Insurer Warned Over Medical Consent Breach


The LCCC has sanctioned an insurer for collecting customers’ medical information without first obtaining valid consent.

The breach relates to failures between March 2020 and March 2024, during which the unnamed insurer gathered medical information in the underwriting process without using the prescribed authority wording required under clause 4.10 of the Life Insurance Code of Practice.

Under the Code, valid consent must be obtained using wording agreed by the Council of Australian Life Insurers and the Royal Australian College of General Practitioners.

The authority is designed to ensure customers clearly understand what medical information will be collected, how it will be used and shared, and what privacy safeguards apply.

The LCCC said the issue arose after staff were temporarily redeployed from a business unit where consent was automatically captured as part of the application process to another area where this safeguard was not in place. As a result, when those staff requested medical reports, they were unaware that valid consent had not been obtained.

The problem came to light only after a customer complaint in early 2024, having gone undetected by the insurer’s quality assurance and monitoring frameworks. More than 2,000 customers were affected across 2,171 applications.

In response, the insurer apologised to impacted customers and introduced remediation measures, including additional staff training, system changes to automate consent procedures, and strengthened monitoring controls.

The LCCC determined a formal warning was proportionate, citing the extended duration of the breach, the number of customers affected, and the fact the issue was identified externally. It said the case underscores the need for robust oversight, particularly where manual processes are introduced, and signalled that further non-compliance could attract stronger enforcement action.
