General Insurance Code Governance Committee (CGC) Privacy Policy

‘CGC’, ‘we’, ‘us’ or ‘our’ refers to the General Insurance Code Governance Committee (CGC) its members and the Secretariat

About the CGC

The CGC provides stewardship of the Code by helping the general insurance industry understand and comply with the Code and is responsible for the independent administration and enforcement of the Code. The CGC comprises an independent Chair, Consumer Member and Industry Member and is established by the independent Code Governance Committee Association[1] (Association) which under its Constitution sets out the Charter of the CGC.

The Insurance Council of Australia (ICA), the representative body of the general insurance industry, voluntarily established the General Insurance Code of Practice (Code) to improve consumer outcomes, by committing general insurers and other industry participants to high and mandatory standards of service that go beyond legal requirements.

The Code covers most general insurance products bought by consumers and small businesses and it applies to companies that have adopted or ‘subscribed’ to the Code, known as Code Subscribers.

Under the Code the CGC has been tasked with the responsibility of establishing a transparent and independent governance framework to ensure Code Subscribers’ compliance is effectively monitored and enforced, and drive better Code compliance to improve services overall.

The CGC’s functions and responsibilities include:

  • monitoring and enforcing Code Subscribers’ compliance with the Code by
    • requiring Code Subscribers to report breaches and significant breaches of the Code,
    • receiving, investigating, and making decisions about reports of possible breaches from consumers, the Australian Financial Complaints Authority (AFCA) and others,
    • investigations, analysis of data and evidence, and stakeholder engagement,
    • conducting detailed monitoring activities to identify areas for improvement of insurance practices;
  • imposing corrective actions for Code Subscribers to implement within an agreed timeframe and monitoring their compliance;
  • imposing sanctions;
  • publishing reports and guidance notes; and
  • advising the ICA on improvements to the Code.

We publish and share information about our monitoring activities and Code Subscribers’ compliance and provide information to AFCA, government, regulators, consumers, small business and the community.

So that we can carry out our functions and perform our activities we work with a carefully selected group of third parties that include the ICA, the Association , AFCA, Code Subscribers, other industry participants acting on behalf of Code subscribers who are bound by the Code, parties to CGC investigations, regulators, technology and data companies.

Our work with them often involves sharing personal information and this Policy sets out how and when we share that information.

Our Commitment

We are bound by the Privacy and Confidentiality obligations that are set out under the Code and the Charter, and abide by the Privacy Act 1988 (including the Australian Privacy Principles, and Mandatory Data Breach Notification) which sets out the principles for the appropriate handling of personal information that we collect, use, disclose and store.

We are committed to handling all personal information carefully, responsibly and securely ensuring that we manage personal information in an open and transparent way.

Notification of our Privacy Policy

When we collect personal information about an individual, we will notify the individual of our Privacy Policy by:

  • Publishing the Privacy Policy on the CGC website; and
  • Providing a copy of the Privacy Policy on request.

Personal Information (PI)

Is defined as “information or an opinion, whether true or not, in a material form or not, about an identified individual or an individual who is reasonably identifiable.  Common examples include; name, address, email address, date of birth, tax file number, or bank account details.”

The personal information we collect and hold

Most of the personal information we collect will be collected directly from the individual and may include their full name, address, telephone numbers, email, date of birth and gender.

We may also collect personal information about the individual that is publicly available – for example, on social media or available from public registers e.g. Australian Securities and Investments Commission (ASIC), Australian Business Register (ABR). We will only collect this information if it is impractical to collect it directly from the individual, or when we’re permitted to do so.

Sensitive information

Individuals or their representatives may provide us with sensitive personal information which may include health or medical information about an individual, where the information is reasonably necessary for us to undertake one or more of our functions or activities.

We ensure that individuals have always provided explicit consent to the collection and distribution of their sensitive information.


Any consent that we require from an individual to enable us to carry out our functions or activities, and collect, use or share, personal or sensitive information of the individual shall be recorded in our case management system.

When we get information we didn’t ask for

Sometimes we may receive personal information that we haven’t asked for. If we think this information is needed, we will keep it securely; otherwise, we will take reasonable steps to destroy or de-identify it as soon as practicable.

Anonymity and pseudonymity

When dealing with us, individuals may choose not to identify themselves or want to use a pseudonym. This may prevent us from being able to carry out some or all of the functions for which personal information is required, including investigating an allegation, or where certain personal information has not been provided.

Individuals who contact us by telephone are not always required to disclose their identity.

How we use personal information

We may use personal information for the functions and activities that are concerned with:

  • investigating and determining allegations of Code breaches from individuals or their representatives;
  • initiating own motion inquiries or audits into Code Subscribers’ compliance with the Code;
  • monitoring Code Subscribers’ compliance with the Code;
  • investigating and monitoring aspects of the Code that have been referred by AFCA;
  • complying with legal and regulatory obligations;
  • if otherwise permitted or required by law; or
  • for another purpose, only with the individual’s informed consent, unless it has been withdrawn.

How we share personal information

We only share personal information as described above with third parties for the agreed purpose.

We may also share personal information with third parties if permitted or required by law.  Sharing personal information with a third party for any other purpose will only be done with the prior consent of the individual in the manner set out above.

Outside of Australia

The personal information of our employees, systems and most of the third parties we share information with are located in Australia, but some of this personal information might be stored in “cloud” solutions or otherwise in locations overseas.

We will not disclose personal information to third parties overseas, unless we have informed consent from the individual.

Keeping personal information we hold safe

Whether on paper or electronically, we will take all reasonable steps to secure and protect the personal information we hold.

When the personal information is no longer required, we will take reasonable steps to destroy, delete or de-identify it.

Your right of access to personal information we hold

Any individual wishing to gain access to personal information about themselves, should write to us (details below) setting out whether you would like access to all or just a particular part of your personal information. We will acknowledge receipt of your request within 5 working days and provide the information requested, where appropriate, within a reasonable time.

In line with our commitment to protect your privacy, we may ask you to verify your request.

You may ask us to delete personal information we hold about you and your organisation and we will take reasonable steps to do so, following completion of any relevant investigation.

Accuracy of personal information

If you think that personal information we hold about you is inaccurate, please contact us at [email protected] and we will correct any identified inaccuracies or let you know why we cannot do so.

Complaints and enquiries

If you have a complaint about the way we handle personal information, please contact us and we will respond as soon as possible to resolve the issue. We also welcome any questions and comments you may have about our privacy practices.

Contacting CGC

The contact details for these purposes are as follows:

General Manager, Codes

P.O. Box 14240 Melbourne VIC 8001

Telephone: 1800 931 678 (ask for the Code Compliance and Monitoring team)

Email: [email protected]

Changes to this Privacy Policy

This Privacy Policy is effective as of 19 September 2019.

Any changes or amendments will apply to all the information we hold at the time of the update. We will post the updated Privacy Policy on our website and we encourage you to check this page from time to time.

[1] The Association is an incorporated body whose main objective is to provide for the appointment of candidates to the CGC to ensure it can operate independently and fulfil its functions under the Code and Constitution.