Published on Office of the Information Commissioner Queensland (https://www.oic.qld.gov.au)

Home About  >  News  >  Privacy case note #5, 2021: Agency claims that it is not responsible for personal information concerning an insurance claim

Privacy case note #5, 2021: Agency claims that it is not responsible for personal information concerning an insurance claim

November 10, 2021 - 3:40pm

A complainant contacted OIC about an insurance company that had sought copies of his medical history for the past three years following a claim for an injury he suffered on public transport. The complainant felt this was excessive because he considered his medical history prior to the accident was not relevant to his insurance claim.

Privacy principles

The complaint raised issues under Section 35 – Binding a contracted service provider to privacy principles.

Investigation

There was initial confusion about whether the insurer fell under the Queensland or Commonwealth privacy jurisdictions. Whilst the insurer nominally fell under the Commonwealth’s Privacy Act 1988 (Privacy Act), the Office of the Australian Commissioner (OAIC) had taken the view that as a Queensland State Government agency owned the vehicle and engaged the insurer to provide insurances services for the fleet, the insurer was a contracted service provider for a state contract. As such, the Privacy Act did not apply to any personal information associated with the contract.

An agency outsourcing one of its functions to the private sector commonly invokes the obligation in Section 35 of the Information Privacy Act – binding a contracted service provider to the privacy principles. However, an agency is not required to bind a contractor where there is no flow of personal information between the contractor and the agency.

The agency held the position that any information concerning an insurance claim would pass between the individual and the insurer only. As the agency was not involved in the administration of insurance claims, the obligation to bind the insurer did not apply to the insurer’s request for the medical information, and the responsibility for the insurer’s request was that of the insurer only.

The specific circumstance of this complaint meant that the insurer’s request fell outside of both the Commonwealth’s and Queensland’s privacy jurisdictions. OIC recommended the complainant pursue his complaint with the insurer directly.