PRIVACY POLICY AND PROCEDURES
CEMAC Pty Ltd
1. Objective
The objective of these policies and procedures is to ensure that in our dealings with clients and other people, we comply with the Privacy Act 1988 (Cth). The Act seeks to protect individuals’ personal information. It does this by limiting the ways in which personal information may be collected and used.
Complying with the Privacy Act helps us to enhance our client service.
What is personal information? – Personal information is information or opinion about an individual whose identity is apparent or can easily be ascertained from the information or opinion, for example name, address, age etc.
Sensitive personal information – Sensitive information is information or opinion about a person’s racial or ethnic origin, political opinions, membership of a political, trade or professional association or a trade union, religious or philosophical beliefs or affiliations, sexual preferences, criminal record or health information.
Our Privacy Officer, William Legge, is responsible for all matters to do with privacy.
2. Our Privacy Policy
This Policy applies to all the personal information we collect, whether from insured parties (and their contractors and employees), brokers, their employees or others.
We only collect personal information that we need and we only use the information that we collect for the primary purpose(s) for which we collect it. These are:
a) Providing quotes for insurance cover (including obtaining underwriter confirmation where necessary);
b) Issuing insurance policies;
c) Handling claims under insurance policies;
d) Providing information about insurance matters;
e) Dealing with brokers, underwriters and reinsurers; and
f) Operating our business.
a) Trade, rent or sell personal information; or
b) Provide personal information to anyone without consent – other than brokers, underwriters, reinsurers and their appointed representatives and those we appoint to investigate and manage claims on our behalf.
Stricter requirements apply to sensitive personal information. We do not collect or disclose sensitive information without consent unless:
a) The collection is required by law; or
b) It is necessary for the establishment, exercise or defence of a claim.
In most cases we obtain consent in the usual course of dealings, eg. Our Administration Agreement, Proposal etc incorporate such consent.
The Privacy Act does allow us to use or disclose information in some other unusual circumstances. If you want to use or disclose personal information for any reason other than those described above, check with the Privacy Officer before doing so. (Note for Privacy Officer – NPP 2.1 sets out the other circumstances in which information may be used or disclosed for a secondary purpose).
3. Openness
Provide a copy of the Long Form Privacy Policy Statement to anyone who asks for information about our Privacy Policy. It can be provided as a protected word document, printed on letterhead or a .pdf (eg. In Adobe Acrobat or Jaws) document emailed on request.
4. Issuing Policies
Quotations – The first time you collect any personal information, tell the person from whom you are collecting it the following things:
a) Who we are and how to contact us – if the person has called us, there is no need to say anything;
b) The purpose for which we are collecting the information, eg to enable us to quote on the risk, issue the policy, etc;
c) To whom we usually provide that information, eg our underwriters and reinsurers;
d) Any law that requires the information to be collected – eg the duty of disclosure;
e) The consequences if the information is not provided – eg that we will not be able to quote or insure and the insured may breach their duty of disclosure;
f) The fact that the person can gain access to the information.
As all of our business is written through brokers or other licensed intermediaries (hereinafter referred to as “brokers”), you will most frequently collect personal information about the insured and others from brokers. You need to take reasonable steps to ensure that the person(s) about whom the information is being collected is aware of these things. The broker should have attended to this already.
See the Telephone Scripts for examples of how to deal with this when you speak to a broker or, on rare occasions, to a client.
Issuing contracts of insurance – The same requirements apply to any further personal information you collect before you issue the contract of insurance. However as the Short Form Privacy Statements (and Consents) in the Proposals set out all the things that the broker/client need to be told, there is no need to do anything further if a Proposal has been completed.
Renewals – The same requirements apply to any further personal information you collect when you renew a contract of insurance.
When sending the endorsement or renewal notice ensure the Short Form Privacy Policy Statement – Renewals is incorporated in the covering letter or accompanying invoice.
5. Claims – Although we do not have claims settling authority we may, on occasions, be required to collect personal information on behalf of our Insurers. The same requirements apply to any further personal information you collect under these circumstances when a client makes a claim under a policy.
Where a Claim form is sent to the client or broker
If you deal with the client or broker directly on the claim, send a Claim Form for completion as soon as the claim is notified. The Short Form Privacy Statement in the Claim Form is sufficient to fulfil our obligations at this point.
Where an Adjuster or Investigator is appointed to manage or investigate the claim.
These are appointed by our Insurers hence compliance in this area rests with both of those parties. .As Loss Adjusters and Investigators frequently need to collect personal information about the insured and others, it is particularly important that they comply with the requirements of the Privacy Act.
Where a professional or other expert is appointed to advise in connection with a claim
These are also appointed by our Insurers so the same applies as per Adjusters.
6. Data Quality
Use every opportunity you can when dealing with clients and other persons to check the personal information that we hold is accurate and up to date. Correct any personal information which is incomplete, incorrect or out of date.
7. Marketing Communications
We market to our brokers by sending them information about insurance matters from time to time. Each such publication must have prominently displayed, words to the effect: “CEMAC Pty Ltd is delighted to provide this newsletter as a service to you. Please let us know if you would rather not receive it and we will remove your name from our distribution list”.
Refer any request to be removed from the list to our marketing department.
We do not charge for removing people from our list.
8. Data Security
Protecting Personal Information – We take reasonable steps to protect the personal information we hold from misuse and unauthorised access, modification and disclosure.
Physical security – All staff have keys to allow access to the premises and it is important that these keys be kept secure at all times. Should you lose a key you must report the loss to Trent Rogash immediately so appropriate measures can be taken. CEMAC Pty Ltd has a permanently monitored back-to-base alarm system for which all staff know the access code. This code is not to be divulged to any other person. No files are to be removed from the premises without permission from the Privacy Officer. It is preferred that all staff adhere, as much as possible, to a clean desk policy.
Computer and network security – Each staff member has his/her own individual log-on code and password to protect the integrity of our computer system. All staff are networked to the server which is fire-wall protected from external connection. Back-up tapes are done each day and stored off premises in accordance with the procedures manual.
Communications security – All endeavours are to be made to check the validity of fax numbers before sending information. Thorough checks are to be made as to the identity of a caller before divulging any personal information over the telephone. Email communications are performed through a router with fire-wall protection for the server.
Personnel security – Staff personnel records are kept under strict security and access to these records are limited to William Legge and the staff member concerned. You can request access to your file at any time.
Destroying or De-Identifying Personal Information – We destroy or de-identify personal information when it is no longer needed. As the vast majority of our Insureds’ policy packages contain a liability component we are required to store the records indefinitely. All archived files are stored in-house or in a secure document storage facility. Any paperwork relating to any customer which is not required to be filed is to be shredded. As the shredder is a cross-cut type which produces 2 cm long strips disposal in a waste bin or composted.
9. Access and Correction
Access – In principle, we will provide a person with access to the personal information we hold about them on request. Murray Rogash will be responsible for approving the provision of access to personal information.
Method of Access – Before providing access:
a) Check what particular information the person wants to ensure that you are not providing more than is required; and
b) Confirm that the person requesting the information is who they claim to be.
Providing Access – Provide the information by the most cost-effective method available. This could be:
a) Letting the person inspect the information we hold and take notes of its contents – however take care to ensure that they only see their own information;
b) Letting the person view the information and provide and explanation of its contents;
c) Providing a photocopy or fax of the information;
d) Providing a printout of information held in electronic form;
e) Providing a summary of the information.
Timeframe – Requests for access should be acknowledged within 7 – 10 days. Straightforward requests for access should be fulfilled within 14 days and if complex within 30 days.
Charges for Access – There are no charges for lodging a request for access.
If the time and effort required is minimal then there will be no charge for such access. If, however, it takes considerable time (to be determined by the Privacy Officer) then a charge will apply relating to cost of staff time at the appropriate hourly rate for that staff member plus the cost of any copying etc at ten cents per page.
Refusing Access – You may refuse to provide access to personal information in the following circumstances:
a) The request is frivolous, vexatious, ie. trivial, made to pursue an unrelated grievance against us or is a repeated request for the same information.
b) Provision would unreasonably impact on the privacy of others.
c) The information relates to existing or anticipated legal proceedings against us by the person and the information would not be discoverable in those proceedings.
d) Provision would reveal our intentions in negotiations with the person in such a way as to prejudice the negotiations.
e) It is unlawful to provide access, the law permits or requires access to be denied or it would prejudice the activities of enforcement bodies.
The Privacy Officer must approve all refusals of access.
The Privacy Act permits us to refuse access in some other unusual circumstances. If you want to refuse access for any reason other than those listed above, check with the Privacy Officer before doing so.
Correcting personal information – If personal information in our records is incorrect, incomplete or out of date, update the records to make them accurate. However:
a) If the records are inaccessible and no longer required, consider destroying or de-identifying the information; and
b) If you do not agree that the information is inaccurate, incomplete or out of date, and if requested, attach to it a statement to the effect that the person to whom the information relates claims that it is inaccurate, incomplete or out of date.
Giving reasons – Give reasons for any denial of access or refusal to correct information. Again our Privacy Officer should approve these before they are communicated to the person requesting access or correction.
10. Tax File Numbers and other identifiers
We do not use tax file numbers or other governmental identifiers to identify any person.
We collect, use and disclose identifiers of employees in the following circumstances:
a) To the trustee of any superannuation fund to which we contribute on behalf of employees, to the Superannuation Holding Accounts Reserve and to other regulated superannuation funds, exempt public sector superannuation schemes and approved deposit funds when the benefits of members are transferred to these funds (unless the owner of the tax file number requests in writing that it not be disclosed);
b) To the Tax Office in relation to the preparation of group certificates or tax stamps sheets under the PAYE/PAYG system;
c) To the Tax Office in respect of payments made under the Prescribed Payments System or for Reportable Payments Declarations.
The Privacy Act permits us to disclose identifiers in some other unusual circumstances. If you want or are asked to disclose an identifier for any reason other than those listed above, check with the Privacy Officer before doing so.
Note for Privacy Officer – the other circumstances are set out in NPP 2.1 (e)-(h).
11. Complaints About Privacy
Refer any complaint about privacy matters to the Privacy Officer.
1. Long Form Privacy Policy Statements
Privacy Policy
At CEMAC Pty Ltd we are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth). This Privacy Policy describes our current policies and practices in relation to the handling and use of personal information.
What information do we collect and how do we use it?
To enable us to quote on and insure risks, we collect the information we need to assess the risk and whether and on what terms we will insure it. We may need to provide this information to our underwriters who may, in turn, provide it to reinsurers. Some of these companies may be located outside Australia.
When a claim is made under the policy, to enable assessment of the claim, our Insurers and their representatives (including loss adjusters, investigators, medical advisers and lawyers) collect information about the claim, some of which may be personal information. We, on behalf of our Insurers, may collect the information from our insured or from third parties. We provide this information to those who have been appointed to assist with consideration of the claim. Again this information may be passed on to our underwriters and reinsurers.
We may use your personal information internally to help us improve our services and help resolve any problems.
What if you don’t provide some information to us?
We can only issue insurance cover and assess claims under the policy if we have all relevant information. The insurance laws also require insureds to provide us with all the information we need in order to be able to decide whether to insure and on what terms.
How do we hold and protect your information?
We hold the information we collect from insurance intermediaries and insureds in either electronic or hard copy files in our office.
We ensure that your information is safe by use of electronic firewalls and premises secured by back-to-base alarm. Our premises are never left unlocked if unattended.
Will we disclose the information we collect to anyone?
We do not sell, trade, or rent personal information to others.
We may need to provide information we hold to contractors who supply services to us, eg to handle mailings on our behalf or to other companies in the event of a corporate sale, merger, reorganisation, dissolution or similar event. However, we will do our best to ensure that they protect the information in the same way that we do.
We may provide this information to others if we are required to do so by law or under some unusual other circumstances which the Privacy Act permits.
How can you check, update or change the information we are holding?
Upon receipt of your written request and enough information to allow us to identify the information, we will disclose to you the personal information we hold about you. We will also correct, amend or delete any personal information that we agree is inaccurate.
If you wish to access or correct your personal information please write to The Privacy Officer, CEMAC Pty Ltd, PO Box 6513, Upper Mt Gravatt Qld 4122.
We do not charge for receiving a request for access to personal information or for complying with a correction request. In most cases there will not be a charge for providing access to personal information. However, if such provision involves substantial time and effort, a charge will be made sufficient to compensate us for the wages of staff involved and any additional costs eg copying etc.
Your consent
By asking us to quote or provide insurance to insureds, you and your clients consent to the collection and use of the information you have provided to us for the purposes described above.
Tell us what you think
We welcome your questions and comments about privacy. If you have any concerns or complaints, please contact The Privacy Officer on 07 3349 7455 or email to admin@cemac.com.au.
2. Short Form Privacy Policy Statements
Renewal Invitations
This is incorporated in the Renewal Invitation.
Privacy - We are committed to protecting your privacy. We use the information you provide to us to quote on and insure your clients’ risks. We only provide personal information to our underwriters and their representatives (who may, in turn, provide it to reinsurers) and those who are appointed to assist with claims under policies of insurance. We will not trade, rent or sell the information.
If you don’t provide us with full information, we cannot properly quote for your clients’ insurance and we cannot provide insurance. You can check the personal information we hold about you and your clients at any time. For more information about our Privacy Policy, ask us for a copy or visit our web site at www.cemac.com.au.
Proposal Forms
These are designed by Lumley Insurance and will incorporate Lumley Insurance's privacy statement
Claim Form
This is designed by Lumley Insurance and will incorporate Lumley Insurance's privacy statement
3. Website Privacy Policy Statement
Your website should incorporate a Privacy and Security Policy Statement which should form part of the terms of use of your website.
As Gold Seal cannot predict what tools your website uses or what information it collects, it is not possible to provide template clauses. The following is intended as a guide to the information that you may need to incorporate and must be checked with your website developer.
Our Privacy Policy
Use the Long Form Privacy Policy Statement as the basis for the website Privacy Policy Statement. Then add additional clauses to describe how the website collects, uses and stores personal information as described below.
If your website provides information only and has no capacity to collect visitor data, describe the manner in which the website collects anonymous personal information at the end of the section in the Long Form Privacy Policy Statement titled “How do we hold and protect your information”. The following clauses may be useful but must be checked with your website developer:
You can visit our website without providing us with any personal information.
Anonymous data – We use technology to collect anonymous information about the use of our website, for example when you browse our website our service provider logs your server address, the date and time of your visit, the pages and links accessed and the type of browser used. It does not identify you personally and we only use this information for statistical purposes and to improve the content and functionality of our website, to better understand our customers and markets and to improve our services.
Cookies – In order to collect this anonymous data we may use “cookies”. Cookies are small pieces of information which are sent to your browser and stored on your computer’s hard drive. Sometimes they identify users where the website requires information to be retained from one page to the next. This is purely to increase the functionality of the site. Cookies by themselves cannot be used to discover the identity of the user. Cookies do not damage your computer and you can set your browser to notify you when you receive a cookie so that you can decide if you want to accept it. If you use only temporary cookies, insert “Once you leave the site, the cookie is destroyed and no personal or other information about you is stored.” If you use permanent cookies, insert “They allow the website to recognise your computer when you return in the future”.
If users can request information via the website, then also insert a paragraph describing what information you collect via the website and how you use it. This should be inserted at the end of the second paragraph of the section titled “what information do we collect and how do we use it?”
If you transact business via your website, contact your website developer for information about security processes and protocols and appropriate clauses to describe how personal information is collected, used and stored.
4. E-mail Waiver
This is used on all outgoing emails.
CAUTION: Name and CEMAC Pty Ltd A.C.N. 087 238 837 The information contained in this message and any attachment(s) may be privileged and confidential and is intended for the exclusive use of the addressee designated. If you are not the addressee any disclosure, reproduction, distribution, on-transmission, dissemination or use of the communication is strictly prohibited. Whilst any attachments may have been checked for viruses you should rely on your own virus checking programmes and procedures. To facilitate our communications we will store on our database your e-mail name and address together with any other contact details you have provided.
Tel 07 3349 7455 Fax 07 3349 2007
PO Box 6513, Upper Mt Gravatt Qld 4122
5. Telephone Scripts
It is vital that we ensure that our clients are told the following:
a) Our identity and how to contact us – usually this is already apparent as the broker/client initiated the phone call;
b) The purpose for which we collect personal information;
c) The organisations (or types of organisations) that we usually disclose the information to;
d) Any law that requires the information to be collected;
e) The main consequences if the information is not collected;
f) The fact that the client is able to get access to the personal information.
As we only deal with organisations with whom we have a signed Administration Agreement they will be aware of our Privacy Policy which addresses the above.
Telephone Quotations
When a broker with whom we do not already deal seeks a quotation or insurance cover over the telephone we are to advise him as follows . . .
|
