On January 7, 2020, the Thai General Insurance Association hosted a session on the insurance industry’s compliance with the Personal Data Protection Act (PDPA), which was enacted in 2019 and is due to come into force on May 27, 2020. Representatives from the Office of Personal Data Protection Commission (PDPC) and the Office of Insurance Commission (OIC) gave presentations, followed by a panel discussion with representatives of the OIC and the Thai General Insurance Association.
Speakers were able to give clarity on a number of issues:
- The PDPA imposes obligations on the board of directors to ensure company compliance with the PDPA. Insurers should establish and introduce a privacy policy to ensure full compliance within the organization.
- Appointment of a data protection officer (DPO), which can act as a second line of defense, is strongly recommended (if not compulsory). The PDPA does not currently require a DPO to be an employee within the organization; it is possible to outsource the DPO’s function to a third party.
- Industry associations may choose to establish industry guidelines for compliance with PDPA, and a few associations have already started preparing such guidelines. Industry guidelines for the non-life insurance industry, as well as relevant templates to help insurers comply with the PDPA, are currently being considered.
- To collect, use, and disclose the personal data of the insured, insurers should rely on “contractual obligation” as their lawful basis—not consent. The use of health data (i.e., sensitive personal data) is unique to the insurance industry in comparison with other industries. Obtaining explicit consent to collect the insured’s health data in order to enter into a health insurance contract should not be the approach insurers take. To protect the industry against fraud, sharing lists of people who have made fraudulent claims within the industry should not be restricted.
- The OIC should not be restricted by the PDPA but should be exempted for the purpose of performing its public tasks. Complying with OIC regulations should not be restricted, as the PDPA provides a lawful basis for processing that is necessary for compliance with a legal obligation.
- The appointment of the PDPC is still in progress.
We will continue to monitor PDPA-related developments and provide periodic updates. For further information, please contact Tilleke & Gibbins’ PDPA team at [email protected], [email protected], or [email protected].