Privacy Policy of UnderwriteMe Australia Pty Ltd

Last updated: October 2019

Introduction

In this Privacy Policy, “we”, “our” and “us” refer to UnderwriteMe Australia Pty Limited (ACN 611 160 760).

Protecting the privacy of people about whom we hold information is important to us. As well as giving those people knowledge about how we protect the privacy of their personal information, knowledge of our privacy principles and practices supports our insurer clients to verify the trust that they have placed in us and our business relationships. We comply with all applicable information privacy laws in Australia.

In broad terms, we may process information about an individual who is reasonably identifiable:

  • where that information is collected by our insurer clients using a software tool and services we supply to our insurer client; and
  • where that information is collected by us about our clients and potential clients.

The purpose of collecting and holding such information and the kind of information held varies as follows.

1. Information collected by our insurer clients and held by us

1.1 The purposes for which we may collect, hold, use and disclose personal information

We provide a software tool to our insurer clients to assist them to collect personal information about an individual (the individual) and to make decisions relating to:

1.1.1 the price and terms on which the insurer might offer an insurance policy or contract to the individual;

1.1.2 dealing with claims made under an insurance policy or contract by the individual; and

1.1.3 requests by the insurer to third parties (such as health service providers) for more information about the individual.

In providing that tool to our clients, we, our related bodies corporate and our contractors may have access to personal information entered by or on behalf of our client into the tool, for the purposes of assisting our client to use the tool and providing ongoing maintenance and support services for the software tool. We use a third party cloud storage provider to store personal information for our clients.

It is necessary for us to hold this personal information to be able to provide the tool to our insurer client. Our insurer client who collected and uses that information may also have obligations to the individual under privacy laws.

We do not use personal information we hold for our clients for any marketing to individuals, nor do we pass on that personal information to any third parties for marketing purposes.

We collect de-personalised data from the information we hold for our clients for use by us and our related bodies corporate for research and development purposes, including calculating future (re)insurance pricing, underwriting research and risk profiling.

We may use or disclose personal information to enforce or defend our legal rights, for example in a claim made by a client, service provider or the individual.

We use or disclose personal information when it is required by law, for example when disclosure is required by court order. We may also collect, use and disclose personal information where permitted by the Privacy Act 1988 (Cth), for example where we suspect that unlawful activity relating to our activities may be engaged in and we need to use the personal information to take appropriate action.

1.2 The kinds of personal information that we collect or hold, and how we collect or hold it

The type of personal information we hold for our clients depends on the product or service that the client is receiving from us and on choices that our client makes about what information to collect for use in conjunction with that product or service. That information may include:

1.2.1 information that an individual provides on an application, claim or other form (for example, name, address, age, income, occupation, etc);

1.2.2 information that the insurer has collected about an individual from other sources such as its own records of prior applications, subsequent disclosures made by an individual about themselves, information about the history of insurance policies and claims relating to an individual, information from credit reporting agencies about an individual and information to verify employment or income;

1.2.3 medical or health information (sensitive information) that an individual has provided to his or her insurer or has permitted his or her insurer to receive from doctors or other health care providers; and

1.2.4 information generated by the software tool such as recommendations for further actions required.

Information collected about the individual is entered by our client’s personnel, or prospective policy purchasers, policyholders or their advisers, into the software tool. Our client also sends us some personal information to load into the software tool. Information is stored for our client in electronic form on our third party provider’s cloud storage.

We rely on our client to have made the individual about whom our client collects information aware that it will provide that information to us, the purposes we use it for, the types of third parties we disclose it to and how they can access it (as described in this document). If it is sensitive personal information (such as health information) we rely on our client to have obtained the individual’s consent to the above.

Our access to and use of personal information collected by our client is limited by the terms of the contract under which we provide the relevant product or service to our client. Our client remains in complete control of personal information it has collected and we may only have access as is necessary for the purposes of performing or exercising rights granted under that contract. On termination of our contract with our client we must destroy that personal information or return it to our client, except (to the extent permitted by law or in other specific circumstances provided for in the relevant contract) copies held in back-up systems (which remain subject to the terms of the contract indefinitely).

We may retain de-personalised information we have collected from the information we hold for our clients.

We have internal security policies which require us to maintain physical, electronic and procedural safeguards to protect the confidentiality and integrity of all personal information we hold or collect, and to protect against the use of it for an unauthorised purpose. These policies include limiting access to personal information we hold only to our personnel who need to have access in order to perform the scope of their role for us, and implementing technical safeguards such as firewalls, encryption and access controls.

2. Information we collect about our clients and potential clients

2.1 The purposes for which we may collect, hold, use and disclose personal information

We collect personal information from our clients for the purpose of delivering our products and services, including communicating with them, marketing and sales activities, and giving their nominated personnel (including their employees, contractors, agents, brokers and associated financial advisors) access to our products and services.

We collect personal information from potential clients for the purpose of offering our products and services, including communicating with them, marketing and sales activities, and giving their nominated personnel access to our products and services.

We may share information with our related bodies corporate to provide elements of our products and services or to perform part of the operations of our business with our clients and potential clients. For example, different legal entities may provide software support and administrative services.

We may disclose personal information from our clients or potential clients to other entities that provide business services to us. For example, this might include logon authentication service providers, professional advisors or audit service providers.

We may use or disclose this personal information in the circumstances permitted by the Privacy Act 1988 (Cth) or other laws applicable to us.

We may use or disclose information to enforce or defend our legal rights, for example in a claim made by a client, service provider or data subject.

We use or disclose information when it is required by law. An example is a disclosure required by court order. We may also collect, use and disclose personal information where permitted by the Privacy Act 1988 (Cth), for example where we suspect that unlawful activity relating to our activities may be engaged in and we need to use the personal information in that way to take appropriate action.

2.2 The kinds of personal information that we collect or hold, and how we collect or hold it

We collect personal information provided to us by our clients and potential clients, which may include personal information about some or all of their personnel (including their employees, contractors, agents, brokers and associated financial advisors). It is not always practical for us to collect this information directly from the person it is about. We may receive this personal information in a meeting, by telephone or email, or any other means by which we communicate with our clients or their personnel.

We may collect personal information about our clients, potential clients and their personnel that we generate in the course of providing our products and services, for example by generating digital logs of access.

We may also collect personal information about our clients, potential clients and their personnel from third parties, such as service providers to us or from publicly available sources.

Personal information we hold from our clients and potential clients is held in one or more of the following: cloud storage provided by a third party contractor; on our equipment; and in our premises.

We have internal security policies which require us to maintain physical, electronic and procedural safeguards to protect the confidentiality and integrity of all personal information we hold or collect, and to protect against the use of it for an unauthorised purpose. These policies include limiting access to personal information we hold only to our personnel who need to have access in order to perform the scope of their role for us, and implementing technical safeguards such as firewalls, encryption and access controls.

3. Personal information held or accessed from overseas

For the purposes outlined in sections 1.1 and 2.1 of this Privacy Policy, we may hold personal information on cloud storage that is located overseas. We endeavour to use cloud storage in Australia, but this is not always possible, for example to build in redundancy and preserve access to data in the event of a major incident affecting Australian storage facilities or remote access to them. Generally, we endeavour to use alternative storage facilities in a European Union country.

Our employees and contractors, and employees and contractors of our related bodies corporate, may also access from overseas personal information we hold as is incidentally necessary for the purposes described in section 1. Access may be from the UK, a European Union country, Canada, USA or Singapore.

We require that, where possible, either:

  • the entity or person having such access is subject to laws which protect the information in a way that is substantially similar to the Australian Privacy Principles in the Privacy Act 1988 (Cth) and which offer the data subject enforcement rights; or
  • access is limited to those in relation to whom we have taken reasonable steps to ensure that they will not breach our contractual and privacy obligations laws, for example, by creating contractual obligations which limit the use, prohibit copying, include confidentiality and security obligations, and allow us to audit compliance.

4. Access and complaints

Each person has the right in appropriate circumstances to access the personal information we hold about them, and to seek correction of that information if it is in error. If a person would like to seek access, or to correct any information we hold about them, we recommend they make this request in writing. Where justified, corrections will be made.

We aim to comply with our obligations under privacy laws. Any person may contact us to make a complaint about how we have collected or handled his or her personal information.

We will respond to any request or complaint made in relation to personal information within a reasonable period after request. We may collect personal information about the individual making a request or complaint for the purposes of dealing with that request or complaint and it may be held in one or more of the following: cloud storage provided by a third party contractor; on our equipment; and in our premises.

Please direct inquiries about access, correction and complaints to the address below:

Company Secretary
UnderwriteMe Australia Pty Limited
Level 46, Gateway
1 Macquarie Place
Sydney
NSW 2000
Email: legal@underwriteme.com.au

We may update this Privacy Policy from time to time.