IRDA – Data Protection for Insurance Sector

IRDA stands for Insurance Regulatory and Development Authority of India, it is the apex body overseeing the insurance business in India.

Digitisation

Confidentiality

Data protection

IRDA stands for Insurance Regulatory and Development Authority of India, it is the apex body overseeing the insurance business in India. It protects the interests of the policyholders, regulates, promotes and ensures orderly growth of the insurance in India.

A shift towards digitisation has been the central theme for the insurance industry in recent years. Digitisation lowers the cost of transacting business, helps increase penetration, and brings higher efficiencies. However, the convenience of digitisation brings with it concerns related to data protection.

The Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) set out the general framework with respect to data protection in India. However, given the nature of the business of insurance companies and intermediaries, the Insurance Regulatory and Development Authority of India (IRDAI) has prescribed an additional framework for the protection of policyholder information and data, which is required to be followed in addition to the general framework under the IT Act.

The IRDAI has mandated insurance companies to protect and maintain the confidentiality of information they collect. Records must be held and maintained in India and disclosure is permitted only in limited circumstances.

Identifying that maintenance of data security is essential through all five phases of the data lifecycle (i.e., data at source, in motion, in use, at rest and at destruction), the IRDAI has prescribed a detailed framework for data protection on the insurer, which includes the following obligations:

  • To classify data as ‘critical’ and ‘non-critical’ (based on the organisation classification standards) and establish security processes to secure critical data including by maintaining an audit trail of critical data access.
  • To provide access to data only on a ‘need to know basis’ and periodically review such access rights.
  • To obtain confidentiality undertakings from users having access to data.
  • To obtain the approval of the information or business owner in the event sensitive data is required to be sent to outsourced services providers, third parties, etc. for business purposes.
  • To design controls to ensure that data is not misused by the third party by way of executing non-disclosure agreements, right protected emails, etc.
  • To have in place effective mechanisms for data destruction.