Medical information request too broad

Privacy & confidentiality, Life Insurance,
Sarah bought a life insurance policy with death and terminal illness benefits through her bank. Eight years later, she was diagnosed with a serious illness and lodged a terminal illness benefit claim.
May 2014

During its assessment of the claim, the bank asked Sarah to authorise the release of medical information, which she did. The bank asked her doctors for full medical records going back two years. After assessing Sarah’s records, the bank declined her claim because she was seriously ill, not terminally ill.

Sarah complained about the bank’s collection of two years of medical records. She had thought it would collect information only about the diagnosed condition. She did not believe the bank needed the other medical information for her claim and thought it had “over-collected” personal information. She felt embarrassed and humiliated.

The bank explained that its standard practice was to seek information covering a certain period of time. It needed to discover pre-diagnosis events to help with its claim assessment.  

Our investigation

We considered Sarah’s complaint in light of the Privacy Commission’s 2009 review of insurers’ medical notes collection. Its report noted the tension between insurers’ legitimate need for detailed medical information to make claims decisions and an individual’s right to privacy. 

We looked at:

  • whether Sarah had authorised the collection of full medical notes for a two-year period
  • whether the collection of full medical notes was necessary for the insurance decision. 

We were not satisfied Sarah had authorised the collection of full medical notes. The bank’s authority form suggested to us that an insured person could reasonably understand that the information collected would be relevant to the condition claimed for. The bank accepted our finding on this, and undertook to review the information it requested. 

Nor were we satisfied it was necessary to collect Sarah's full medical notes. We appreciated there might be relevant medical information for an insurer in the period leading up to a diagnosis, but we considered this could be obtained by requesting medical notes about the condition claimed for, including pre-diagnosis investigations and symptoms notes. We considered this would have been a better way for the insurer to obtain medical information for this case.

The bank did not accept our finding on this aspect of the complaint, but did not give its reasons. 

We accepted submissions that Sarah had been shocked and upset at the discovery of the scope of the bank’s information collection and recommended a compensation payment of $850.


 Both parties accepted the recommendation.

Print this page