A woman wanted an insurance company to delete all the personal information it had about her. She said she had not made a claim and had since taken her business to another insurer. When the insurance company refused to do so, she complained to our office.
The woman told us she had taken out a contents insurance policy with the insurer but cancelled it after only two months because she was dissatisfied with the service.
She said if she had made a claim with the insurer, she could understand the company wanting to retain the financial details. But there had been no claim and she couldn’t understand why the company would not comply with her request. She said if other organisations would delete personal details on request, insurance companies should do so too.
The insurer told the woman it could not delete information about her for ‘validation and financial reasons’. Its privacy officer told us it retained the personal information as a claim could still be made on the policy in certain circumstances. The privacy officer said the company had engaged in an extensive complaints process with the woman whose real issue was information about her behaviour towards staff that had been recorded in her file.
The privacy officer said she had discussed the reasons for retaining this information with the woman. The privacy officer had explained the company’s security measures, and the circumstances in which the information could be used. She had also discussed principle 7 of the Privacy Act with the complainant.
Principle 7 says where an agency holds personal information, an individual is entitled to request correction of the information; or to have a note attached to the information that a statement of correction had been sought but not made. The definition of “correct” includes deletion.
Although a person can ask an agency to correct personal information, they cannot compel an agency to delete information. This is because when an agency has collected information for a specific purpose, it is allowed to keep the information for as long as it needs in order to meet that purpose.
Additionally, depending on the type of information, an agency may be required to keep information under another law (for example, the Employment Relations Act 2000 requires that time and wage records are kept for seven years).
In this case, we advised the woman that the insurer had complied with the Privacy Act. It did not have to delete the information but it must attach a note to her file to indicate that the information was disputed.
We advised the woman that there did not appear to have been an interference with her privacy and we were unable to assist her any further. We then closed the file.
Insurance company ̶ retention of personal information ̶ statement of correction ̶ no interference ̶ Privacy Act 1993; principle 7