Skip to content
Privacy Policy

Privacy Policy

  1. Privacy policy statement

    We respect personal data privacy and are committed to complying with the requirements of the Personal Data (Privacy) Ordinance (“PDPO”) (Cap. 486 of the Laws of Hong Kong). In doing so, we strive to ensure compliance by our staff with the strictest standards of security and confidentiality.

  2. Statement of practice on personal data held by us

    We may collect and hold personal data as an insurance regulator, an employer and in performing our statutory functions under the relevant laws and regulations. When we collect personal data from individuals, we will provide them with a Personal Information Collection Statement (“PICS”) on or before the collection in an appropriate format and manner. The PICS will state (among other matters) the purpose of the collection.

    The broad categories of personal data held by us, and the main purposes of use are:

    (a) authorisation, licensing and registration application records and related returns and notifications, and submissions in response to public consultation papers, used for the purposes of processing the relevant applications, carrying out the consultation, displaying at the public registers (e.g. Register of Insurance Intermediaries) and performing our statutory and administrative functions and activities;

    (b) enquiry, complaint, inspection, supervisory, investigation and enforcement records, used for responding to and handling enquiries, comments or complaints, including conciliation between the parties concerned, investigation, if appropriate, and any enforcement or prosecution, and performing our statutory and administrative functions and activities;

    (c) personnel records, which include job applications and IA staff personal details, job particulars, details of salary, payments, benefits, leave and training records, group medical and dental insurance records, mandatory provident fund schemes participation, performance appraisals and disciplinary matters, etc., used for recruitment and human resources management purposes;

    (d) other administration and operational records, used for various purposes depending on the nature of the records (e.g. for administration of functions and activities, organizing and delivering promotional, educational and training activities, subscription of publications etc.).

    Such personal data may include sensitive personal data (e.g. health information). The provision of personal data is generally voluntary unless otherwise specified. A failure to provide the requested personal data, or the provision of inaccurate or incomplete information may result in us not being able to process your request, application, submission, enquiry, complaint or matter (as the case may be), or for us to perform our statutory and administrative functions under the relevant laws and regulations.

    In performing our statutory and administrative functions under the relevant laws and regulations, personal data held by us may be disclosed to relevant courts, tribunals and committees, and/or other local and/or overseas regulatory / government / judicial bodies as permitted or required under the law, pursuant to any regulatory / supervisory / investigatory assistance arrangements between us and other regulators (local / overseas), or persons engaged by us to assist us in the performance of our statutory functions (see Note below). Information collected in response to public consultation papers may be disclosed to members of the public in Hong Kong or elsewhere.

    Where personal data is transferred to place(s) outside of Hong Kong in connection with such purposes, such place(s) may or may not offer the same or a similar level of personal data protection as in Hong Kong.

  3. Information collected when you visit our website

    When you visit our website, a record of your visit is made as a "hit", which may show your Internet Protocol (IP) address and the pages you have visited. No personally identifiable information is collected under this circumstance. We use such information for statistical purposes, and for the purposes of maintaining and improving our website.

    When you browse our website, you should be aware that cookies are used. Cookies are data files stored on your computer’s hard drive. Our website automatically installs and uses cookies on your browser when you access it. The types of cookies used on our website are session cookies and persistent cookies and they are used to store the font size and language information when you are browsing our website. This cookie cannot read data off your hard disk. The purpose of using cookies is to help us improve website performance and user’s experience.

    The cookies used in connection with our website does not collect or store personally identifiable information. You may refuse to accept cookies on your browser by modifying the settings in your browser or internet security software. This may prevent you from taking full advantage of the website.

  4. Outsourcing arrangements

    The IA’s internal IT systems are developed and maintained by in-house staff and local third-party service providers. The third-party service providers do not have access to personal data stored in the IT systems except when they are carrying out trouble-shooting on them at IA’s offices or data centres under the supervision of IA’s staff.

    The IA’s website is developed and maintained by local third-party service providers. All IA’s service providers are bound by contractual duty to keep confidential any data they come into contact with against unauthorized access, use and retention.

  5. Retention

    Different retention periods apply to the various kinds of personal data collected and held by us. We take all reasonably practicable steps to ensure that personal data will not be kept longer than is necessary for the fulfilment of the purposes (or any directly related purpose) for which the data is or is to be used, unless the retention is otherwise permitted or required by law.

    We do not normally request any personal data via this website. Personal data submitted in making a complaint to the IA will be used, disclosed or transferred only for purposes related to the complaint (e.g. it may be required to be disclosed to the relevant insurer or insurance intermediary against whom a complaint has been made) or where permitted by law. If the information provided is inaccurate or incomplete, consideration of the complaint may be affected.

    Personal data provided (whether submitted electronically or physically via forms available on this website) in any authorization or licensing application form, statement of personal information, annual return, notification on change of information and any other form of request for information or submissions in response to public consultation papers is retained for such period as may be necessary for the proper discharge of our functions.

  6. Public registers

    We are required to maintain public registers containing specified data relating to insurers, insurance brokers and bodies of insurance brokers authorized or approved by the IA pursuant to the relevant provisions of the Insurance Ordinance (Cap. 41 of the Laws of Hong Kong) or any rules or regulations made thereunder. In this connection, such public registers may contain certain personal data of individuals, and the public in Hong Kong or elsewhere may inspect such public registers.

  7. Security

    We take appropriate steps to protect personal data we hold against loss, unauthorized access, use, modification or disclosure. All personal data you provide to us on this website is secured on our website.

  8. Access and correction

    You have the right to request access to and correction of your personal data held by us about you in accordance with the provisions of the PDPO. Please note that all data access requests should be made using the form specified by the Privacy Commissioner for Personal Data which is accessible from the following link "Data Access Request Form".

    When handling a data access or correction request, we will check the identity of the requestor to ensure that he/she is the person legally entitled to make the data access or correction request. A reasonable fee may be charged to offset our administrative and actual costs incurred in complying with your data access requests.

    We do not provide online facilities for you to delete or correct personal data held by us.

    Any requests for access to or correction of personal data held by us should be sent by post to:

    The Data Privacy Officer
    Insurance Authority
    21.F, Queensway Government Offices
    66 Queensway
    Hong Kong

  9. Enquiries

    Any enquiries regarding personal data privacy policy and practice may be addressed to the Data Privacy Officer at the above correspondence address by post or via e-mail at [email protected]

Note: Please note however, that where a complainant discloses information to us, and notwithstanding our policy that wherever possible the identity of complainants should not be revealed to outside parties, if the information is held or used for certain purposes related to law enforcement and regulation, we are exempt from the application of data protection principles 3 and 6 (use of personal data and access to personal data) by section 58 of the PDPO. The information can then be used for these purposes whether or not a complainant gives authority. The purposes include the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, and protecting the public from financial loss arising from dishonesty, incompetence, malpractice or seriously improper conduct by persons concerned in the provision of financial services.