Global Privacy Framework and Privacy Approach Summary

Last updated - August 2022

QBE is committed to respecting QBE customers’ privacy and protecting their personal data from misuse or unauthorised disclosure and complying with privacy laws.

QBE’s Global Privacy Framework (“Framework”) defines the core principles of QBE’s privacy program which are the foundation of QBE’s ongoing compliance with applicable privacy laws globally. The Framework requires that QBE’s privacy programs support four key privacy principles:

Principle 1 – Embed - Embed a culture of respect for privacy that enables compliance. Good privacy management begins with good governance and respect for privacy issues and its risk across our organisation’s activities. Diligence #DoTheRightThing

Principle 2 – Establish - Establish robust and effective privacy practices, procedures and systems. Good privacy management requires the development and implementation of robust and effective practices, procedures and systems. Transparency #OutsideIn, Fairness, #Together 

QBE maintains local policies or processes that meet the principles known as ‘Fair Information Practice Principles’. 

Principle 3 – Evaluate – Evaluate our privacy practices, procedures and systems. Regularly examine the effectiveness and appropriateness of our privacy practices, procedures and systems to ensure they remain effective and appropriate. Awareness #KnowYourStuff

Principle 4 – Enhance – Enhance our response to privacy issues. Good privacy management requires the development and implementation of robust and effective practices, procedures and systems. Responsibility #OwnItNow

The Framework applies to all employees and should be read in conjunction with applicable Divisional privacy frameworks and policies.

QBE’s global privacy program is governed centrally through the QBE Group Compliance team: the Group Privacy Officer reports to the Chief Compliance Officer, who in turn reports to the Group Chief Risk Officer. Divisional local privacy programs are managed locally in addition. The Group Privacy Officer is responsible for the Framework which seeks to ensure that there are robust and effective privacy practices, procedures and systems in place across the enterprise.

Each division has a local privacy officer or privacy compliance lead (or equivalent), who is responsible for: providing internal privacy advice (including in local privacy impact assessments) and applicable local privacy trainings; supporting First Line with privacy compliance, maintaining privacy notices, retention requirements, handling local internal and external privacy enquiries and/or complaints and breach response; and supporting First Line with considering and managing data subject rights requests including access, correction and deletion requests.

The Global Privacy Council is chaired by the Group Privacy Officer and is populated with local Divisional privacy officers/ privacy compliance leads (or equivalent), Legal, IT-security and compliance personnel. The Global Privacy Council is a second line advisory information sharing and evaluation group for considering global (or multi divisional) matters with high potential or actual privacy implications.

We consider and assess privacy risk locally and globally including undertaking Global privacy impact assessments via the Global Privacy Council for activities that involve multiple Divisions and high or potentially high privacy risk. 

QBE operates in compliance with applicable privacy laws in the countries in which it operates, including the EU General Data Protection Regulation and the Australian Privacy Act 1988 (Cth).

All staff at QBE receive compliance training. This includes Information Security and Privacy training which is relevant to the employee’s role. The online training course content includes topics such as data protection, collection/storage/security of personal data, sensitive personal data and dealing with data breaches.

The Group Privacy Officer can be contacted via [email protected].