Governance
From day one, the Hong Kong Federation of Insurers (HKFI) has attached great importance to data privacy protection in line with public expectations. The IFPCD fully embraces the concept of privacy-by-design in respect of system architecture and operations.
An independent Steering Committee comprising distinguished community leaders and experts in related fields has been set up to oversee the proper establishment and operations of the IFPCD to ensure that public interest is well safeguarded.
Steering Committee
To advise on and oversee the setting up and implementation of the IFPCD to ensure that:
The construction of the system fully adheres to the cardinal principle of data privacy protection by design;
It has a proper and effective governance structure for risk control and risk mitigation;
Effective controls and operating procedures are in place to protect personal data privacy;
It is fit for the purpose of detecting potential fraud, particularly fraud involving syndicates;
It operates on the principles of accountability, transparency and independent auditing.
Chairman:
Mr Edward Chan King Sang, SC
Barrister at Law
Non-industry Members:
Industry Members:
Data Privacy
We will be collecting the following data when a new claim is filed:
1. Policy information – e.g. policy number, client ID
2. Claims information – e.g. date of accident, date of treatment
3. Personal data – e.g. ID / passport number, name, date of birth
4. Third party data – e.g. healthcare provider, repair shop
Access to the IFPCD – authorized access only with audit trail
Data Retention – limited to 7 years
Transparency – data subjects can access their own personal data in the IFPCD and request corrections
Accountability – governance structure & sanction for non-compliant insurance companies
Audit – annual and periodic audit by independent party
Data Privacy – Full compliance with Personal Data (Privacy) Ordinance and European Union's General Data Protection Regulation
Data Security
The IFPCD AI technology is provided by Shift Technology, a French company based in Paris with an office in Hong Kong. Shift Technology has confirmed that:
the IFPCD is compliant with the European Union (EU) General Data Protection Regulation (GDPR).
the IFPCD uses highly secured technology including a restrictive firewall, service separation (databases/processing clusters/web interfaces), and encryption of all data transfers.
the systems are subject to regular penetration tests.
there are also stringent controls over the access of data by authorized personnel with specific security badges, connection audits and security rules in place.
the certified data centre that the IFPCD employs is in Hong Kong, with physical protections, and is isolated on a dedicated network that meets SOC1, SOC2 and ISO27001 standards.