ICA calls for clear, outcomes-based rules on AI, data and privacy in insurance

ICA sets clear position on digital reforms for Australia's general insurers

Australia's Productivity Commission has put data and digital policy on the table. The Insurance Council of Australia (ICA) has responded, backing practical reforms that improve efficiency without adding duplicate regulation.

The submission focuses on four fronts that matter to insurers: AI governance, data access, privacy settings, and digital financial reporting. Below is what changed, what didn't, and what to prepare for.

AI in insurance: innovate with accountability

The ICA recognises that AI already lifts productivity across underwriting, claims, fraud, and service. The message: keep adoption moving, but avoid new rules that overlap with existing obligations.

The ask to policymakers: use current frameworks where possible and avoid uncertainty that slows deployment and customer value.

• Map AI use cases to existing laws (privacy, discrimination, product governance) and close any gaps with policy and controls.
• Stand up model risk governance: documentation, testing, monitoring, and escalation for high-impact models.
• Build an explainability playbook for decisions that affect premiums, claims, or eligibility.

Data access and the Consumer Data Right (CDR)

The ICA supports consumer access to data but flags sector-specific limits. General insurance data is built on risk assessments and commercially sensitive inputs, which don't neatly standardise across insurers.

The position: extend data access only where there is clear, evidence-backed consumer benefit and productivity gain, noting insurers already comply with multiple data access and governance rules.

• Inventory data classes (personal, risk-derived, proprietary) and define what is appropriate to share.
• Assess interoperability risks; avoid exposing risk models or pricing IP through standardised interfaces.
• If CDR moves ahead, plan minimum viable APIs and consent flows that meet legal obligations without duplicating existing portals.

See the Consumer Data Right for program scope and updates.

Privacy: outcomes-based rules and a compliance defence

The ICA backs outcomes-based privacy regulation and supports introducing a compliance defence pathway. That defence should act as a safeguard for good-faith compliance, not a new layer of obligations.

The ICA also supports the recommendation against a right to erasure and calls for testing other privacy proposals to keep regulation non-prescriptive and workable.

• Operationalise a compliance defence: evidence risk assessments, DPIAs, retention rules, controls, and audits.
• Refresh retention schedules so they balance legal hold, prudential needs, and customer expectations without implying erasure rights that conflict with record-keeping duties.
• Tighten third-party data processing clauses for audit rights, security, and breach response.

Digital financial reporting: benefits, but time is needed

Digital reporting can deliver efficiency and better analysis, especially alongside AI-driven review. However, general insurers are already aligned to ASIC's Financial Reporting Taxonomy.

The caution: any move to mandatory digital reporting needs sufficient lead time due to ongoing reforms and system upgrades.

• Run a gap analysis against current ASIC taxonomy and reporting pipelines.
• Phase upgrades: data quality, tagging, validation, and audit trail.
• Coordinate finance, actuarial, and IT on controls and sign-off timelines.

What this means for insurance leaders

The ICA is advocating for targeted, workable reforms: clear AI guardrails without duplicate rules, measured data access that protects risk IP, practical privacy settings, and realistic timelines for reporting change.

Expect continued engagement as the Productivity Commission progresses to its final report. Use this window to align internal policies and document compliance evidence so you can move fast when rules are finalised.

For official updates, visit the Productivity Commission.