The Life Insurance Code Compliance Committee (Life CCC) has issued a formal warning to a life insurer after finding that underwriting staff collected medical information from customers over a four-year period without first obtaining valid consent under the Life Insurance Code of Practice.
In a de-identified case summary, the committee said the conduct occurred between March 2020 and March 2024 and affected more than 2,000 customers across 2,171 applications. During that period, the insurer requested and received medical information from health providers before obtaining a medical authority that met the code’s consent requirements. The issue arose after the insurer redeployed staff from a business area where consent was captured using prescribed wording as part of the application process to another area where consent was not automated. In that new setting, staff requested medical information on the assumption that valid consent had already been obtained, when it had not.
The problem was not identified through internal quality assurance or monitoring and was first detected following a customer complaint in early 2024. Life CCC chair Jan McClelland AM said the conduct related to a central protection under the code. “Collecting medical information without valid consent is a serious failure of a fundamental customer protection under the code. Customers must clearly understand what medical information is being requested, how it will be used, and how it will be protected. That transparency is central to informed consent,” McClelland said.
Under clause 4.10 of the Life Insurance Code of Practice, life insurers must obtain customers’ consent using prescribed authority wording, developed by the Council of Australian Life Insurers (CALI) and the Royal Australian College of General Practitioners, before seeking medical information. The wording is designed to ensure customers understand what information will be collected, how it may be used or shared, and the privacy safeguards that apply. The Life CCC found that the insurer’s consent controls did not operate as intended once manual steps replaced automated capture of authority.
The committee said the case showed that process changes and manual workarounds can affect how existing controls perform if they are not backed by effective oversight. “Operational changes must not compromise core compliance safeguards. This case highlights the need for strong oversight and monitoring, especially where manual steps are introduced,” McClelland said. Because customers had not provided explicit, informed consent, the committee said they faced a risk that their medical information could be handled or used in ways they might not have agreed to if fully informed.
After identifying the issue, the insurer carried out an internal review to determine the cause, scope, and duration of the breach and apologised to affected customers. It introduced additional training and guidance for underwriting teams, implemented system changes to automate consent processes, and adjusted quality assurance and monitoring procedures to help detect similar issues. In deciding on a sanction, the Life CCC considered the length of time over which the breach occurred, the number of customers affected, the fact that a customer complaint rather than internal monitoring led to discovery, and the remediation and longer-term rectification measures taken by the insurer.
The committee concluded that a formal warning was an appropriate outcome in this case. The warning sets out the committee’s expectations for changes to consent controls and monitoring, particularly where manual procedures are used, and indicates that further non-compliance in similar circumstances could result in stronger enforcement action. The Life CCC stated that sanctions are determined individually and that this outcome does not establish a precedent for public naming or for future penalties. The committee said it released the case summary to describe how the breach occurred, outline the factors it considered in assessing seriousness, and provide information to the industry on how gaps in consent processes can arise during operational changes.
The sanction is aligned with the Life CCC’s broader compliance focus. In recent reporting on its activities, the committee has outlined an oversight approach that places more attention on systemic issues and links monitoring activity to customer outcomes. As part of this approach, the Life CCC has continued inquiries into mental health underwriting and into how life insurers work with Aboriginal and Torres Strait Islander customers, and has begun a review of how claims are managed for policyholders who are sick or injured.
In January 2026, the committee issued Guidance Note 1-2026 on interpreting and applying significant breach obligations under the code. The guidance explains how subscribers should assess whether a breach is significant, report it to the Life CCC within 30 business days of discovery, and plan rectification and remediation. It is accompanied by a Significant Breach Report template that sets out the information to be provided on root causes, controls, and planned corrective actions. McClelland said the committee’s current focus is on how code commitments are put into operation, including consent and privacy requirements. “This is a core commitment under the code. We will continue to actively monitor compliance and take action where necessary,” McClelland said.