National Privacy Commission
FREQUENTLY ASKED QUESTIONS
FOR LIFE INSURANCE
The Insurance Code provides for a 2-year incontestability period for insurance policies. Naturally, if the risk insured against occurs within those 2 years, the insurer will investigate the claim for any concealment. Such an investigation usually requires the services of independent investigators. Can sharing in this case be done without the consent of the data subject, on the ground that it is allowed under applicable laws and regulations?
Section 13 of the Data Privacy Act of 2012 provides that processing of sensitive personal information is prohibited except in any of the enumerated cases.
The case illustrated may fall under the second and/or the sixth criterion, where the processing of sensitive personal information is provided for by existing laws and regulations and/or where the processing is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or for the establishment, exercise, or defense of legal claims.
Hence, processing for the investigation of insurance claims does not need the consent of the data subject. However, the company must ensure that personal data is secured and protected when shared for investigation purposes. The fact that the company may obtain the services of independent investigators should also be included in the contract with the customer and in its privacy notice.
Yes, both manual and electronic or automated processing must be registered with the NPC. Processing is described in the IRR as an operation or set of operations which may be performed through automated means or manual processing, if personal data are contained or intended to be contained in a filing system.
Section 3(f) of NPC Circular No. 17-01 defines a processing system as a structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing.
Section 8 of NPC Circular No. 16-01 provides that all personal data that are digitally processed must be encrypted, whether at rest or in transit. For this purpose, the NPC recommends Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate encryption standard.
Although NPC Circular 16-01 is addressed to all government branches, agencies, bureaus, offices, LGUs, GOCCs and state colleges and universities, it may be used by the private sector as reference.
For security measures, the NPC will also look at industry standards, provided that this standard is not below the level of security provided in the Data Privacy Act and related issuance of the Commission.
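The following is an added illustration of what the AES-256 recommendation in NPC Circular 16-01 looks like when applied to personal data at rest; it is not code from the NPC or from any Circular. It uses only the Go standard library, encrypts a constructed sample policyholder record with a 256-bit key in GCM mode (so tampering is detected, not just confidentiality provided), and refuses shorter AES-128 or AES-192 keys so the 256-bit requirement cannot be quietly weakened. The key is drawn from the OS random generator here only to keep the example self-contained; in a deployment it would be held in a key-management system, separate from the stored ciphertext. Data in transit is normally covered by TLS rather than by application-level encryption like this.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes (256 bits): the AES-256 key length recommended by NPC Circular 16-01.
const KeySize = 32

// NewKey generates a random 256-bit key from the OS CSPRNG. This stands in for a
// key-management system; the key must never be stored beside the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-GCM instance and enforces the 256-bit key size, so a
// 16- or 24-byte key (AES-128/192) is rejected instead of silently accepted.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key is %d bytes; AES-256 requires %d", len(key), KeySize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one personal-data record with AES-256-GCM. The output is
// nonce || ciphertext || tag, so a single blob can be stored at rest. The
// associated data (for example the record identifier) is authenticated but not
// encrypted, which stops a ciphertext from being moved to a different record.
func EncryptRecord(key, plaintext, associated []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, associated), nil
}

// DecryptRecord reverses EncryptRecord and fails if the blob was altered or the
// associated data does not match what was used at encryption time.
func DecryptRecord(key, sealed, associated []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], associated)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real customer data.
	record := []byte(`{"policy":"PL-000000","name":"Juan Dela Cruz","diagnosis":"hypertension"}`)
	aad := []byte("policy:PL-000000")

	blob, err := EncryptRecord(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored at rest:", hex.EncodeToString(blob))

	plain, err := DecryptRecord(key, blob, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(plain))

	// Flip one ciphertext bit: GCM's tag check must reject the blob.
	blob[len(blob)-1] ^= 0x01
	if _, err := DecryptRecord(key, blob, aad); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

GCM was chosen over plain CBC because an encryption control that does not also detect modification leaves a stored record open to undetected alteration; the associated-data parameter is what binds each ciphertext to the record it belongs to.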
We must distinguish between the processing of personal data based on existing contracts of insurance and processing for a secondary purpose, such as the sharing of personal data for marketing purposes.
It is evident that insurance companies must continue processing the data of their clients if there is an existing contractual obligation to provide insurance. However, processing for a purpose other than the provision of insurance services is another matter. This is where the consent requirement is necessary. Where no sensitive personal information is used, consent may not be required if the company can demonstrate that the processing is necessary for the purposes of its legitimate interests, except where such interests are overridden by the fundamental rights and freedoms of the client.
The DPA clearly defines consent as a freely given, specific and informed indication of will, evidenced by written, electronic or recorded means. A positive act is required from the data subject; implied or assumed consent will not suffice. Thus, a failure to respond does not constitute consent to processing for other, secondary purposes.
To clarify, privacy policies, statements and notices are ways of showing adherence to the principle of transparency. These documents are not equivalent to a consent form.
The processing of personal data pursuant to an existing contract of insurance is not dependent on whether or not a client/data subject accepts the revised privacy provisions. Where there is an existing valid contract for insurance, the same must be honored.
In the event that the revised privacy policies would affect the very terms and conditions of the insurance contract itself in a way that novates the contract, the client’s refusal to accept may result in the termination of the contract. Otherwise, the contract should remain valid.
Section 16(e) of the Data Privacy Act of 2012 and Section 34 of its Implementing Rules and Regulations (IRR) provide for the right of the data subject to suspend, withdraw, or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system upon discovery and substantial proof of any of the following:
The personal data concerns private information that is prejudicial to the data subject, unless justified by freedom of speech, of expression, or of the press, or otherwise authorized;
rights of the data subject.
If the justification of the data subject is among those enumerated above, it is incumbent upon the company to comply with the request for deletion.
for the processing of beneficiary’s personal information?
There is a need to clarify what processing is to be done with respect to the beneficiary’s personal information. If the processing is limited to the fulfillment of the insurance contract, the contract terms and conditions would be controlling. Consent may be required if the processing is for some other purpose unrelated to the insurance policy.
Consent is just one of the criteria for lawful processing of personal or sensitive personal information.
If there is an existing contract or some other legal obligation, the same is controlling as to how personal data is processed.
Changes in the process or business improvements which would not change the purpose of processing would not necessarily require the consent of the data subject.
It is advisable that the company notify the data subjects of the changes made and provide them a platform where they may ask for additional information. The client should be provided information when the changes involve any of the following:
A data sharing agreement is executed between/among personal information controllers (PICs), while an outsourcing contract is between a PIC and a personal information processor (PIP).
In a service provider transaction, we understand this to be between a PIC and a PIP.
The contract is an outsourcing contract and not a data sharing agreement.
A non-disclosure agreement may be made part of the outsourcing agreement. The PIC should likewise use contractual and other reasonable means to ensure that proper safeguards are in place, that the confidentiality, integrity and availability of personal data are ensured, that use for unauthorized purposes is prevented, and that the requirements of the law are complied with.
For the invocation of rights of the deceased, the provisions under the Civil Code (Succession) shall govern.
Yes, the heirs may lawfully object to the sharing of medical information pursuant to Section 35 of the IRR on the transmissibility of the rights of the data subject. The right to object, when exercised by a lawful heir, extends only as far as it would have been allowed to the insured if he or she were alive.
Section 30 of NPC Circular 16-04 states that the decision of the NPC shall become final and executory fifteen (15) days after the receipt of a copy by the party adversely affected. One motion for reconsideration may be filed, which shall suspend the running of the said period. Any appeal from the Decision shall be to the proper courts, in accordance with law and rules.
Information necessary for AMLA reporting is outside of the scope of the Data Privacy Act of 2012, to the minimum extent necessary to comply with such law.
This is interpreted to mean that companies covered by the AMLA need not obtain consent if they need to report covered or suspicious transactions.
sensitive personal information or any other information that may be used to enable
identity fraud.” Does the underlined phrase apply to both sensitive personal information and any other information? To illustrate, will the combination of the name and marital status of a client be sufficient to meet this element?
This should be read as:
The personal data involves:
Sensitive personal information; or
Any other information that may be used to enable identity fraud.
The element is flexible enough to let the company determine whether the personal data involved in the breach can be used to enable identity fraud.
In your example, the name and marital status may indeed be used to enable identity fraud.
The PIC may decide on its own. This third element should be liberally interpreted in a manner mindful of the rights and interests of the data subjects. The PIC assumes the risk when its assessment differs from the NPC’s. When in doubt, the PIC should notify.
Where the acquisition may lead to physical, material or non-material damage, in particular, where the acquisition may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymization, or any other significant economic or social disadvantage.
Consider also Section 13 of NPC Circular 16-03: SECTION 13. Determination of the Need to Notify. Where there is uncertainty as to the need for notification, the personal information controller shall take into account, as a primary consideration, the likelihood of harm or negative consequences on the affected data subjects, and how notification, particularly of the data subjects, could reduce the risks arising from the personal data breach reasonably believed to have occurred.
The personal information controller shall also consider if the personal data reasonably believed to have been compromised involves: