The Challenges Grappling Data Protection And Privacy In The Insurance Industry

The digital revolution in India has disrupted the business environment in every industry, and the insurance industry is no exception. Digitization enhances efficiency and reduces the cost of transacting business; however, several challenges to the adoption of emerging technologies remain, including disruption of the traditional insurance ecosystem, uncertain consumer adoption, unclear return on investment, and data privacy and security.

Emerging technologies usually process customer data from which insights about customers' historical health issues and behavioural patterns can be derived. Such data is sensitive, and the growing body of regulation on personal data, both globally and in India, will continue to pose additional challenges for insurers and insurance intermediaries alike.

The Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) set out the general framework with respect to data protection in India.

However, given the nature of the business of insurance companies and intermediaries, the Insurance Regulatory and Development Authority of India (IRDAI) has prescribed an additional framework for the protection of policyholder information and data, which is required to be followed in addition to the general framework under the IT Act.

Regulatory Framework Governing Insurance Companies 

The IRDAI has made it mandatory for all insurance companies to protect, and maintain the confidentiality of, all the information they collect. Below are some of the relevant data protection regulations applicable to insurance companies:

– IRDAI (Maintenance of Insurance Records) Regulations, 2015 – Pursuant to Regulations 3(3)(b) and 3(9), insurers are required to ensure that:

  • the system in which the policy and claim records are maintained has adequate security features; and
  • the records pertaining to policies issued and claims made in India (including records held in electronic form) are held in data centres located and maintained in India. In practice this is a data localisation requirement: an insurer hosting such records with a cloud provider must confirm where the data, and any copies of it, actually reside.

– IRDAI (Health Insurance) Regulations, 2016 – Pursuant to Regulation 35(c), insurers, third party administrators (TPAs) and network providers (i.e., hospitals) are required to comply with such data-related requirements as may be specified in guidelines prescribed by the IRDAI (if any).

– IRDAI (Protection of Policyholders’ Interests) Regulations, 2017 – Pursuant to Regulation 19(5), insurers are required to maintain total confidentiality of policyholder information, unless disclosure to statutory authorities is legally required.

– IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017 – Pursuant to Regulation 12, insurers are required to ensure that:

  • the outsourcing service provider has adequate security policies to protect the confidentiality and security of policyholder information;
  • information and data shared with the outsourcing service provider remain confidential; and
  • customer data is retrieved from the service provider once the outsourcing agreement is terminated, with no further use of it by the provider. The insurer, not the provider, carries this obligation, so the outsourcing contract should spell out how data is returned and how its deletion from the provider's systems is confirmed.

Regulatory Framework Governing Intermediaries 

Intermediaries in the insurance sector such as – brokers, individual agents, corporate agents, third party administrators (TPAs), surveyors, loss assessors and web aggregators – serve as a bridge between customers and insurance companies, by facilitating the process for selection and purchase of insurance products and assisting in the servicing of policies and assessment of claims.

Therefore, intermediaries are also bearers of confidential information and thus are subject to obligations relating to data protection and preservation of confidentiality prescribed by the IRDAI.

While each intermediary is subject to its own regulations and code of conduct, as set out in the table below, the provisions relating to protection of policyholder data are common to all intermediaries. Inter alia, they prescribe that insurance intermediaries –

  • treat all information supplied to them by prospective clients as completely confidential to themselves and to the insurer(s) to which the business is being offered; and
  • take appropriate steps to maintain the security of confidential documents in their possession, including by way of restricting access to such information, execution of confidentiality undertakings, etc.

A similar regime has been prescribed for insurance surveyors and loss assessors; however, as an exception, the extant regulations permit surveyors and loss assessors to disclose information pertaining to a client, employer or policyholder to a third party, but only where the necessary consent has been obtained from the interested party.

It is however clear that the surveyors and loss assessors are prohibited from using (or appearing to use) any confidential information to their personal advantage or to the advantage of a third party.

Specifically, in relation to TPAs, the IRDAI (Third Party Administrators – Health Services) Regulations, 2016 (TPA Regulations) require TPAs not to share the data and personal information of customers that they receive for servicing insurance policies or claims.

A limited exception to this rule has been carved out for disclosure of confidential information to any court of law, tribunal, government or the IRDAI in the event of any investigation being carried out (or proposed to be carried out) against the insurer, TPA or any other person or for any other reason.

The aforesaid exception is similar to the carve-out under Rule 6 of the SPDI Rules, which permits government agencies mandated under law to obtain information (including sensitive personal data or information) for specified purposes, without obtaining the prior permission of the provider of such information.

Insurance Regulatory Sandbox 

A ‘Regulatory Sandbox’ is a testing environment created by the relevant regulatory authority to give market players an opportunity to execute and test innovative products, services, business models and delivery mechanisms safely and in an orderly manner, with the aim of protecting customers while also safeguarding the interests of other stakeholders.

Shortly after the issuance of the RBI Regulatory Sandbox, on May 18, 2019, the IRDAI issued the “Draft Insurance Regulatory and Development Authority of India (Regulatory Sandbox) Regulations, 2019” (IRDAI Regulatory Sandbox).

The objective of the IRDAI Regulatory Sandbox is to create a balance between the orderly development of the insurance sector on one hand and protection of interests of policyholders on the other, while at the same time facilitating technological innovation by way of relaxing provisions of any existing regulations framed by the IRDAI, for a limited scope and limited duration.

On approval of an application, the IRDAI Chairperson may relax the applicability of one or more provisions of any regulations, guidelines or circulars identified in the application, subject to the conditions attached to the approval or any other conditions the Chairperson deems necessary.

The IRDAI Regulatory Sandbox expressly states that no relaxation will be granted in relation to the Insurance Act, 1938 or the Insurance Regulatory and Development Authority (IRDA) Act, 1999. Statutory obligations, including those under the IT Act and the SPDI Rules, therefore continue to apply to a sandbox participant even where IRDAI regulations have been relaxed.


The underlying objective of these regulations is to encourage good data practices and retain customer trust in insurance businesses. Instead of treating them as a mere compliance task, companies should welcome the newly introduced regulations as an opportunity to win customer trust and gain a competitive advantage.

Though insurers may be acutely affected by these regulations, their path to compliance is the same as for any other affected sector: revisiting systems and processes to assess readiness, and investing to close the gaps found.

Note: The views and opinions expressed are solely those of the author and do not necessarily reflect the views held by Inc42, its creators or employees. Inc42 is not responsible for the accuracy of any of the information supplied by guest bloggers.
