Global Privacy Framework and Privacy Approach Summary

QBE is committed to respecting QBE customers’ privacy, protecting their personal data from misuse or unauthorised disclosure, and complying with privacy laws.

QBE’s Global Privacy Framework (“Framework”) defines the core principles of QBE’s privacy program which are the foundation of QBE’s ongoing compliance with privacy laws globally. The Framework requires that QBE’s privacy programs support four key privacy principles:

Principle 1 – Embed – QBE will embed a culture of respect for privacy that enables compliance. Good privacy management begins with good governance and respect for privacy issues and their risk across our organisation’s activities. #dotherightthing

Principle 2 – Establish – QBE will establish robust and effective privacy practices, procedures and systems. Good privacy management requires the development and implementation of robust and effective practices, procedures and systems.

Principle 3 – Evaluate – QBE will regularly evaluate the effectiveness and appropriateness of our privacy practices, procedures and systems to ensure they remain effective and appropriate.

Principle 4 – Enhance – QBE will enhance our response to privacy issues. Good privacy management requires the development and implementation of robust and effective practices, procedures and systems.

The Framework should be read in the context of local privacy requirements and laws. The Framework applies across QBE and to all our divisions, along with all employees, contractors, contingent workers, directors and agents of QBE and all of QBE’s controlled entities and to QBE joint ventures, where appropriate. 

QBE has a Group Privacy Officer (“GPO”) who is responsible for the Framework, which seeks to ensure that there are robust and effective privacy practices, procedures and systems in place across the global business. The GPO reports to the Chief Compliance Officer.

Each division has a local Privacy Officer, who is responsible for handling local internal and external privacy enquiries and complaints, and for managing access and correction requests.

The Global Privacy Council (“GPC”) is chaired by the GPO and is populated with local Privacy Officers, legal, IT-security and compliance personnel. The GPC is an advice, evaluation and approval group for matters with potential or actual privacy implications. Its role is to ensure there is adequate consideration and review of privacy implications relating to any activities, whether new, existing or changing. This includes undertaking privacy impact assessments to identify and mitigate privacy risks.

The GPC is also responsible for the Group-wide privacy governance and work program and for ensuring that the program meets the requirements of the Group Compliance Risk Policy. QBE operates in compliance with applicable privacy laws in the countries in which it operates, including the EU General Data Protection Regulation and the Australian Privacy Act 1988 (Cth).

All staff at QBE receive compliance training. This includes Information Security and Privacy training which is relevant to the employee’s role. The online training course content includes topics such as data protection, collection/storage/security of personal information, sensitive information, the QBE privacy impact assessment process and dealing with data breaches.

The Group Privacy Officer can be contacted via groupprivacy@qbe.com.