Privacy Policy


  1. Privacy policy statement

    We respect personal data privacy and are committed to complying with the requirements of the Personal Data (Privacy) Ordinance  (“PDPO”) (Cap. 486 of the Laws of Hong Kong). In doing so, we strive to ensure compliance by our staff with the strictest standards of security and confidentiality.

  2. Statement of practice on personal data held by us

    We may collect and hold personal data as an insurance regulator, an employer and in performing our statutory functions under the relevant laws and regulations. When we collect personal data from individuals, we will provide them with a Personal Information Collection Statement (“PICS”) on or before the collection in an appropriate format and manner. The PICS will state (among other matters) the purpose of the collection.

    The broad categories of personal data held by us, and the main purposes of use are:

    (a) authorisation, licensing and registration application records and related returns and notifications, and submissions in response to public consultation papers, used for the purposes of processing the relevant applications, carrying out the consultation, displaying at the public registers (e.g. Register of Insurance Intermediaries) and performing our statutory and administrative functions and activities;

    (b) enquiry, complaint, inspection, supervisory, investigation and enforcement records, used for responding to and handling enquiries, comments or complaints, including conciliation between the parties concerned, investigation, if appropriate, and any enforcement or prosecution, and performing our statutory and administrative functions and activities;

    (c) personnel records, which include job applications and the Insurance Authority (“IA”) staff personal details, job particulars, details of salary, payments, benefits, leave and training records, group medical and dental insurance records, mandatory provident fund schemes participation, performance appraisals and disciplinary matters, etc., used for recruitment and human resources management purposes;

    (d) other administration and operational records, used for various purposes depending on the nature of the records (e.g. for administration of functions and activities, organizing and delivering promotional, educational and training activities, subscription of publications etc.).

    Such personal data may include sensitive personal data (e.g. health information). The provision of personal data is generally voluntary unless otherwise specified. A failure to provide the requested personal data, or the provision of inaccurate or incomplete information, may result in us not being able to process your request, application, submission, enquiry, complaint or matter (as the case may be), or to perform our statutory and administrative functions under the relevant laws and regulations.

    In performing our statutory and administrative functions under the relevant laws and regulations, personal data held by us may be disclosed to relevant courts, tribunals and committees, and/or other local and/or overseas regulatory / government / judicial bodies as permitted or required under the law, pursuant to any regulatory / supervisory / investigatory assistance arrangements between us and other regulators (local / overseas), or persons engaged by us to assist us in the performance of our statutory functions. Information collected in response to public consultation papers may be disclosed to members of the public in Hong Kong or elsewhere.

    Where personal data is transferred to place(s) outside of Hong Kong in connection with such purposes, such place(s) may or may not offer the same or a similar level of personal data protection as in Hong Kong.

  3. Personal data collected via forms / sections of our website 

    Without prejudice to our statement of practice on personal data held by us as mentioned above, generally:

    (a) The information you provide in the “Contact Us” section, the “Insurtech Corner” or other similar section / function on our website is used by us to respond to or handle your enquiries, comments, suggestions or matter.  The personal data will not be used for any other purposes, disclosed or transferred without your consent, unless such use, disclosure or transfer is permitted or required by law.

    (b) Personal data collected from subscribers of our subscription service is used by us to alert you, to send you copies of the requested information and to compile statistics of our readership.  The personal data will not be used for any other purposes, disclosed or transferred without your consent, unless such use, disclosure or transfer is permitted or required by law.

    (c) Personal data collected through online forms or service portals will be used, disclosed or transferred for the purposes of performing our statutory and administrative functions and activities, including but not limited to processing the relevant applications, carrying out consultation and displaying at public registers.

    (d) Personal data collected through submissions in response to public consultation papers is used, disclosed or transferred for the purposes as set out in the PICS for the relevant consultation paper.

    (e) Personal data provided in the “Complaint Form” will be used, disclosed or transferred only for those purposes related to the complaint (for example, it may need to be disclosed to the relevant insurer or insurance intermediary against whom a complaint has been made or other relevant regulatory body), for discharging our statutory functions or where permitted or required by law.  If the information provided is inaccurate or incomplete, consideration of the complaint may be affected (see Note below).

    (f) Personal data collected from job applicants who respond to a recruitment notice posted on our website is used for consideration of the applicant’s job application and for recruitment related purposes, and will not be used for any other purposes, disclosed or transferred without your consent, unless such use, disclosure or transfer is permitted or required by law.

  4. Information collected when you visit our website

    When you visit our website, a record of your visit is made as a "hit", which may show your Internet Protocol (“IP”) address and the pages you have visited. No personally identifiable information is collected under this circumstance. We use such information for statistical purposes, and for the purposes of maintaining and improving our website.

    When you browse our website, you should be aware that cookies are used. Cookies are data files stored on your computer’s hard drive. Our website automatically installs and uses cookies on your browser or computer’s hard drive when you access it. The types of cookies used on our website are session cookies and persistent cookies. The purpose of using cookies is to help us improve website performance and user’s experience as they store the font size and language information when you are browsing our website.

    The cookies used in connection with our website do not collect or store personally identifiable information. You may refuse to accept cookies on your browser by modifying the settings in your browser or internet security software. This may prevent you from taking full advantage of all the functions of our website.

  5. Outsourcing arrangements

    The IA’s internal Information Technology (“IT”) systems are developed and maintained by in-house staff and local third-party service providers. The third-party service providers do not have access to personal data stored in the IT systems except when they are carrying out trouble-shooting on them at IA’s offices or data centres under the supervision of the IA’s staff.

    The IA’s website is developed and maintained by local third-party service providers. All the IA’s service providers are bound by contractual duty to keep confidential any data they come into contact with against unauthorized access, use, retention, disclosure and transfer.

  6. Retention

    Different retention periods apply to the various kinds of personal data collected and held by us. We take all reasonably practicable steps to ensure that personal data will not be kept longer than is necessary for the fulfilment of the purposes (or any directly related purpose) for which the data is or is to be used, unless the retention is otherwise permitted or required by law. 

    In general, the following retention periods apply to the personal data collected via our website:

    (a)  Personal data provided through general enquiries and “Insurtech Corner” or other similar section / function on our website is retained for a maximum of one year after the last communication with the person to whom the personal data belongs.  

    (b)  Personal data provided when you subscribe to our subscription service will automatically be deleted after you unsubscribe from the service.

    (c)  Personal data provided (whether submitted electronically or physically via forms available on this website) in any authorization, licensing or registration applications, returns, access to information request and any other form of request for information is retained for a maximum of seven years for the proper discharge of our functions (save for the cases where authorization, licence or registration is granted or accepted).

    (d)  Personal data provided in submissions in response to public consultation papers will be destroyed after one year upon publication of the conclusion of the consultation exercise.

    (e)  Personal data provided in the “Complaint Form” is retained for a maximum of seven years from the date of the case closure under normal circumstances.

    (f)  Personal data collected from job applicants who respond to a recruitment notice posted on our website, where the application is unsuccessful, will be destroyed after six months from the close of application.

  7. Public registers

    We are required to maintain public registers containing specified data relating to authorized insurers and licensed insurance intermediaries pursuant to the relevant provisions of the Insurance Ordinance (Cap. 41 of the Laws of Hong Kong) or any rules or regulations made thereunder. In this connection, such public registers may contain certain personal data of individuals, and the public in Hong Kong or elsewhere may inspect such public registers.

  8. Security

    We take appropriate steps to protect personal data we hold against loss, unauthorized access, use, modification or disclosure. All personal data you provide to us on this website is secured on our website.

  9. Access and correction

    You have the right to request access to and correction of your personal data held by us about you in accordance with the provisions of the PDPO. Please note that all data access requests should be made using the form specified by the Privacy Commissioner for Personal Data which is accessible from the following link  "Data Access Request Form".

    When handling a data access or correction request, we will check the identity of the requestor to ensure that he/she is the person legally entitled to make the data access or correction request. A reasonable fee may be charged to offset our administrative and actual costs incurred in complying with your data access requests.

    We do not provide online facilities for you to delete or correct personal data held by us.

    Any requests for access to or correction of personal data held by us should be sent by post to:

    The Data Privacy Officer
    Insurance Authority
    19/F, 41 Heung Yip Road
    Wong Chuk Hang
    Hong Kong

  10. Enquiries

    Any enquiries regarding personal data privacy policy and practice may be addressed to the Data Privacy Officer at the above correspondence address by post or via e-mail.

Note: Please note however, that where a complainant discloses information to us, and notwithstanding our policy that wherever possible the identity of complainants should not be revealed to outside parties, if the information is held or used for certain purposes related to law enforcement and regulation, we are exempt from the application of data protection principles 3 and 6 (use of personal data and access to personal data) by section 58 of the PDPO. The information can then be used for these purposes whether or not a complainant gives authority. The purposes include the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, and protecting the public from financial loss arising from dishonesty, incompetence, malpractice or seriously improper conduct by persons concerned in the provision of financial services.