When you make a claim under an insurance policy, the insurer may request you to provide documents to help them assess the claim. The documents might contain information about your employees.
When can you provide this information to your insurer and when do you have to be cautious about disclosing information?
Privacy issues
Not all organisations need to comply with the Privacy Act 1988 (Cth) (Privacy Act), but generally, all organisations with an annual turnover in excess of $3 million must comply. There are also some organisations who must comply regardless of annual turnover (eg. health services). If you are unsure about whether the Privacy Act applies to your organisation, the Office of the Australian Information Commissioner provides a helpful guide here.
If the Privacy Act applies to your organisation, then you need to be careful about the information that you disclose – even if it is to your insurer.
What type of information must be kept private?
The Privacy Act protects “personal information”. This is any information or an opinion about an individual who is identifiable. It includes a person’s name, signature, address, telephone number, date of birth, medical information, bank account details, employment details and even commentary or an opinion about a person.
Personal information is therefore commonly found in the documents that insurers want to see when investigating claims. For example, it will be contained in witness statements, incident reports or payslips.
Consent
An organisation may disclose personal information where the individual has consented to the use or disclosure, or when the personal information is used or disclosed for the primary purpose if was collected.
For example, a worker who makes a workers compensation claim will usually sign a consent authority in their claim form which enables you to provide the insurer with the worker’s personal and health information to assist with management of the claim.
You might also consider including a consent authority in your standard incident report forms so that you automatically obtain consent to disclose the statement to your insurer if a claim is made.
Other exceptions
There are some other exceptions to the Privacy Act which mean that there are certain circumstances in which you can provide information to your insurer without needing to obtain consent first.
Employee records
Under this exemption, the organisation is permitted to disclose:
An example of this is providing employee records to your workers’ compensation insurer when that employee makes a claim.
Asserting or defending a legal claim
You are permitted to disclose personal information when it is reasonably necessary to assert your legal rights or to defend a claim.
This exception may not always apply prior to your insurer referring the claim to its lawyers, but if the information is released once a lawyer is involved, it is likely that disclosure of the information to the insurer and the lawyer is permitted under the Privacy Act.
You should be careful to make sure that you are providing information that is collected and held by the organisation seeking to assert a legal right or defend a legal claim. In large company groups it is easy to treat the information held by a subsidiary as information held by the group at large. That is not necessarily the case and you may breach the Privacy Act if one organisation provides personal information held by that organisation to another entity within the group to assist that entity with legal proceedings it is facing.
Compelled by law
You are also permitted to disclose that personal information if that disclosure is required or an authorised under an Australian law, or an order of an Australia court or tribunal. For example, if required by a subpoena, order to produce or because of disclosure obligations.
For more information, you may like to read our article here.
Practical tips
If your insurer has asked you to provide information that is likely to disclose personal or sensitive information, we recommend you:
If you are unsure about whether you are covered by the Privacy Act, or have a question about whether you can disclose any information that is covered by the Privacy Act, we recommend you reach out to our team to assist you in your enquiries.
By Tom Arndt, Solicitor and Ariel Bastian, Associate