Insurers and Privacy Act requests
Insurers have experienced a recent surge in Privacy Act requests from homeowners with unresolved claims arising from the Canterbury earthquakes. Some requests coincided with the impending expiry of the time limitation extension to 4 September 2017 agreed by the insurers who are members of ICNZ. Others appear to be an inexpensive means to gather evidence for proceedings or complaints.
In this article, we consider some issues that commonly arise in Privacy Act complaints against insurers.
What may insureds ask for?
Insureds who are natural persons (companies have no such rights) are entitled to access their “personal information” held by insurers on request, without giving a reason. There is no particular form for a request and it does not have to be in writing or mention the Privacy Act to be effective.
Insurers must provide a decision on whether to grant the request within 20 working days and must then process the request without undue delay.
What information must be provided?
Personal information is information “about an identifiable individual”. This is interpreted broadly.
In Case Note 228045  NZ PrivCmr 8 the Privacy Commissioner ordered an insurer to disclose an engineering report about an insured person’s house. The report did not name the insured, but that person could be identified because the report referred to the “property owner”, contained the property address and described the damage it had sustained. The report was “about” the insured because it related to the insured’s house.
When considering what documents to provide in response to a request, insurers should consider whether they contain information that could identify the insured and whether they relate to the insured person or his or her property.
Insurers should also check their privacy policies to ensure they are not acting inconsistently with them.
Do insurers have to provide all the documents in their file?
Insureds will often request a copy of the insurer’s “file”. This can exceed the insured’s entitlement under the Act, as most insurers hold personal information and non-personal information in a range of formats and locations associated with an insured or a claim.
If an insured requests the “file”, insurers are entitled to review the file and provide only those documents that contain personal information about the insured.
What about emails, phone call logs and recordings and other records not in a “file”?
This depends upon the request. If an insured requests a “file” for a particular claim and the insurer has a system that manages and stores its records for that claim, such as a hard copy file or a computer based file, the insurer may take the view that the request relates only to that “file”.
However, if the request appears to encompass all documents relating to a claim, the insurer is obliged to provide access to all documents that it holds that contain personal information about that insured, whichever form they are in.
An insurer’s documents may not extend to documents held by its employees in their personal capacity, such as text messages on personal telephones and diaries that are their personal property.
What information can be refused?
Insurers may refuse to disclose, or may redact, information that is protected by legal professional privilege. This generally falls into two main categories:
- Solicitor-client privilege, which in summary protects documents sent or received by lawyers for the purposes of obtaining legal services or advice;
- Litigation privilege, which in summary protects documents prepared for the purposes of a proceeding (not just documents sent or received by lawyers) that is reasonably apprehended. Normally this requires the claim having been declined – claims which involve a difficult relationship between the insured and the insurer do not necessarily meet the “reasonably appended” In February 2015, the Privacy Commissioner decided that an insurance company could not rely on litigation privilege to withhold an investigation report, as the dominant purpose of the report was to set out the details of the incident that gave rise to the claim and advise the insurance company whether to accept it (Case Note 248835  NZ PrivCmr 5). A proceeding was not reasonably apprehended until the insurer had made its decision based on the report.
Another ground to withhold a document is that it contains information that would disclose a trade secret or be likely unreasonably to prejudice the commercial position of an insurer. In the insurance context, this may include information about claim reserves, the method by which an insurer calculates the level of reserves to pay out on a claim, and estimates of costs. EQC will generally release cost estimates, although there are circumstances in which it will not, primarily where commercial negotiations for repairs are occurring.
Insurers can refuse to provide evaluative material if that would breach an express or implied promise to keep the material confidential. The Privacy Act recognises that evaluative or opinion material used for the purpose of deciding whether to insure or renew insurance for an individual or property qualifies as “evaluative material”.
An insurer’s documents may not extend to those held by its employees in their personal capacity, such as text messages on personal telephones and diaries.
What about draft documents?
Draft documents may expose information that an insurer decided not to pass to an insured or may otherwise reveal a weakness in its position. There is no special protection for draft documents and they must be reviewed on their own merits and disclosed if they contain personal information that cannot be withheld for a recognised reason, such as solicitor-client privilege.
What about consultants’ documents held on their files?
Insurers may instruct loss adjustors and other consultants who will have additional documents on their files that contain personal information.
The Privacy Act applies only to documents that an insurer “holds”, but this is interpreted widely. The Human Rights Review Tribunal has decided that an agency holds information
that it controls, whether or not that information is in its physical possession.
Insurers are therefore obliged to provide personal information held by a consultant where the insurer is entitled to that information. In most instances, however, the consultant will have provided the insurer with all the information to which it is entitled, such as a final report. A consultant is not normally obliged to provide an insurer with other information. In the context of professionals such as accountants and lawyers, the usual test is whether the document was intended to become the property of the client and does not extend to internal records, notes and draft documents.
May an insurer charge a fee for providing a file?
Act request, which may reflect the urgency requested by the insured.
An insurer may charge for the costs of material and labour for time spent locating the relevant material, collating, transcribing and copying it. However, an insurer may not charge for the time spent deciding whether to disclose particular information, such as a legal review.
The Privacy Commissioner1 and Human Rights Review Tribunal2 have endorsed the Ministry of Justice’s Charging Guidelines for Official Information Act 1982 Requests dated 18 March 2002 as a useful starting point. The guidelines provide that the first hour of staff time and 20 pages of photocopying should normally be free and then charges of $38 per half hour and 20 cents per page (GST inclusive) apply.
What about EQC?
Insureds may make Privacy Act requests to EQC. They may also make requests for information from EQC under the Official Information Act 1982, which does not apply to private insurers.
Who enforces the Privacy Act?
Persons who wish to complain that an insurer has failed to provide information that it is obliged to provide
Privacy Commissioner has limited powers and normally seeks to resolve complaints by agreement.
In serious cases, the Privacy Commissioner or the insured person may refer a complaint to the Human Rights Review Tribunal, which may make orders and award damages for breaches of the Privacy Act. Such cases normally involve circumstances in which sensitive personal information such as medical information has been disclosed in a way that has harmed an individual.
How should insurers prepare for Privacy Act claims?
Insurers may prepare to respond to Privacy Act claims by:
- ensuring that their staff do not record statements or information that would be harmful or embarrassing if provided to an insured
- keeping commercially confidential information in a separate location or file
- having an efficient system for managing client files which includes relevant emails, contact notes and records of telephone calls
- deleting any unnecessary files and records