Introduction

The insurance sector in India is projected to become the 6th largest insurance market by 2032, according to a report by Swiss Re. The primary driver behind such drastic growth is the advent of technological advancements in the insurance sector, popularly termed 'InsurTech'. Tech companies have leverage when it comes to artificial intelligence, data analysis and cloud computing, which helps them provide better facilities to their customers, for instance in risk assessment and claim management. However, "with great power there must also come great responsibility": InsurTech companies gather substantial personal data in order to offer these services. Life insurance or health insurance, for instance, often requires sensitive information such as health conditions and lifestyle habits, leading to the accumulation of vast amounts of sensitive personal data.

This accumulation makes the insurance industry susceptible to cyber-attacks and data breaches. For instance, Medibank, an Australian health insurance company, experienced a massive data breach that compromised the credentials of approximately 9.7 million policyholders, which were subsequently sold on the dark web. Similarly, India Railway Catering Tourism Corporation suspended the services of Bajaj Allianz General Insurance and Liberty General Insurance on its online platform after vulnerabilities were identified on their respective websites, posing risks to travellers' personal data.

These instances urge regulatory bodies to take significant steps for the protection of personal and sensitive data. The recently enacted Digital Personal Data Protection Act, 2023 ("DPDP Act") protects the personal data of a data principal from any type of exploitation.

This blog discusses the legal compliance obligations of insurance companies with respect to the protection of policyholders' personal and sensitive data. It further delves into the impact of the present DPDP Act on insurance companies. The author also presents her views on the issue with reference to other jurisdictions.

Current Data Protection Framework in Insurance Sector

The Insurance Regulatory and Development Authority of India ("IRDAI") is responsible for the protection of policyholders and consumers in the insurance sector. IRDAI has established a regulatory framework for the protection of policyholders' data, in addition to the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

The regulatory framework developed by IRDAI to protect consumers' data and information includes:

  1. Regulation 19(5) of the IRDAI (Protection of Policyholders' Interests) Regulations, 2017 makes it obligatory for insurers to maintain total confidentiality of policyholder information unless disclosure is necessary by operation of any law. This ensures the right to privacy of policyholders, which is a fundamental right under Article 21 of the Constitution as per the K.S. Puttaswamy case.
  2. Regulation 3(9) of the IRDAI (Maintenance of Insurance Records) Regulations, 2015, which deals with data localisation. The provision mandates the storage of data in centres located and maintained in India. This data includes information related to policies taken by the policyholder, claim records, etc.
  3. Regulation 12 of the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017 deals with third-party data sharing/privacy intelligence. Insurers are required to protect policyholders' interests and mitigate the risks involved in outsourcing to third parties.
  4. Regulation 35(c) of the IRDAI (Health Insurance) Regulations, 2016, which binds Third Party Administrators (companies registered with the authority and engaged by the insurer to provide health services as enumerated under the IRDAI (Third Party Administrators - Health Services) Regulations, 2016) and network providers (hospitals) in all data-related matters. These TPAs are a type of intermediary and are prohibited from sharing data and personal information about consumers.

These regulations apply to all insurers, insurance intermediaries and policyholders. The major issue with these regulations is that they do not provide a uniform framework for all insurers and intermediaries, which is necessary today because of the advent of technological advancements. The introduction of the DPDP Act marks a forward-thinking initiative to safeguard consumer rights within an increasingly data-centric environment. However, its enforcement is anticipated to introduce compliance-related hurdles for insurers and intermediaries, who will fall under the definition of data fiduciary. To address the challenges stemming from the DPDP Act, IRDAI has convened a specialised task force to assess its impact on the insurance sector.

DPDP Act and insurance regulatory framework

With the introduction of the DPDP Act, the government has taken a positive step toward protecting digital and offline personal data. The law brings into existence a new regulator, the Data Protection Board of India ('DPBI'), for grievance redressal. The insurance industry generally collects a bulk of personal data necessary for underwriting purposes. The underwriting procedure is necessary for tasks such as setting premiums, identifying potential policy fraud and developing targeted marketing strategies.

The first issue that the insurance industry may face relates to consent management. Section 6 of the DPDP Act provides that the consent given by the data principal shall be 'unambiguous, clear, free, specific and unconditional'. This consent shall pertain to a specific purpose and be limited to the minimum data essential for that purpose. However, a pertinent question arises in health insurance: when an individual's data, including medical history, is collected for analysis, the limitation clearly applies to the raw data provided by the customer, but its application to processed information or derived insights is unclear. Additionally, when an insurance policy requires the data of a child, the question arises whether the insurer also needs to acquire the consent of the child's lawful guardian, as per Section 9 of the DPDP Act.

Furthermore, the effect of the DPDP Act on long-standing policies that have been routinely renewed is also not clear. For the protection of healthcare data, reference can be drawn from the Health Insurance Portability and Accountability Act of the USA, which places rules on how health-related data can be 'collected, stored and processed' in the USA. Its primary objective is to prevent any fraud and abuse of personal healthcare data. Similarly, the Gramm-Leach-Bliley Act ensures the protection of customers' sensitive financial data.

Additionally, the Act potentially impacts the insurance sector, especially insurance intermediaries such as brokers. These intermediaries are involved in transmitting, acquiring, possessing and processing customers' data, raising the primary data protection issue of third-party transparency. The DPDP Act defines 'data fiduciary' under Section 2(i) as "any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data". This definition implies that the insurer would be considered the data fiduciary, who, along with the insurance intermediaries, would be responsible for the personal data of customers. Recently, IRDAI also decided to introduce Managing General Agents (MGA) in the insurance sector, who, unlike other brokers, are vested with underwriting authority from a specific insurer. The DPDP Act raises the question of how IRDAI will divide compliance responsibility among these entities. Non-regulation of such intermediaries may lead to major data breaches in the insurance sector.

Another issue is that, unlike the GDPR, the DPDP Act does not distinguish between personal data and sensitive personal data. Despite the presence of the SPDI Rules, 2011 to safeguard sensitive data, the lack of uniformity and poor enforcement might create confusion in the insurance sector. These ambiguities allow for varied interpretations, which may not be the optimal approach to dealing with insurance-related data. Further, Section 10 of the DPDP Act deals with the obligations of a 'Significant Data Fiduciary'. The question arises whether insurance companies fall under this category.

The threat of data breaches would loom large if the insurance sector does not adopt new technological advancements. The personal and sensitive data received from customers has to be encrypted and secured to protect against any data breach or data theft. IRDAI issued the Information and Cyber Security Guidelines, 2023 to ensure a minimum information security framework for insurance intermediaries. This includes having a uniform framework for data, cloud, mobile and cyber security and conducting independent assurance audits. Section 8 of the DPDP Act outlines the general obligations of a data fiduciary. Sub-section 5 of Section 8 specifies the data fiduciary's responsibility to protect personal data, whether processing is undertaken by it or on its behalf by a data processor, so as to prevent any personal data breach. This defines the liability of an insurer for any data collected and processed by the intermediaries.

The way ahead

It would be interesting to see how IRDAI will handle such pressing issues with respect to the DPDP Act. The underlying objectives of all the aforementioned regulations and the DPDP Act centre on fostering good data protocols and upholding customers' confidence in the insurance sector. Although insurers would be affected by the introduction of the DPDP Act, it can be seen from the above discussion that the current data protection regime in the insurance sector is on similar lines to the DPDP Act. IRDAI's newly constituted task force needs to come up with plausible solutions to prevent any regulatory overlap and to incorporate mechanisms that fill any compliance loopholes. Customers should be given the right to consent to the processing of their data. Further, they should have the right to access their information as well as insights into the entities that are accessing their data. IRDAI is urged to implement regulatory measures for overseeing data portability. Concurrently, in accordance with the provisions of the DPDP Act that empower a data principal to withdraw consent, customers in the insurance sector should similarly be given the choice to either delete their data or reduce the amount of data being shared and processed. The regulator further needs to acknowledge the advent of InsurTech companies and afford them room for inventive strides while upholding the requisites of data protection.
