Interpellation Bendahan (19.4577): How is the risk of data transfer within an insurer monitored?
Insurers have more and more means at their disposal to collect data about their customers. Technological developments (such as the smart watch) now make it possible, for example, for insured persons to transmit health data and thus obtain a small reduction in their insurance premium. Premiums can also be influenced by recording and transmitting one’s own behavior (for example, driving behavior). Some insurance companies also send their policyholders health questionnaires. In doing so, there is a risk that the data collected will be passed on within the company to another insurance company, or even to third parties, even though the company has indicated that it will not pass on the information.
1. What measures are currently in place to control the internal and external transmission of data by insurers?
2. Can the Federal Council guarantee that there will be no transfer of information between the basic and supplementary insurances if the insured person has taken out both insurance policies with the same company?
3. Can the Federal Council ensure that the data collected in the context of an insurance policy are not used for the decision to take out another insurance?
4. Does the Federal Council consider it compatible with the law for health insurers to use data collected under the basic or supplementary insurance as a basis of decision for the other insurance, since one is not allowed to make a profit and the other is?
Statement of the Federal Council dated 19.2.2020
1. In its regular audits of insurers, the Federal Office of Public Health (FOPH) checks whether sensitive personal data (diagnoses, detailed medical reports) are stored in the patient file and how access to this data is regulated. It also checks that medical examiners only pass on to the responsible offices of the insurers the information that is necessary to decide on the obligation to pay benefits, in particular in accordance with Article 57 Paragraph 7 of the Federal Health Insurance Act (KVG; SR 832.10).
2. The transfer of data between basic insurance and supplementary insurance is only permitted with the consent of the insured person. In addition, the Federal Administrative Court, in its ruling of March 19, 2019 (A‑3548/2018) regarding the legality of a data exchange between supplementary insurance and basic insurance within the framework of a smartphone app, held that the collection of personal data by the supplementary insurer from the KVG insurer is not lawful, since the insured person had not validly consented. The supplementary insurer is to be regarded as a third party within the meaning of Article 84a (5) letter b KVG.
Since there is no strict separation between basic insurance and supplementary insurance, the Federal Council cannot rule out the possibility that data may be exchanged between insurers without the consent of insured persons if the two classes of insurance are operated within the same legal entity or the same insurance group. For this reason, in view of the high sensitivity of the health data, the Federal Council considers it essential that the insured person must give their express written consent in each individual case for the processing of their personal data.
The Federal Council has already commented on this issue in its response of November 27, 2019, and rejected the motion 19.3960 “Legal Basis for the Disclosure of Data to Private Health Insurance Institutions” proposed by the National Council’s State Policy Committee. In addition, in fulfillment of the Heim postulate (08.3493), a report, “Protection of patient data and protection of insured persons” of December 18, 2013, was created. This inventory enabled it to examine in detail how insurers ensure the protection of patient data. The Federal Council attaches great importance to this topic and has therefore undertaken to draw up a new report, which is currently being prepared.
3. and 4. For the Federal Council, it is important that the transmission of data between basic insurance and supplementary insurance, which are different by nature, is avoided.
Article 84 KVG stipulates that insurers may only process personal data to fulfill the tasks assigned to them under the KVG. In addition, processing must also comply with the principle of proportionality: Only personal data that is actually necessary to achieve the purpose for which it was collected may be processed (Art. 4 Para. 2 of the Federal Data Protection Act [FADP; SR 235.1]). Collecting and processing data beyond this purpose would not be in compliance with the law.
However, without a strict separation between basic insurance and supplementary insurance, the Federal Council cannot guarantee, based on the legal bases mentioned above, that the data collected in the context of basic insurance will not be used by the supplementary insurer to refuse to conclude a contract.