You can be on Entrepreneur’s cover!

Data Protection & Privacy in the Insurance Industry Here's the additional framework for the protection of policyholder information and data, which is required to be followed in addition to the general framework under the IT Act

By Sonam Chandwani

Opinions expressed by Entrepreneur contributors are their own.

You're reading Entrepreneur India, an international franchise of Entrepreneur Media.

The digital revolution in India has disrupted the business environment in all industries and the insurance industry is no exception. Digitization enhances efficiency and reduces the cost of transacting business however there remain several challenges to the adoption of emerging technologies such as disruption to the traditional insurance ecosystem, uncertain consumer adoption, return on investment and data privacy and security.

Emerging technologies usually deal in customer data which can be used to drive insights related to historical health issues and behavioural patterns of customers. Increasing regulations related to customer personal data around the globe and in India will continue to pose additional challenges for insurers and insurance providers alike.

The Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) set out the general framework with respect to data protection in India. However, given the nature of the business of insurance companies and intermediaries, the Insurance Regulatory and Development Authority of India (IRDAI) has prescribed an additional framework for the protection of policyholder information and data, which is required to be followed in addition to the general framework under the IT Act.

Regulatory Framework Governing Insurance Companies

The IRDAI has made it mandatory for all the insurance companies to ensure the protection and maintenance of confidentiality of all the information that they have collected. Below are some of the relevant data protection regulations applicable to insurance companies:

  1. IRDAI (Maintenance of Insurance Records) Regulations, 2015 – Pursuant to Regulation 3(3)(b), 3(9) insurers are required to ensure that: The system in which the policy and claim records are maintained has adequate security features, and the records pertaining to policies issued and claims made in India (including the records held in electronic form) are held in data centres located and maintained in India.

  2. IRDAI (Health Insurance Regulations), 2016 – Pursuant to Regulation 35(c) insurers, third party administrators (TPAs) and network providers (i.e., hospitals) are required to comply with data related matters as may be specified in guidelines prescribed by the IRDAI (if any).

  3. IRDAI (Protection of Policyholders' Interests) Regulations, 2017 – Pursuant to Regulation 19(5) insurers are required to maintain total confidentiality of policyholder information unless it is legally necessary to disclose the same to statutory authorities.

  4. IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017 – Pursuant to Regulation 12 insurers are required to ensure that the:

    • The outsourcing service provider has adequate security policies to protect the confidentiality and security of policyholder information;

    • Information and data parted to outsourcing service providers remain confidential; and

    • Customer data is retrieved with no further use of the same by the service provider once the outsourcing agreement is terminated.

Regulatory Framework Governing Insurance Intermediaries

Intermediaries in the insurance sector such as – brokers, individual agents, corporate agents, third party administrators (TPAs), surveyors, loss assessors, and web aggregators – serve as a bridge between customers and insurance companies, by facilitating the process for selection and purchase of insurance products and assisting in the servicing of policies and assessment of claims. Therefore, intermediaries are also bearers of confidential information and thus are subject to obligations relating to data protection and preservation of confidentiality prescribed by the IRDAI.

Whilst each intermediary is subject to its own regulations and code of conduct as set out in the table hereinbelow, the provisions in relation to data protection of the policyholder are common for all intermediaries. Inter alia, they prescribe that insurance intermediaries –

  • Treat all information supplied to them by prospective clients as completely confidential to themselves and to the insurer(s) to which the business is being offered

  • Take appropriate steps to maintain the security of confidential documents in their possession, including by way of restricting access to such information, execution of confidentiality undertakings, etc.

While a similar regime has been prescribed for insurance surveyors and loss assessors, the extant regulations permit surveyors and loss assessors, as an exception, to disclose information pertaining to a client, employer or policyholder to any third party, only where necessary consent has been obtained from the interested party. It is however clear that the surveyors and loss assessors are prohibited from using (or appearing to use) any confidential information to their personal advantage or to the advantage of a third party.

Specifically, in relation to TPAs, the IRDAI (Third Party Administrators – Health Services) Regulations, 2016 (TPA Regulations) requires the TPAs to not share the data and personal information of customers received by them for servicing insurance policies or claims. A limited exception to this rule has been carved out for disclosure of confidential information to any court of law, tribunal, government or the IRDAI in the event of any investigation being carried out (or proposed to be carried out) against the insurer, TPA or any other person or for any other reason. The aforesaid exception is similar to the carve-out under Rule 6 of the SPDI Rules, which permits government agencies mandated under law to obtain information (including sensitive personal data or information) for specified purposes, without obtaining the prior permission of the provider of such information.

Insurance Regulatory Sandbox

A 'Regulatory Sandbox' is a testing environment created by the relevant regulatory authority to provide market players with an opportunity to safely and securely execute and test their innovative products, services, business models and delivery mechanisms, in an orderly manner, which aims at protecting the customers and at the same time safeguarding the interest of the stakeholders.

Shortly after the issuance of the RBI Regulatory Sandbox, on 18th May 2019, the IRDAI issued the "Draft Insurance Regulatory and Development Authority of India (Regulatory Sandbox) Regulations, 2019" (IRDAI Regulatory Sandbox). The objective of the IRDAI Regulatory Sandbox is to create a balance between the orderly development of the insurance sector on one hand and protection of interests of policyholders on the other, while at the same time facilitating technological innovation by way of relaxing provisions of any existing regulations framed by the IRDAI, for a limited scope and limited duration.

On approval of an application, the IRDAI chair may relax the applicability of one or more provisions of any regulations, guidelines or circulars requested in the application, subject to the conditions for approving the application or any other conditions which the chair deems necessary. The Regulatory Sandbox Regulations expressly state that no relaxation will be granted in relation to the Insurance Act 1938 or the Insurance Regulatory and Development Authority (IRDA) Act 1999.


The underlying objective of the regulation is to encourage good data practices and retain customer trust in the insurance businesses. Instead of treating it as a mere compliance task, companies should welcome the newly introduced regulations as a great opportunity for them to win customer trust and gain competitive advantages. Though insurers may be acutely impacted by the regulation, their path to compliance is similar to any other impacted sector: revisiting systems and processes to assess readiness for this regulation and investing in filling gaps.

Sonam Chandwani

Managing Partner at KS Legal and Associates

Sonam Chandwani founded KS Legal & Associates in 2013 with the vision of having a client-driven firm which offers proactive and feasible legal solutions.  

She had an experience of working with a leading engineering and trading company, wherein she oversaw high-value disputes, advised company management and led the company's legal functions. Sonam has focused on complex litigation and advisory for over seven years, with extensive experience in the areas of Arbitration, Insolvency and Bankruptcy, Banking and Finance, Real Estate Disputes and Corporate Litigation, to name a few. Her combination of substantial litigation experience and in-house responsibility positions her to understand needs and earn the trust of clients, both in contentious disputes and proactive risk avoidance.

She is especially noted for her exacting attention to efficiency in litigation, both in controlling costs and in being selective about avenues to pursue in litigation.

Business News

James Clear Explains Why the 'Two Minute Rule' Is the Key to Long-Term Habit Building

The hardest step is usually the first one, he says. So make it short.

News and Trends

What Led Elon Musk To Postpone India Trip

'Heavy Obligations', global layoffs and huge bot operations running on the micro-blogging site X, the reasons are plenty

News and Trends

IT Firm Happiest Minds Technologies Acquires Macmillan Learning India

The deal will likely be finished by April 30 and will cost INR 4.5 crore.

Business News

Microsoft's New AI Can Make Photographs Sing and Talk — and It Already Has the Mona Lisa Lip-Syncing

The VASA-1 AI model was not trained on the Mona Lisa but could animate it anyway.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Business Solutions

Grab Microsoft Project Professional 2021 for $20 During This Flash Sale

This small investment is well worth the time it will save your team in organizing and monitoring project work.