In compliance with Republic Act 10173 or the Data Privacy Act of 2012, PACIFIC UNION INSURANCE COMPANY hereby adopts its own Data Protection policy to regulate the collection and processing of personal information in relation to the conduct of its business.
PACIFIC UNION INSURANCE COMPANY: DATA PROTECTION POLICY 2018
STATEMENT OF POLICY
PACIFIC UNION INSURANCE COMPANY (“PUIC”) is a reputable insurance company, having been in the insurance industry since 1945. The company, as an institution, seeks to always uphold honesty, integrity and fair dealing with its clients, stakeholders and employees in all of its transactions and activities.
The measures described in this statement are illustrative of our general posture toward the protection of the fundamental human right of privacy and of communication, while ensuring the free flow of information to promote innovation and growth. PUIC, as a personal information controller and/or processor, adheres to the general privacy principles of transparency, legitimate purpose, and proportionality as mandated by law.
I. CONSENT AND TRANSPARENCY
The principle of transparency refers to the duty of PUIC as personal information controller/processor to inform data subjects of the nature, purpose, and extent of the processing of their personal data.
Collection of Personal Data
Personal Data is collected and stored when a person (data subject) makes an application for an insurance policy, renewal or modification of an insurance policy, when a data subject enters our website and when a person provides Personal Data to PUIC through any other authorized channel.
Personal Data may also be obtained from other sources such as bureaus or agencies established by regulatory authorities, operators of registers or databases available to the insurance industry, our affiliated entities, business partners and independent third parties, regulatory authorities and any party who has, does or will provide products or services to the data subject and to whom the data subject has granted consent.
1. Employees, agents, brokers, work-affiliates and other authorized persons of PUIC shall observe and adhere to the following guidelines in conducting business and other transactions under the name of the Company:
The consent of all potential clients/clients shall at all times be secured when their personal data are collected. Consent must be “freely given, specific, informed,” and the definition further requires that consent to collection and processing be evidenced by recorded means. In line with this, PUIC requires all potential clients/clients to fill out a Personal Information sheet regardless of the type of product/line that they seek to apply for. (See attached PUIC Personal Information Sheet)
All potential clients/clients as data subjects shall be informed of certain specific information relating to the collection and processing of their personal data, scope and method of processing, the recipient or classes of recipients of their personal data and the basis of processing of their personal data when they have not provided consent.
Consent is not required for processing where the data subject is party to a contractual agreement, for purposes of fulfilling that contract. Further, an exception to consent is allowed where processing is necessary to pursue the legitimate interests of the data controller, except where overridden by the fundamental rights and freedoms of the data subject.
Pursuant to the law, processing of sensitive and personal information is strictly prohibited unless it falls under certain exceptions.
The law defines sensitive personal information as being:
a. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
b. About an individual’s health, education, genetic or sexual life, or about any proceeding for any offense committed or alleged to have been committed;
c. Issued by government agencies “peculiar” (unique) to an individual, such as National/Government ID’s details;
d. Marked as classified by executive order or act of Congress.
All processing of sensitive and personal information is prohibited except in certain circumstances. The exceptions are:
a. Consent of the data subject;
b. Pursuant to law that does not require consent;
c. Necessity to protect life and health of a person;
d. Necessity for medical treatment;
e. Necessity to protect the lawful rights of data subjects in court proceedings, legal proceedings, or regulation.
II. LEGITIMATE PURPOSE
PUIC shall use and share certain personal data for the performance of the contract or to take steps prior to entering into the contract of insurance. The following processing activities are used for this legal purpose:
– Providing a quotation
– Underwriting and pricing a policy
– Handling a claim
– Handling a third party claim
– Sharing details with or seeking personal information from your intermediary (if applicable) and anyone authorised by you to act on your behalf
– Sharing details with or seeking personal information from loss adjusters, repairers and other claims handling agents, medical practitioners, engineers and legal practitioners.
PUIC shall also use and share certain personal data for legitimate business interests. The following processing activities are used for this legal purpose:
– Risk management, auditing and other Company provisions which are key governance functions to protect the business;
– Market research, customer satisfaction surveys, and data analytics, including profiling, to develop and enhance the customer relationship and journey as part of our business strategy;
– Prevention and detection of fraud to help protect underwriting and claims processing. This includes, but is not limited to, sharing with or seeking information from other insurance companies to confirm information provided, to safeguard against non-disclosure and to help prevent fraudulent claims; (See attached PUIC Anti-Fraud Plan Policy series of 2017)
– Recording or monitoring of business for regulatory, training and quality purposes;
– Automated decision making. PUIC may use clients’ personal data to evaluate, analyse or predict the performance of the contract of insurance. In these cases, suitable safeguards are in place and clients have the right to intervene to express their interests and contest automated decisions.
PUIC shall in all cases secure the CONSENT of the data subject prior to the processing of any data involved in the above-mentioned instances. In all of these processing activities, the interests of the clients are considered and PUIC shall ensure that necessary safeguards are in place to protect clients’ privacy.
III. PROPORTIONALITY
PUIC adheres to the principle of proportionality by requiring that the scope and method of processing personal data be relevant, suitable, necessary and not excessive in relation to a declared and specified purpose/s.
PUIC shall limit the processing of personal data to only what is necessary and compatible with the declared and specified purpose.
Retention Period of Personal Data
PUIC shall keep the clients’ personal data only for as long as it is required by the insurance contract, to handle claims and to comply with our legal and regulatory obligations as documented in our recording policy.
PUIC shall always observe the rights of data subjects in data processing, to wit:
a. Right to be informed whether personal information is being or has been processed, and the content of such personal information;
b. Right to reasonable access to personal information;
c. Right to dispute and rectify an inaccuracy or error in the personal information;
d. Right to object to the processing of personal data;
e. Right to suspend, withdraw or order the blocking, removal or destruction of personal data from the personal information controller’s filing system;
f. Right to damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorised use of personal data;
g. Transmissibility of rights of the data subject to his or her lawful heirs or assigns in certain defined cases;
h. Right to data portability;
i. Right to request a copy of personal data, and to have incorrect personal data corrected; and
j. Right to withdraw the consent for the processing of personal data, have personal data erased, or the processing restricted.
IV. DATA SECURITY BREACH NOTIFICATION AND MEASURES
Mandatory personal information breach notification
A “security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise availability, integrity or confidentiality. This definition includes incidents that would have resulted in a personal data breach, if not for safeguards that have been put in place.
A “personal data breach,” on the other hand, is a subset of a security breach that actually leads to “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”
Requirement to notify
PUIC shall notify the National Privacy Commission (NPC) as well as the affected data subjects within 72 hours of knowledge of any data breach, or any reasonable belief by the Data Protection Officer of a personal data breach that requires notification.
Criteria for Breach Notification
a. The breached information must be sensitive personal information, or information that could be used for identity fraud, and
b. There is a reasonable belief that unauthorized acquisition has occurred, and
c. The risk to the data subject is real, and
d. The potential harm is serious.
Contents of Breach Notification
a. The nature of the breach;
b. The personal data possibly involved;
c. The measures taken by the entity to address the breach;
d. The measures taken to reduce the harm or negative consequences of the breach;
e. The representatives of the personal information controller, including their contact details;
f. Any assistance to be provided to the affected data subjects.
The VP Internal Audit/Operations shall be appointed to oversee the Company’s Data Protection Policy.
V. COMPANY SANCTIONS FOR INTERNAL BREACH
***To be discussed vis-à-vis the PUIC Employees Manual
This Data Protection Policy is designed to assist the public in understanding how PUIC collects, uses, discloses and/or processes the personal data provided to the Company.
If one, at any time, has any queries on the Policy, or any other queries or complaints in relation to how PUIC manages, protects and/or processes personal data, please do not hesitate to contact the Company.
By providing your Personal Data to us, you acknowledge and accept that we may retain your information for as long as necessary for us to fulfill the purposes for which your information was collected and for us to comply with Republic Act 10173 and any relevant laws.