By Alec Christie, Partner, and James Wong, Associate
Without proper governance digital technology can be a stumbling block, contributing to compliance failures in Insurance. Those who embed compliance (and ethics) into their digital strategy can build significant trust in their brand.
1: Is privacy compliance built into our tracking, telematics and risk modelling?
Data is crucial to your ability to accurately assess and measure risk. As the insurance sector becomes increasingly reliant on big data, insurers become increasingly exposed to relevant surveillance and privacy laws. In particular, you need to periodically re-assess how you use external data sources to infer risk profiles as part of your modelling. This relates to both:
- data you collect yourself (e.g. from wearables/fitness tracking, GPS tracking and telematics devices); and
- external data feeds integrated into your core insurance platform (e.g. market data, external feeds from web scraping).
While tracking (of all sorts) can be done in a privacy-compliant way, we have rarely seen such done well in practice without assistance. We recommend undertaking a privacy review (starting with data flow mapping) of all your tracking, surveillance and data collection activities.
2: How do we respond to Assistance & Access requests?
A ‘designated communication provider’ (broadly defined such that financial services providers can be covered) may be required (or your vendors could be forced to provide), on request, to provide assistance to law enforcement and intelligence agencies without the need for a warrant. This assistance could take the form of removing electronic protections over communications (e.g. encryption), providing technical information about the technology you use and/or installing technology on behalf of the enforcement/intelligence agency. In the unlikely event that you receive such a request, you don’t want to find yourself flustered as to how you respond. Ensure you have processes in place to assess, respond to and action a request – and do so secretly (or you could face imprisonment).
3: Is our automated decision-making compliant-by-design?
With significant advancements in machine learning, automated decision-making is moving well beyond simple automation. This often leads to situations where humans are no longer able to explain decision-making performed by machines (black box AI). It’s important that you maintain in-house technical expertise on any AI-driven technologies that you choose to implement and are always in a position to explain the logic behind automated decision-making (explainable AI). This is important from an ethics and responsibility perspective – you need to answer for the decisions that are made on behalf of your organisation – but it is more likely than not that this issue will become one of compliance too.
While Australia does not yet have overarching legislation on automated decision-making, we can expect GDPR-style regulation soon. Under the GPDR (which has extra-territorial reach and applies to many Australian businesses) data controllers must: (i) generally build in meaningful human review of automated decisions; (ii) be able to explain the logic behind a decision-making process; and (iii) take steps to eliminate errors, bias and discrimination. This is best achieved with an AI governance framework.
4: Are we really on top of CPS 234?
APRA Prudential Standard CPS 234, which came into effect on 1 July 2019, sets out mandated cybersecurity and information security requirements for APRA-regulated entities. Your organisation should have implemented a CPS 234 compliance program in early 2019. However, you need to periodically re-assess compliance as your governance, systems and data and threat landscapes change over time.
Internally your systems and processes must: (i) classify and monitor your information assets; (ii) be ready to respond to incidents, including making notifications to APRA where required; and (iii) feature appropriate infosec controls that respond to each information asset’s risk profile.
Externally check that your procurement function’s infosec checklist is in good shape and that all current agreements with third parties have infosec obligations embedded.
Don’t underestimate the importance of your people to your security strategy – regular awareness and training programs are essential.
5: Should we consider ISO 27701?
Your systems interface with those of providers, customers and partners. Just as you should be satisfied of external parties’ information management arrangements, these stakeholders will take a strong interest in yours.
The emerging industry standard for privacy management, finalised 6 August 2019, is ISO 27701, the latest addition to the ISO 27000 family of standards on information security. It provides standards as well as important guidance for establishing, implementing, maintaining and enhancing a sound privacy information management system (PIMS). This is particularly useful where you are already ISO 27001-certified and operate across multiple jurisdictions – ISO 27701 provides a structure for cross-jurisdictional data governance, including for the EU and GDPR.
6: When did we last test our organisational data breach response?
You could be hit by a data breach at any moment. It could be something as simple as an email with the wrong attachment, a box of documents left by a courier outside reception or a phone slipping out of someone’s bag on the bus. When it hits, you want to know that your organisation is able to respond like clockwork using muscle memory from drills.
It is an expectation of the Privacy Commissioner (and APRA under CPS 234) that all entities have a data breach response plan to meet their obligations to notify all ‘eligible data breaches’. Putting the $2.1m penalties (soon to be the greater of $10m and 4% of your domestic revenue) aside, effective data breach response is about protecting your customers and your reputation. There are prescribed elements that every data breach response plan should feature but, importantly, it must be tailored to your organisation.
You likely prepared a data breach response plan in the lead-up to 22 February 2018. The plan must be regularly tested and revised to keep it current. To test your plan, we recommend conducting a facilitated ‘cyber drill’ exercise at least every 12 months.
7: Are we water-tight on GDPR compliance?
The EU General Data Protection Regulation (GDPR) introduced major new privacy, security and marketing obligations and rights from 25 May 2018. It also has a much wider application outside of the EU and to non-EU companies than the previous EU privacy laws. Generally, the GDPR applies:
- where you have an ‘establishment’ (whether physically or online) in the EU;
- where you offer goods or services in the EU; and/or
- where you monitor/track individuals in the EU.
In practice, this means that if you (as an Australian company) have a branch/sales office in the EU or target potential investors/buyers/tenants in the EU and collect information about individuals located in the EU (e.g. for these purposes or for enhancing your digital marketing strategy) the GDPR will likely apply to you.
Failure to comply with the provisions of the GDPR, where applicable, may result in fines of up to the greater of €20m or 4% of annual global turnover. If you’re unsure, the first step is to obtain advice as to whether GDPR applies to your organisation (before embarking on an expensive GDPR compliance program).
8: When was our last privacy audit/review?
A privacy audit (where performed as part of your organisation’s internal audit program) or review (where performed outside of your internal audit program) is an incredibly powerful tool to determine your organisation’s current privacy and information security compliance. This details where your organisation is, not where you think you are or where management hopes you are. It delivers independent assurance as to where your organisation truly is at when it comes to privacy and information security compliance.
A privacy audit/review can be comprehensive (covering your entire organisation and all privacy obligations) or targeted (covering specific business units and/or high-risk areas of compliance). When determining the scope of your next privacy audit/review, also consider including a review of contractual arrangements with third parties – this is a risk area often overlooked.
9: Are PIAs built into our project lifecycle?
The Australian Privacy Principles (APPs) encourage privacy-by-design. Whenever you initiate a new project involving personal information (including a technology implementation), you need to be planning it with privacy compliance in mind from day one, not as a bolt-on at the end. This means that every time your strategy or technology teams start ideating, the privacy officer must be at the whiteboard too.
We recommend formalising this by integrating your privacy impact assessment (PIA) process into your project methodology. A PIA provides a systematic approach to assessing any changes to data flows, understanding the impact on privacy and identifying options for mitigating any negative impacts. Dealing with these issues upfront almost always saves significant expenditure later – and minimises the risk of overruns and delays.
10: Have we developed and implemented our whistleblower policy ready for 1 January 2020?
2019 saw the introduction of a significantly expanded whistleblower protection regime covering the majority of financial services businesses.
Staff who report a broad range of conduct (including ‘misconduct’ and an ‘improper state of affairs’, whether or not the whistleblower reveals their identity and whether or not they act in ‘good faith’) must now be protected in specified ways.
A compliant whistleblowing policy must be implemented by 1 January 2020. This policy must include certain mandatory content. Failure to do so by 1 January 2020 is a criminal offence.
You must also be prepared to respond to ‘emergency disclosures’ and ‘public interest disclosures’ (disclosures which can be forwarded to the media in certain circumstances) and ensure your processes are robust enough to comply with this significantly expanded regime.
As time is running out to prepare and implement your whistleblowing policy, we are happy to discuss this with you before Christmas.
Get the latest news insights and articles straight to your inbox, simply enter your details.