Privacy - Do we really understand it?
I've talked about the privacy act and client information protection in the past, and it seems to fall on deaf ears.
Tuesday, October 10th 2023, 8:35AM 
2 Comments
by Jon-Paul Hale
I expect this because it means more work and thought about what we do and how we do it.
Simple things we have taken for granted are now explicitly against the law with the 2020 Privacy Act changes.
These now require mandatory reporting and disclosures to the Privacy Commissioner, too.
Sorry, AIA, you seem to be my present whipping post here. You're currently an easy target.
Yes, AIA is my example here.
In AIA's infinite wisdom, they have looked to improve the matching process for clients' existing business in the AIA Hub and Quote system and have stepped on a landmine.
The problem is that they are exposing unauthorised client information in the process.
I first noticed this with a client that I moved from ASB to AIA branding. If you didn't know, you can move ASB Cover to AIA and take over servicing without facing underwriting and preserving client benefits.
* ASB does not let you service their branded policies, but you can move things (with the appropriate replacement advice) and have an AIA policy going forward.
Back to the story, what happened here? As usual, I did the illustration in the quote system, except the system flagged a client match and pulled through the extra discounts for multiple benefits, etc. Ok, thanks, but I'm replacing that contract.
While this is an example of a client that was with ASB being flagged, which I thought was borderline, I did know the details of the client policies and already had information authorities in place for them. So, ok, that's how that works.
Except, with another client in the illustration system, it flags there are client matches and then displays the names, gender and DOB of possible matching clients.
For clients that are not in my agency, I do not have authority, and I shouldn't know if they have policies with AIA.
On checking this out, AIA made a decision to implement this that it was a manageable risk. One they think is mitigated by other factors.
Other factors, huh?
So tell me, what exactly is stopping me from taking that information, locating the client concerned, and approaching them with an offer from a different provider?
AIA would only know about this when the cancellation of cover turned up or the change of servicing.
AIA would not know this was all started from them displaying client details in their illustration system.
I'm not about to go off and do this; I have far too much other work to contend with. However, I'm sure an eagle-eyed adviser or two out there has discovered a marketing opportunity. Or they now know of it!
You'll likely have similar names and DOB in the illustration system for this to pop up. It looks to be First Name and DOB, maybe gender.
Given the size of AIA's business, this is not secure, as you don't need many people to have multiple people with the same birthday, and they have hundreds of thousands insured. Especially those born in September!
The unauthorised use case here is David Smith 29/9/1977; you will get matches of all Davids or Smith's with that birthdate. A bored adviser looking for suspects could find this quite lucrative.
Match that to/from the white pages, and away you go... Maybe some social media stalking.
It's not hard to find someone in N.Z.!
I have said previously that providers need to do better; the impact of a provider stuffing this stuff up has a profound effect.
An adviser may impact a few hundred people, but an insurer can impact millions. The recent Southern Cross stuff was with 940,000 people from their latest financial report.
In contrast with AIA, they notify a claim for a client. "John Smith policy 123456-01 has had a claim," and they refuse to confirm more details without a sign-off with a client authorisation.
I can access the name, gender, and DOB of random clients just by using their illustration tools, but I can't have even minor details on a claim for a client in my client base to determine if I need to follow them up.
Seriously, we are entering a time of the inmates running the asylum!
AIA, somehow you have seriously dropped the ball, client privacy, changing terms and conditions on policies with splits from policy admin, FAP and agency stuff without checks, AirPoints, and the Level 5 education thing I haven't sent to Philip yet just in the last 6-8 weeks.
The other insurers aren't squeaky clean on everything either; at the same time, they aren't sending such conflicting, inconsistent messages like AIA.
P.S. Actively published to shine the light, or light a fire, on an issue that impacts all of us with clients with AIA; we all have exposure to clients being approached as a direct result of this.
| « Authority Documents - What’s too far? | Attestations, qualifications, and just general tick boxing » |
Special Offers
Comments from our readers
This is a crude matching process and exposes client details that aren't authorised. As a minimum this should be restricted to the clients within your agency not the whole damn business!
This is a basic Privacy Act issue that is not being managed, regardless of the +ve or -ve business aspects.
There are some basics here that seem to have been overlooked:
The client providing authority to their policies. Just because you're quoting them doesn't mean that you should be able to see what's there on the system.
Second, as an adviser you should have awareness of the client picture to assess this in the first place. The means doesn't justify the ends for the use case you stated.
From a systems perspective, there are many ways of doing this that are technically more complex but don't expose client information. Sure there can be spelling mistakes, but there are tools to check this for matching purposes too.
As to the trust thing, you're making my point, they trust us with some pretty significant things but fail to trust us on the practical side of things. Or they expect us to accept that a newbie will get it right but fail to account for basic operational simplicity that's easily checked on with heavy handed processes.
True most of those examples of not trusting us probaly started with an adviser doing something dodgy, having seen a lot of dodgy stuff over the years it probably explains my cynicism.
Sign In to add your comment
|
|
Printable version |
|
Email to a friend |
But in a previous article you complained about insurers not trusting advisers.
Be careful what you wish for