This article has been written by Devesh Kumar Yadav pursuing a Diploma in Corporate Litigation course from LawSikho.

This article has been edited and published by Shashwat Kaushik


The sharing of policyholders’ data by insurance companies and insurance intermediaries has long been a concern for policyholders. Many insurance companies and insurance intermediaries engaged in the insurance business collect policyholders’ data through various sources, such as form filling and telemarketing. The data of individuals is protected under Article 21 of the Constitution of India, and the Government of India has enacted various laws for the protection of individuals’ data. A policyholder’s data is also protected under the right to privacy. An insurance company may not misuse policyholders’ data without the consent of the policyholder or the owner of the information.


Key terms of the article

To follow this article, it helps to understand the key terms in its title: policyholder, data sharing, robust, and regime.

The meaning of each term is discussed separately below, so that the title as a whole is clear:

  1. Policyholder: A person who holds a policy is a policyholder. The policyholder is the owner of the policy, and policies are issued to the policyholder by insurance companies or intermediaries.
  2. Policy: A plan of action agreed upon or chosen by a government, a company, etc. is a policy. It sets out the way in which a particular situation is to be handled.
  3. Data sharing: Data sharing is the process by which the same data is made available for use in multiple applications by the same or different organisations or companies.
  4. Robust: Something that is healthy and strong is robust.
  5. Regime: A method or system of government or regulation is called a regime.

Indian government steps towards protection of policyholder’s data

The Government of India has launched several digital initiatives to transform Indian society. These initiatives make government policies and services easily available to the citizens of India in electronic, digitally accessible form.

Various insurance companies, insurance intermediaries, and government companies provide insurance policies to individuals. In doing so, they collect personal data from policyholders, such as name, date of birth, address proofs, health conditions, and income-related data. Sometimes a policyholder’s data is sold to third parties. It is therefore necessary that policyholders’ data not be misused under any circumstances, so as to avoid any kind of fraudulent activity against policyholders.

One of the key pieces of legislation in this regard is the Information Technology Act, 2000 (IT Act). This Act provides a comprehensive framework for regulating electronic transactions and information security in India. It includes provisions related to data protection, such as the requirement for companies to obtain consent from individuals before collecting and processing their personal information. The IT Act also empowers the government to appoint a nodal officer for data protection and establishes a grievance redressal mechanism for individuals who believe their data rights have been violated.

In addition to the IT Act, the Indian government has also introduced specific regulations and guidelines to protect the data of policyholders in the insurance sector. For example, the Insurance Regulatory and Development Authority of India (IRDAI) has issued guidelines on data protection for insurers. These guidelines require insurers to take appropriate measures to secure policyholders’ data, such as implementing strong encryption mechanisms and conducting regular security audits. IRDAI also mandates insurers to provide policyholders with clear and concise information about how their data will be used and protected.

Key requirements outlined by IRDAI include:

  1. Data security: Insurers are mandated to implement robust security measures to protect policyholders’ data from unauthorised access, use, disclosure, or destruction. This includes implementing strong encryption mechanisms, regularly updating software and security patches, and conducting vulnerability assessments and penetration testing.
  2. Access control: Insurers must establish strict access controls to ensure that only authorised personnel have access to policyholders’ data. Access should be granted on a need-to-know basis, and employees should be trained on data security best practices.
  3. Data retention and disposal: Insurers are required to retain policyholders’ data only for as long as necessary for business purposes or as required by law. They must also implement secure disposal methods to prevent unauthorised access to or misuse of discarded data.
  4. Incident response: Insurers must have a comprehensive incident response plan in place to effectively respond to data breaches or security incidents. This plan should include procedures for detecting, containing, and mitigating data breaches, as well as communicating with affected policyholders.
  5. Regular security audits: Insurers are obligated to conduct regular security audits to assess the effectiveness of their data protection measures. These audits should be performed by independent third parties to ensure objectivity and thoroughness.
  6. Policyholder notification: In the event of a data breach or security incident, insurers must promptly notify affected policyholders. The notification should include information about the incident, the potential impact on policyholders, and the steps being taken to mitigate the situation.

By implementing these guidelines, insurers can enhance the protection of policyholders’ data, build trust, and comply with regulatory requirements.

Furthermore, the Indian government has been actively involved in promoting digital initiatives and creating a robust digital infrastructure. These efforts include the implementation of the Aadhaar system, a unique identification system for Indian residents. Aadhaar has played a crucial role in reducing fraud and ensuring transparency in various sectors, including the insurance industry. By linking Aadhaar with insurance policies, policyholders can easily access their policies and avail of various services online.

The government’s focus on data protection is not limited to policyholders alone. It extends to all citizens of India. The Personal Data Protection Bill, 2019, which is currently under consideration by the Indian Parliament, aims to provide a comprehensive framework for the protection of personal data in India. The bill proposes to establish a Data Protection Authority, which will be responsible for enforcing the provisions of the bill and ensuring compliance by companies and organisations.

Overall, the Indian government’s initiatives and laws related to data protection reflect its commitment to safeguarding the privacy and rights of individuals. These measures are essential in the digital age, where data has become a valuable asset and its misuse can have serious consequences for individuals and society as a whole.

Indian government’s vision towards digitalization and data sharing

The vision of the Indian government is to transform India into a digitalised country. To this end, the Government of India launched a flagship programme called Digital India, with the vision of transforming India into a digitally empowered society and knowledge economy. The Digital India programme was launched on July 1, 2015, by the honourable Prime Minister Shri Narendra Modi.

The Indian government has launched various digital platforms to bring Indian society into Digital India. In higher education alone, 28 platforms have been launched by the Government of India, such as SWAYAM (Study Webs of Active Learning for Young Aspiring Minds), the National Academic Depository (NAD), the National Digital Library of India (NDL India), DigiLocker, etc.

The Indian government has taken various initiatives to protect individuals’ data in the internet-based services offered by the many service providers.

The Indian government has also taken several steps to connect people with internet-based services.

Among the digital services launched by the Government of India are UPI (Unified Payments Interface) and DigiLocker.

Effects of digitalisation in India

As per a report published by the India Brand Equity Foundation, the use of digital payments through UPI rose sharply in the number of transactions. In April 2022, according to the available data, there were 5.58 billion UPI transactions, with a total value of INR 9.83 trillion. The Government of India has also launched various digital platforms, such as the DigiLocker portal; as of March 19, 2022, DigiLocker had 101 million users, as per the officially published figures.

IRDA steps towards data protection

The IRDA, which stands for the Insurance Regulatory and Development Authority of India, has supported various digital initiatives. The IRDA issued guidelines on insurance and e-commerce on March 9, 2017.

The IRDA has promoted web aggregators. Web aggregators are insurance intermediary websites that give insurance prospects an interface for price comparison and for information on the products of different insurers and other related matters; examples include MIBL (Mahindra Insurance Brokers Ltd.), India Insure Risk Management and Insurance Broking Services Pvt. Ltd., ACME Insurance Broking Services Pvt. Ltd., and Bharat Re-insurance Brokers Pvt. Ltd. The IRDA has also established a common public service centre platform to market the insurance products of insurers and insurance intermediaries.

Role of IRDA in protection of policyholder’s data

The term “policyholder information” is not defined in the Insurance Act, 1938, or in any rules or regulations framed under it.

In practice, a policyholder’s information includes all the information collected by insurance companies and insurance intermediaries in the course of servicing the insurance policy for the policyholder.

The IRDA has made several restrictions on insurance companies and insurance intermediaries sharing the data of policyholders with third parties.

Under Regulation 19(5) of the IRDA (Protection of Policyholders’ Interests) Regulations, 2017, the IRDA requires that policyholders’ data be kept confidential by insurance companies and intermediaries, and that it be disclosed only to such authorities, and only where, disclosure is found to be legally necessary.

Key aspects of Regulation 19(5):

Confidentiality of policyholder data:

  • Insurance companies and intermediaries are obligated to keep policyholders’ data strictly confidential.
  • Personal information, financial details, and health records of policyholders must be protected.
  • Unauthorised access, disclosure, or misuse of policyholder data is prohibited.

Disclosure of data:

Legal obligations:

  • In cases where the law or a court order requires the disclosure of policyholder data, insurers are obligated to comply.

Examples include:

  • Responding to subpoenas or search warrants issued by law enforcement agencies.
  • Providing information in response to regulatory inquiries or investigations.

Insurance-related activities:

  • Insurers may disclose policyholder data to underwriting companies for the purpose of assessing risks and determining insurability.
  • This includes sharing information such as medical history, claims history, and other relevant details.

Claim processing:

  • Policyholder data may be disclosed to third parties involved in the claim process, such as claims adjusters, repair shops, and medical providers.
  • This is necessary to facilitate the efficient processing and settlement of claims.

Other legitimate activities:

Insurers may disclose policyholder data to other entities for legitimate insurance-related purposes, such as:

  • Conducting actuarial studies and rate-making.
  • Developing new insurance products and services.
  • Complying with internal risk management and audit protocols.

Consent from the policyholder:

  • Insurers can disclose policyholder data when they have obtained explicit consent from the policyholder.
  • Consent must be informed, specific, and voluntary.
  • Policyholders should be clearly informed about the purpose of the disclosure and the parties involved.

Consent can be obtained in various forms, such as:

  • Written consent through a signed form.
  • Electronic consent through an online portal.
  • Verbal consent recorded during a phone conversation.

It’s important to note that insurers have a responsibility to protect policyholder data from unauthorised access, use, or disclosure. They must implement robust security measures and follow strict data protection protocols to safeguard the privacy of their customers.

Data security measures:

  • Insurance companies and intermediaries must implement robust data security measures to safeguard policyholder data.
  • Encryption, access controls, and regular security audits are required to protect against unauthorised access and breaches.

Policyholder consent:

  • In certain cases, insurance companies may seek consent from policyholders before sharing their data with third parties.
  • Policyholders have the right to grant or withhold consent for the disclosure of their personal information.

Compliance and penalties:

  • Failure to comply with Regulation 19(5) may result in penalties and disciplinary action by the IRDA.
  • Insurance companies and intermediaries found responsible for mishandling policyholder data may face fines, licence suspensions, or other consequences.

This regulation reinforces the importance of protecting policyholders’ privacy and ensures that their sensitive information is handled responsibly by insurance companies and intermediaries. It promotes transparency and accountability in the insurance sector and helps build trust between policyholders and the insurance industry.
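The disclosure grounds listed above (legal obligation, insurance-related activities, explicit consent) and the need-to-know access requirement from the IRDAI guidelines earlier in the article can be expressed as a small authorisation check that an insurer’s systems run before any policyholder data leaves them. The following is an added illustration written for this article; it is not code from the article, from IRDAI, or from any insurer. The purpose names, recipient types, field names, the 365-day consent validity and the order reference are all assumptions chosen for the example.

```python
"""Consent- and purpose-bound disclosure check for policyholder data.

Added illustration (not from the article or any regulator): models the
Regulation 19(5) disclosure grounds described in the article as a policy
engine that also applies need-to-know field minimisation and audit logging.
All purpose, recipient and field names are assumptions for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

# Fields each insurance-related purpose may receive (need-to-know). Assumed
# mapping for the example; a real insurer would derive it from its own policy.
NEED_TO_KNOW = {
    "underwriting": {"name", "date_of_birth", "medical_history", "claims_history"},
    "claim_processing": {"name", "policy_number", "claim_details"},
    "actuarial_study": {"date_of_birth", "claims_history"},  # no direct identifiers
}


@dataclass
class Consent:
    """An informed, specific consent record: bound to one purpose and recipient."""
    purpose: str
    recipient: str
    channel: str                      # "written", "electronic" or "recorded_call"
    given_at: datetime
    valid_for: timedelta = timedelta(days=365)   # assumed validity window

    def covers(self, purpose: str, recipient: str, now: datetime) -> bool:
        return (self.purpose == purpose and self.recipient == recipient
                and now - self.given_at <= self.valid_for)


@dataclass
class DisclosureRequest:
    recipient: str
    purpose: str
    fields: Set[str]
    legal_order_ref: Optional[str] = None        # court order / regulator reference
    consents: List[Consent] = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    ground: str
    released_fields: frozenset


AUDIT_LOG: List[dict] = []   # every request is recorded, allowed or not


def evaluate(req: DisclosureRequest, now: Optional[datetime] = None) -> Decision:
    """Return the lawful ground (if any) and the fields that may be released."""
    now = now or datetime.now(timezone.utc)
    if req.legal_order_ref:
        # Legal obligation: disclose what the order requires.
        decision = Decision(True, "legal_obligation", frozenset(req.fields))
    elif req.purpose in NEED_TO_KNOW:
        # Insurance-related activity: trim the request to the need-to-know set.
        permitted = frozenset(req.fields & NEED_TO_KNOW[req.purpose])
        decision = Decision(bool(permitted), "insurance_activity", permitted)
    elif any(c.covers(req.purpose, req.recipient, now) for c in req.consents):
        # Explicit consent that is specific to this purpose and recipient.
        decision = Decision(True, "explicit_consent", frozenset(req.fields))
    else:
        decision = Decision(False, "no_lawful_ground", frozenset())
    AUDIT_LOG.append({"at": now.isoformat(), "recipient": req.recipient,
                      "purpose": req.purpose, "requested": sorted(req.fields),
                      "released": sorted(decision.released_fields),
                      "ground": decision.ground})
    return decision


def demo(now: Optional[datetime] = None) -> dict:
    """Constructed sample requests covering each ground and a refusal."""
    now = now or datetime(2024, 1, 1, tzinfo=timezone.utc)
    fresh = Consent("marketing", "partner_bank", "electronic",
                    datetime(2023, 6, 1, tzinfo=timezone.utc))
    stale = Consent("marketing", "partner_bank", "written",
                    datetime(2022, 6, 1, tzinfo=timezone.utc))   # older than 365 days
    return {
        "court_order": evaluate(DisclosureRequest(
            "district_court", "litigation", {"name", "claim_details"},
            legal_order_ref="ORDER-REF-PLACEHOLDER"), now),
        "repair_shop": evaluate(DisclosureRequest(
            "repair_shop", "claim_processing",
            {"name", "policy_number", "medical_history"}), now),
        "marketing_fresh": evaluate(DisclosureRequest(
            "partner_bank", "marketing", {"name", "email"}, consents=[fresh]), now),
        "marketing_stale": evaluate(DisclosureRequest(
            "partner_bank", "marketing", {"name", "email"}, consents=[stale]), now),
        "no_ground": evaluate(DisclosureRequest(
            "data_broker", "resale", {"name", "email"}), now),
    }


if __name__ == "__main__":
    for label, d in demo().items():
        print(f"{label:16} allowed={d.allowed!s:5} ground={d.ground:18} "
              f"released={sorted(d.released_fields)}")
```

The repair-shop request shows the need-to-know trimming: the request asks for medical history, but only the name and policy number are released. The stale consent is refused because consent is bound to a purpose, a recipient and a validity period rather than being treated as a blanket permission, and the audit log gives the insurer the record it needs for the audits and breach notifications the guidelines require.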

Policyholder data protection and IRDA

The Insurance Regulatory and Development Authority allows insurance companies and insurance intermediaries to share data for public purchase only with the consent of the policyholder.

The Insurance Regulatory and Development Authority has laid down several safety measures for the confidentiality and security of such information in paragraph 11 of its guidelines on information and cyber security for insurance companies and insurance intermediaries, dated April 7, 2017.

Before disclosing the information or sharing the data, companies must obtain consent from the policyholders or information holders.

The insurer must maintain adequate controls to prevent third parties from misusing the data, whether by way of non-disclosure agreements, e-mail safeguards, etc.

The IRDA has made the sharing of policyholder data very rigid.

The IRDA has issued cyber security guidelines and e-commerce guidelines governing the sharing of policyholder data with insurers and insurance companies. Similarly, the Reserve Bank of India allows banks to disclose their customers’ data, inter alia, where they have obtained the express or implied consent of the customer.

Types of data collected by insurance companies from policyholders

Insurance companies collect the personal information of policyholders through a claim form, which the policyholder duly fills out when taking out an insurance policy. Policyholders’ data is also collected through the various other forms that insurance companies provide to the policyholder and collect information from.

Sometimes policyholders’ data is collected through telemarketing, with the company asking for several details about the policyholder.

There are also other marketing modules and strategies for collecting an individual’s data through various modes, such as providing links to a subscription on the internet and having the user fill in personal information on the website.

The company asks for the personal information of the policyholder, like the person’s name, address proofs and date of birth.

The insurance company also collects the details of any other insurance policies registered in the name of the policyholder. They also collect the insurance account number details of any other policies that are registered in the name of the policyholder.

The insurance companies collect the contact details, like mobile numbers and email addresses, of the person or policyholder.

The insurance company also collects the educational qualification details, family details and social and economic status of the policyholders.

The insurance companies are collecting the details of employment and occupation of the policyholders, as well as the annual income of the policyholder.

The insurance companies and insurance intermediaries are collecting the financial information of the policyholder, like their credit card, bank account number, debit card and other payment methods.

The companies collect government-approved identity card details, such as PAN, Aadhaar card, voter card, driving licence and any other government-approved identity card information of the policyholder.

Additional information about the policyholder, which is collected by the companies

  • The companies collect the medical health and medical history of the policyholder.
  • The company also collects data related to the physical and mental health conditions of the policyholders.
  • The company also collects any existing insurance policy details from the policyholder.
  • The company also collects the family and beneficiary details of the policyholder.
  • The company also collects the general insurance policy details, such as name, address, bank details, and the details of any other person who has an interest in the policy of the policyholder.

Need for protection of policyholder data

In Justice K.S. Puttaswamy (Retd.) vs. Union of India (2017), the Supreme Court of India delivered a landmark judgement recognising the right to privacy as a fundamental right under Article 21 of the Constitution of India. The court held that the right to privacy is part of the right to life and personal liberty guaranteed under Article 21. The Digital Personal Data Protection Act, 2023 focuses on the protection of personal data, including its sharing.

The Insurance Regulatory and Development Authority plays an important role in ensuring that policyholders receive the benefits of their insurance policies. The IRDA has made certain rules that insurers must follow when issuing an insurance policy to policyholders, so that the interests of policyholders are protected. Insurance companies and insurance intermediaries face various penalties for non-compliance with the law if they misuse policyholders’ data.


During the COVID pandemic, the use of digital payment methods increased, and many companies incorporated different types of payment methods; Paytm, for example, introduced QR-based payments. The Indian government has taken several steps towards boosting the internet connectivity of Indian citizens. The Insurance Regulatory and Development Authority has issued guidelines on the protection of policyholders’ data for insurance companies, insurance intermediaries and e-commerce entities, and policyholders’ data may not be misused in any way. Policyholders, for their part, must be aware of what personal data they share with insurance companies or other entities and must ensure that their data is not misused. Several laws have been made by the government for the protection of policyholders’ data, and any company found to be misusing or selling policyholder data to third parties may face punishment and penalties as prescribed by those laws.


