Global Privacy Framework and Privacy Approach Summary

QBE is committed to respecting QBE customers’ privacy, protecting their personal information from misuse or unauthorised disclosure, and complying with privacy laws.

QBE’s Global Privacy Framework (“Framework”) defines the core principles of QBE’s privacy program which are the foundation of QBE’s ongoing compliance with privacy laws globally. The Framework requires that QBE’s privacy programs support four key privacy principles:

Principle 1 – Embed – QBE will embed a culture of respect for privacy that enables compliance. Good privacy management begins with good governance and respect for privacy issues and their risks across our organisation’s activities. #dotherightthing

Principle 2 – Establish – QBE will establish robust and effective privacy practices, procedures and systems. Good privacy management requires the development and implementation of robust and effective practices, procedures and systems.

Principle 3 – Evaluate – QBE will regularly evaluate the effectiveness and appropriateness of our privacy practices, procedures and systems to ensure they remain effective and appropriate.

Principle 4 – Enhance – QBE will enhance our response to privacy issues. Good privacy management requires the development and implementation of robust and effective practices, procedures and systems.

The Framework should be read in the context of local privacy requirements and laws. The Framework applies across QBE and to all our divisions, along with all employees, contractors, contingent workers, directors and agents of QBE and all of QBE’s controlled entities and to QBE joint ventures, where appropriate. 

QBE has a Group Privacy Officer (“GPO”) who is responsible for the Framework, which seeks to ensure that there are robust and effective privacy practices, procedures and systems in place across the global business. The GPO reports to the Chief Compliance Officer, who reports to the Group Chief Risk Officer.

Each division has a local privacy officer or privacy compliance lead (or equivalent), who is responsible for handling local internal and external privacy enquiries and complaints, and for managing individual privacy rights requests, such as for access and correction.

The Global Privacy Council (“GPC”) is chaired by the GPO and is populated with local divisional privacy officers/privacy compliance leads (or equivalent), legal, IT-security and compliance personnel. The GPC is a second-line advisory, information-sharing and evaluation group for considering global (or multi-divisional) matters with high potential or actual privacy implications. Its role is to ensure there is adequate advice, consideration and review of privacy implications relating to any potentially high privacy risk activities, whether new, existing or changing. This includes undertaking privacy impact assessments with business stakeholders to identify and advise mitigations to privacy risks.

The GPC is also responsible for the Group-wide privacy governance and work program and for ensuring that the program meets the requirements of the Group Compliance Risk Policy. QBE operates in compliance with applicable privacy laws in the countries in which it operates, including the EU General Data Protection Regulation and the Australian Privacy Act 1988 (Cth).

All staff at QBE receive compliance training. This includes Information Security and Privacy training which is relevant to the employee’s role. The online training course content includes topics such as data protection, collection/storage/security of personal information, sensitive information and dealing with data breaches.

The Group Privacy Officer can be contacted via group.privacy@qbe.com.