paragraph 11 of the Guidelines on Information and Cyber Security for Insurers dated April 7, 2017 (“Cyber Security Guidelines”) requires that the insurer must ensure it has: (a) approval of the information/business owner; and (b) adequate controls to prevent a third party from misusing data (i.e., by way of non-disclosure agreements, right protected email, etc.).

From a practical perspective, we find that it is common for insurers to retain and/or reserve the right to share personal information of their customers and prospects with their affiliates and group companies for various purposes, including cross-selling and promotional activities[16]. However, the insurers may not be able to contend that policyholder data can be shared with third parties/their affiliates and group companies for the purposes of cross-selling and promotional activities, given that:

(a)    the Policyholder Protection Regulations and Ecommerce Guidelines provide for a strict restriction on maintaining confidentiality of policyholder data; and

(b)    the IRDAI may not accept the contention that ‘cross-selling and promotional activities’ qualify as legitimate business purposes of the insurer.

This said, as of date, there is no guidance from the IRDAI on whether the provisions of the Cyber Security Guidelines (which incorporate the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 principles of consent-based sharing of information) will prevail over the general restrictions on sharing of policyholder information.[17]

Taking Cues from RBI and Global Trends

The Indian banking regulator, the Reserve Bank of India (“RBI”), has allowed banks to disclose data of their customers inter alia when express/implied consent of the customer has been procured[18]. Further, an analysis of the data-sharing practices in the insurance industry of five other jurisdictions reveals that the global trends have increasingly inclined towards a consent-based regime for policyholder-data sharing by insurers. Below is a brief table:

Sr. No. Jurisdiction Brief Details of insurance Data Sharing Practices/ Proposals
1. Australia
  • In November 2017, the Australian Government introduced Consumer Data Right (CDR) in Australia[19].
  • While this was implemented for the banking sector initially, it is proposed that the CDR regime shall be rolled out to the insurance industry in 2023[20], and this move has been endorsed by Insurtech Australia[21].
  • Insurtech Australia has stated that it would like to see positive developments for insurance consumers by allowing insurtechs to access and use a particular customer’s data with the permission of the customer[22].
2. Singapore
  • Singapore Financial Data Exchange is the world’s first public digital infrastructure to use a national digital identity and centrally managed online consent system to enable individuals to access, through applications, their financial information held across different government agencies and financial institutions[23].
3. South Africa
  • The Financial Sector Conduct Authority (FSCA) published its research report and consultation paper on Open Finance[24], a framework to allow consumers and companies to access their financial data created on financial service providers’ (FSPs) platforms and enable sharing such data with other FSPs.
  • The FSCA has proposed five recommendations for Licensing, Supervision and Enforcement procedures to regulate Open Finance, which includes its suggestion that informed consent should be obtained from consumers prior to the sharing of data with third party providers[25].
4. Japan
  • The Financial Services Agency has previously proposed that financial institutions (including insurers), subject to customer consent (where necessary), may provide ‘customer information’ to third parties, ‘if it contributes to the advancement of the business of the financial institutions or the improvement of the convenience of its users’[26].
5. Malaysia
  • Pursuant to the Personal Data Protection Act 2010, the insurance and takaful industry in 2017 adopted the ‘Code of Practice on Personal Data Protection for the Insurance and Takaful Industry in Malaysia’ (“Code”)[27].
  • In relation to processing of customer-data by insurers, under the Code, the customers/ policyholders are entitled to[28]:
    • be informed by the insurer whether their personal data is being processed by or on behalf of the insurer.
    • correct their personal data if it is inaccurate, incomplete, misleading or not up to date.
    • withdraw their consent to the processing of personal data.
    • request the insurer to cease the processing of their personal data should the same cause or be likely to cause substantial damage to them or another, and the said damage/distress is unwarranted.
    • request that the insurer cease or not begin processing their personal data for direct marketing purposes.

The Way Forward – A Consent Based Regime

Though the position of the IRDAI with respect to policyholder data sharing is rigid, we have come across instances when the IRDAI has proposed a consent based regime vide the exposure draft on IRDAI (Protection of Policyholders’ Interest) Regulations, 2014 (“Draft PPI Regulations”). In terms of Paragraph 4(b)(ii) of Annexure IV of the Draft PPI Regulations, an insurance service provider must maintain the confidentiality of personal information relating to consumers and not disclose it to a third party except in a manner expressly permitted under the Draft PPI Regulations, which includes sharing of personal information after obtaining written informed consent of the consumer after giving the consumer an effective opportunity to refuse consent[29]. However, subsequently, the IRDAI notified the Policyholder Protection Regulations which, as discussed above, provides that insurers shall at all times maintain total confidentiality of policyholder information, unless it becomes necessary to disclose the information to statutory authorities due to operation of any law[30].

Based on the RBI’s position on banks (in relation to sharing their customers’ data) and global insurance data-sharing practices, in our view, the time is ripe to introduce a consent-based regime in the Indian insurance industry for sharing policyholder data. However, in introducing the necessary changes through a robust regulatory framework, the IRDAI will have its task cut out in striking a balance between promoting innovation in the Indian insurance industry through artificial intelligence, machine learning, and big data analytics on the one hand and ensuring that the needs as well as concerns of the policyholders are adequately addressed on the other.


[1] In 2015, the Government of India launched the Digital India initiative which is a flagship program with a vision to transform India into a digitally empowered society and knowledge economy.

[2] According to Mr. Ram Sewak Singh, chief executive of the National Health Authority of India, India has 1.18 billion mobile connections, 700 million internet users (with the highest data consumption which is about 12 GB per person a month), and 600 million smartphones, which are increasing 25 million per quarter. For a majority of the Indian population, the increase in affordability of mobile data and smartphones has facilitated digital connectivity. See: https://economictimes.indiatimes.com/news/india/indias-growing-data-usage-smartphone-adoption-to-boost-digital-india-initiatives-top-bureaucrat/articleshow/87275402.cms

[3] In addition to UPI and DigiLocker, the Indian government has launched other utility digital apps – UMang (for access to central and state government services), Aarogya Setu (Indian COVID-19 “contact tracing, syndromic mapping and self-assessment” digital service) and ePathshala (digital platform where students, teachers, and parents can access NCERT e-textbooks and other e-resources) etc.

[4] DigiLocker helps people to digitise and store digital copies of 560 documents including Aadhaar card, insurance policy, income certificate and driving licence. In terms of Rule 9A of the Information Technology (Preservation and Retention of Information by Intermediaries providing Digital Locker facilities) Rules, 2016, the issued documents in DigiLocker system are deemed to be at par with original physical documents.

[5] See: https://www.ibef.org/government-schemes/digital-india   

[6] See: https://inc42.com/buzz/meity-backed-digital-app-digilocker-hits-101-mn-users-mark/  

[7] The RBI on January 7, 2022, announced the constitution of a FinTech department with a view to promote innovation/ incubation, identify challenges and opportunities, provide framework for research and policy interventions, given wider implications for the financial sector/ markets, inter-regulatory and international coordination. For more on RBI’s move to constitute a FinTech department, see our blog analysing the implications and future of the industry.

[8] The Ecommerce Guidelines issued by the IRDAI regulate and govern the online insurance business, and marketing and solicitation of insurance business through online mode.  

[9] Web aggregators are insurance intermediaries who maintain a website for providing interface to the insurance prospects for price comparison and information of products of different insurers.

[10] See Paragraph II.2.6.1 on Page number 93 of the IRDAI Annual Report 2019-20.

[11] On April 12, 2021, the IRDAI notified the extension of the period of validity of the IRDAI (Regulatory Sandbox) Regulations, 2019 by 2 years (i.e., until July 25, 2023).

[12] The IRDAI Chairman, Mr. Debashish Panda, while addressing a press conference said the insurance sector was at an inflection point and IRDAI was ready to travel together with innovators and the insurtech ecosystem in the country. He was quoted saying “Using technology as extended arms to serve the needs of the low-income population, vulnerable sections, calamity-prone regions, MSMEs and millennials is the need of the hour”. See: IRDAI ready to embrace tech to take insurance services to hinterland: Panda – The Hindu

[13] The ‘India Insurtech Landscape and Trends’ included details about the India Insurance Agents Survey (as of April 20, 2020). The aforesaid survey has revealed that 67% of agents feel that customers’ willingness to use apps/ portal has increased post the COVID-19 outbreak. In addition, according to the report titled “Going digital: Insights to optimise consumer appetite for online insurance in India” published by SwissRe Institute, an earlier Swiss Re survey of Asian markets in May 2020 highlighted this sentiment, as two-thirds of respondents indicated concern about their health and well-being, and stated that their purchase patterns for insurance would shift to online modes.

[14] See our two-part blog titled ‘Data Protection in the Indian Insurance Sector – Regulatory Framework’ (Part I and Part II)

[15] See Part II of our blog titled ‘Data Protection in the Indian Insurance Sector – Regulatory Framework’

[16] Please note that while the insurers have ‘reserved’ the right to share information as per their respective privacy policies, we are unable to verify if these insurers have disclosed personal information of their customers to their affiliates and group companies in practice and if so, the arrangements pursuant to which customer data or information is being shared.

[17] See: The general restrictions on sharing of policyholder information highlighted in Part I of our blog.

[18] In terms of paragraph 56 of the Reserve Bank of India’s Master Direction – Know Your Customer (KYC) Direction, 2016, banks must maintain secrecy regarding the customer information which arises out of the contractual relationship between the banker and customer. The information collected from customers for the purpose of opening of account must be treated as confidential and details thereof must not be divulged for the purpose of cross selling, or for any other purpose without the express permission of the customer. However, such information may be disclosed inter alia where the disclosure is made with the express or implied consent of the customer. Further, in terms of paragraph 25 of the RBI Master Circular on Customer Service in Banks, 2015, banks are obligated to keep customer information confidential. However, the exceptions to the aforesaid rule applicable to the implied contract of confidentiality between the bank and the customer includes instances where the disclosure is made with the express or implied consent of the customer.

[19] CDR gives consumers greater access to and control over their data and will improve consumers’ ability to compare and switch between products and services. See more at: https://www.accc.gov.au/focus-areas/consumer-data-right-cdr-

[20] Insurtech Australia is a national, not-for-profit organisation representing 70 insurtechs and 28 corporate partners in Australia. For more on the proposal to roll out CDR to the insurance industry, please see: https://www.insurancebusinessmag.com/au/news/breaking-news/cdr-insurers-in-australia-set-for-an-industry-world-first-408610.aspx

[21] See: https://www.insurancenews.com.au/insurtech/insurtech-australia-backs-extension-of-cdr-to-insurance

[22] Supra note 21

[23] See: https://www.mas.gov.sg/development/fintech/sgfindex

[24] See: https://www.fsca.co.za/News%20Documents/FSCA%20Press%20Release%20-%20FSCA%20publishes%20its%20SA%20Research%20Insights%20and%20Consultation%20Paper%20on%20Open%20Finance%20-%2010%20December%202020.pdf

[25] See: https://www.lexology.com/library/detail.aspx?g=7b416ea1-15af-4df6-a6b3-844262e4b3a3

[26] See: https://chambers.com/content/item/3553

[27] The Code is a collective initiative of the Life Insurance Association of Malaysia, General Insurance Association of Malaysia and Malaysian Takaful Association.

[28] See Point 6 in FAQs about the Code of Practice on Personal Data Protection for the Insurance and Takaful Industry in Malaysia, available at: https://piam.org.my/wp-content/uploads/2021/06/FAQ.pdf

[29] Paragraph 4(c)(i) of Annexure IV of the Draft PPI Regulations

[30] Regulation 19(5) of the IRDAI (Protection of Policyholders’ Interest) Regulations, 2017