Sector Analysis
Insurance
Overview of the Sector & Data Collectors Evaluated
The insurance sector across East, Southern, and parts of West Africa continues to expand steadily, driven by rising awareness of insurance as a risk management tool, growing middle-class populations, increased mobile phone penetration, and the rapid digitisation of financial services. In countries such as Kenya, Tanzania, Uganda, Zimbabwe, Nigeria, Ghana, and Botswana, the market now comprises both long-established insurers and a growing number of technology-driven providers, including insurtech startups that use digital platforms to deliver more flexible and affordable insurance products.
Although growth has been notable, insurance penetration across the region remains below global averages, particularly in low- and middle-income markets. Nonetheless, improving economic conditions, expanding urban populations, and increased financial literacy are contributing to rising demand for both life and non-life insurance products. In West African markets such as Nigeria and Ghana, digital channels and mobile money ecosystems have accelerated the uptake of micro-insurance, health insurance, and usage-based products, while Botswana has seen steady development in more traditional insurance offerings supported by a relatively stable financial regulatory environment.
Digital transformation is now a defining feature of the sector. Insurers increasingly rely on mobile applications, web platforms, digital onboarding tools, and electronic payment systems to reach customers and streamline service delivery. Insurtech innovations, including pay-as-you-go insurance, mobile health coverage, and embedded insurance products, have expanded access, particularly for underserved populations. However, this shift has also intensified the collection and processing of personal and sensitive data, amplifying privacy and data protection risks.
Insurance providers routinely collect large volumes of personal information, including names, identification details, contact information, employment status, and financial data. For underwriting and claims management, insurers also process highly sensitive data, such as medical records, health histories, biometric identifiers, and claims histories. With increased digitalisation, data is often collected through mobile devices, online forms, and, in some cases, biometric verification tools such as facial recognition or fingerprints, particularly in mobile-based insurance services.
Customer data is frequently shared with third parties, including reinsurers, healthcare providers, claims assessors, payment processors, and analytics service providers. While such data sharing is integral to insurance operations, inadequate safeguards, limited transparency, or weak contractual controls can expose customers to privacy violations, data misuse, or security breaches.
Regulatory environments across the assessed countries vary significantly. Some jurisdictions, such as South Africa, Kenya, Nigeria, and Uganda, have enacted comprehensive data protection laws, while others, including parts of Southern Africa and West Africa, are still strengthening enforcement mechanisms and regulatory capacity. Ghana and Botswana, for instance, have established legal frameworks for data protection but continue to face challenges related to enforcement consistency and institutional oversight. As a result, compliance levels among insurers vary, and accountability for data misuse is uneven across the region.
Consumer trust remains a critical challenge for the insurance sector. In many countries, insurance is still perceived as costly or unnecessary, and concerns about fraud, opaque practices, and poor service delivery persist. These perceptions directly affect consumers' willingness to share personal data and engage fully with insurance providers. Compounding this issue is limited public awareness of data protection rights; many customers do not fully understand how their data is collected, used, shared, or retained, nor how to seek redress when their rights are violated.
Cybersecurity risks further complicate the landscape. As insurers increasingly rely on digital infrastructure, the sector faces growing exposure to cyberattacks, system vulnerabilities, and internal data breaches. Smaller insurers and insurtech startups, particularly in emerging markets, may lack the technical resources and expertise required to implement robust security controls, making them especially vulnerable.
Overall, the insurance sector is undergoing rapid transformation, marked by innovation, market expansion, and increasing reliance on personal data. However, this growth has not always been matched by equivalent advances in privacy governance, data protection compliance, and transparency. Given the sensitive nature of the data involved, insurers must prioritise strong legal compliance, effective data security measures, and clear communication with customers. Strengthening privacy practices through compliance with national data protection laws, adoption of best practices for data security, responsible third-party data sharing, and improved consumer awareness will be essential for building trust, reducing regulatory risk, and supporting the long-term sustainability of the insurance sector across the region.
Analysis of Compliance With Each Criterion
This sectoral evaluation draws on a sample of 36 companies, with four (4) companies assessed per participating country, namely: AIICO Insurance, Leadway Assurance, Sovereign Trust Insurance and Mutual Benefits Assurance from Nigeria; Enterprise Insurance Company Limited, Star Assurance Limited, Hollard Insurance Ghana Limited and Vanguard Assurance Company Limited from Ghana; Botswana Life Insurance, Metropolitan Botswana, Hollard Botswana and Botswana Insurance Company from Botswana; Britam Rwanda, Old Mutual Rwanda, Prime Insurance and BK Insurance Rwanda from Rwanda; Jubilee Life Insurance Tanzania, NIC Tanzania, Britam Insurance Tanzania and Heritage Insurance Tanzania from Tanzania; Sicom–State Insurance Company of Mauritius Ltd, Jubilee Allianz General Insurance Mauritius Ltd, Eagle Insurance and Mauritius Union Assurance from Mauritius; Old Mutual Zimbabwe, Zimnat Lion Insurance, Alliance Insurance and Cell Insurance from Zimbabwe; Jubilee Insurance Kenya, Britam Insurance Kenya, ICEA Lion Insurance and CIC Kenya from Kenya; and UAP Old Mutual Uganda, Sanlam, Britam Uganda and Jubilee Insurance Uganda from Uganda.
Findings - Insurance
Insurance Sector - Nigeria
All assessed insurance companies fulfilled the registration requirements with the national data protection regulator, with each institution achieving a perfect score of 100%. This reflects sector-wide compliance with baseline regulatory obligations and indicates formal recognition of oversight responsibilities in relation to the processing of personal data. The companies also demonstrated varying levels of effort in ensuring the availability of accessible privacy policies. AIICO Insurance, Leadway Assurance, and Mutual Benefits Assurance performed strongest in this area, each scoring 88%, suggesting that their privacy policies are publicly available and reasonably accessible to customers. In contrast, Sovereign Trust Insurance scored 50%, indicating limited accessibility and raising concerns about transparency and user awareness of data processing practices.
With respect to the observance of data subject rights, performance across the sector was mixed. Mutual Benefits Assurance leads with a score of 69%, followed closely by AIICO Insurance and Leadway Assurance, each scoring 68%. These results suggest moderate alignment with data protection principles related to user rights such as access, correction, and complaint mechanisms. Sovereign Trust Insurance scored 0%, reflecting a failure to meaningfully recognise or facilitate data subject rights, which presents a significant compliance gap.
All assessed insurers reported sharing personal data with third parties; however, compliance in this area remains low across the sector. Even the highest-performing institution, AIICO Insurance, scored only 34%, followed by Mutual Benefits Assurance at 28% and Leadway Assurance at 16%. These low scores indicate insufficient transparency regarding third-party recipients, data categories shared, and safeguards applied, which undermines core obligations of lawfulness, fairness, and accountability under data protection laws.
In terms of data security practices, the insurers demonstrated moderate effort. Sovereign Trust Insurance led with a score of 67%, while AIICO Insurance, Leadway Assurance, and Mutual Benefits Assurance each scored 61%. These results suggest the presence of basic technical and organisational safeguards, although the absence of detailed disclosures limits the ability to assess the robustness and effectiveness of these measures.
Notably, none of the assessed insurance companies published transparency reports, and all recorded 0% compliance for internal data breach resolution mechanisms. The absence of clear procedures for detecting, reporting, and resolving data breaches, along with a lack of user notification frameworks, represents a critical weakness in accountability and poses significant risks to regulatory compliance and consumer trust.
Mutual Benefits Assurance emerges as the strongest performer in the sector, supported by a relatively comprehensive privacy policy. The company provides detailed contact information, including dedicated customer service channels, and clearly identifies the categories of personal data collected, such as policyholder information, claims data, medical records, and financial details. Its policy outlines defined purposes for data processing, including underwriting, claims management, fraud prevention, and regulatory compliance, and offers reasonable transparency around data retention and third-party sharing. Importantly, the policy recognises key data subject rights, including access, correction, and complaint procedures, contributing to stronger alignment with data protection requirements.
AIICO Insurance demonstrates solid, though less comprehensive, privacy compliance. The company provides basic contact information and describes general categories of personal data collected through insurance operations. While AIICO acknowledges standard data subject rights and offers some transparency regarding third-party data sharing, gaps remain in specifying retention periods and detailing the nature of third-party arrangements, limiting full compliance.
Leadway Assurance shows moderate compliance, with privacy policies addressing fundamental requirements such as data collection purposes and basic data subject rights. However, the lack of detailed retention timelines and limited clarity around third-party sharing practices reduce the effectiveness of its privacy framework and weaken accountability.
Sovereign Trust Insurance faces the most significant compliance challenges. Limited accessibility of privacy information and insufficient detail regarding data processing practices restrict customer understanding and expose the company to heightened regulatory risk. The absence of meaningful recognition of data subject rights and internal breach response mechanisms further compounds these concerns.
Overall, the assessment indicates that while insurance companies in this sector demonstrate awareness of regulatory registration obligations and have taken initial steps toward transparency and data security, compliance with data protection laws remains partial and uneven. Persistent weaknesses in third-party data governance, transparency reporting, and internal breach response mechanisms highlight the need for stronger accountability frameworks. To improve compliance and build consumer trust, insurers must move beyond baseline measures and adopt clearer disclosures, enforceable data protection practices, and effective breach management systems.
Insurance Sector - Ghana
The assessed insurance companies in Ghana demonstrated varying levels of compliance with data protection requirements, with notable strengths in regulatory registration but significant gaps in transparency, third-party data governance, and breach management.
Most of the reviewed insurers demonstrated compliance with registration requirements under Ghana's data protection framework. Enterprise Insurance Company Limited, Star Assurance Limited, and Hollard Insurance Ghana Limited achieved full compliance, each scoring 100%, reflecting active registration with the national regulator. Their certifications remain valid until April 30, 2026, August 7, 2026, and April 12, 2027, respectively.
In contrast, Vanguard Assurance Company Limited scored 50%, as its registration expired on May 29, 2023, exposing the company to regulatory and accountability risks.
The sector displays uneven performance in the availability and accessibility of privacy policies. Enterprise Insurance Company Limited leads with a score of 100%, indicating that its privacy policy is prominently displayed and reasonably accessible to users. Star Assurance Limited and Hollard Insurance Ghana Limited each scored 63%, reflecting the existence of published policies, albeit with lower visibility and reduced clarity. Vanguard Assurance Company Limited scored 0%, as it does not provide a publicly accessible privacy policy, creating a significant transparency and accountability gap. Readability analysis shows variability across available policies, with Hemingway grades ranging from 8 to 11, indicating moderate clarity but room for improvement. Word counts exceed 200 words for all companies except Vanguard, suggesting relatively comprehensive disclosures where policies exist. However, limited visibility and accessibility undermine their effectiveness in informing data subjects.
In terms of pre-collection data transparency and respect for data subject rights, performance across the sector remains inconsistent. Hollard Insurance Ghana Limited leads with a score of 72%, demonstrating a comparatively strong framework that includes full contact details, detailed categories of personal data collected, defined retention periods, extensive third-party disclosures, recognition of core data subject rights, and accessible complaint mechanisms. This positions Hollard as the sector's strongest performer and a reference point for best practice.
Enterprise Insurance Company Limited scored 39%, reflecting basic compliance through clearly stated purposes for data processing and defined retention periods ranging from six months to seven years. However, its policy lacks sufficient detail on third-party disclosures, deletion rights, and complaint procedures, limiting full alignment with data protection principles. Star Assurance Limited scored 20%, indicating weak compliance. Its policy contains vague retention timelines, limited specificity regarding data categories collected, minimal recognition of data subject rights, and poor transparency in relation to third-party data sharing. Vanguard Assurance Company Limited scored 0%, as the absence of any privacy policy leaves users without information on how their personal data is collected, used, or protected.
All assessed companies engage in third-party data sharing, but compliance levels remain very low across the sector. Star Assurance Limited leads marginally with a score of 24%, followed by Hollard Insurance Ghana Limited at 16%, while Enterprise Insurance Company Limited and Vanguard Assurance Company Limited each scored 0%. Enterprise permits sharing of personal data with third-party processors and group companies for service delivery, account management, and marketing, including advertising. However, it fails to identify specific third parties, clarify the types of data shared, or outline conditions for law enforcement access and reporting mechanisms, resulting in weak compliance.
Star Assurance allows data sharing for standard business operations and excludes advertisers, but the lack of clear reporting channels and limited disclosure on data categories shared reduces transparency and user protection. Hollard shares data with a wide range of third parties, including brokers, agents, reinsurers, and potential acquirers, with marketing-related sharing subject to user consent. Nevertheless, the absence of clarity on the specific data shared and limited breach reporting channels weakens accountability. Vanguard provides no disclosures due to the absence of a privacy policy.
Moderate effort was observed in relation to data security. Enterprise Insurance Company Limited and Hollard Insurance Ghana Limited lead with scores of 61% each. Enterprise achieves an A SSL rating and a C security headers score, and its privacy policy references storage safeguards and protective measures. Hollard scores B for both SSL and security headers, with its policy outlining precautionary measures and periodic security testing.
Star Assurance Limited scored 39%, reflecting a B SSL rating but an F security headers score, alongside general assurances about data protection without meaningful technical detail. Vanguard Assurance Company Limited scored 28%, despite holding an A SSL rating, due to the absence of a privacy policy addressing data security and a failing security headers score.
None of the assessed insurance companies publish transparency reports. Performance in this area is uniformly poor, signalling limited prioritisation of openness, weak accountability practices, and misalignment with national data protection expectations and international best practices. All companies registered very low levels of compliance in relation to internal data breach resolution. Enterprise Insurance Company Limited, Star Assurance Limited, and Hollard Insurance Ghana Limited each scored 8%, while Vanguard Assurance Company Limited scored 0%.
Enterprise acknowledges the right of users to be notified if personal data is accessed without authorisation but does not define internal procedures, investigation standards, reporting timelines, or clear channels for escalation. Star Assurance references general data protection obligations but lacks detail on breach notification, investigation processes, or user reporting mechanisms. Hollard similarly emphasises general security measures but fails to outline specific breach management procedures or notification frameworks. Vanguard provides no information due to the absence of a privacy policy.
Overall, the assessment indicates that while most insurance companies in Ghana demonstrate compliance with registration requirements and have taken initial steps toward transparency and data security, substantive gaps persist in third-party data governance, transparency reporting, and breach response mechanisms. The absence of comprehensive breach handling frameworks and limited disclosure of third-party data sharing practices pose significant risks to regulatory compliance and consumer trust. Strengthening these areas is essential for aligning insurance sector practices with data protection laws and for ensuring meaningful protection of policyholders' personal and sensitive data.
Insurance Sector - Botswana
The assessed insurance companies in Botswana demonstrate uneven performance in relation to privacy practices and compliance with data protection requirements, with notable disparities across key indicators such as policy accessibility, data subject rights, third-party data sharing, and internal breach response mechanisms.
The companies made varying efforts to ensure the availability of accessible privacy policies. Botswana Insurance Company (BIC) performed strongest in this area, scoring 100%, indicating that its privacy policy is clearly published and readily accessible. Metropolitan Botswana followed with a score of 75%, while Hollard Botswana scored 63%, reflecting moderate accessibility. In contrast, Botswana Life Insurance scored 0%, as no accessible privacy policy was identified, raising significant transparency and accountability concerns.
With respect to the observance of data subject rights, Hollard Botswana leads with a score of 65%, followed closely by Botswana Insurance Company at 64%. Metropolitan Botswana scored 49%, indicating partial recognition of user rights. Botswana Life Insurance again scored 0%, suggesting a failure to meaningfully acknowledge or facilitate data subject rights such as access, correction, deletion, or complaint mechanisms. These gaps directly affect individuals' ability to exercise control over their personal data, a core requirement under data protection laws.
All assessed companies were found to share personal data with third parties; however, compliance levels in this area remain very low across the sector. Hollard Botswana leads with a score of 38%, followed by Metropolitan Botswana at 34% and Botswana Insurance Company at 26%, while Botswana Life Insurance scored 0%. These low scores reflect insufficient disclosure regarding the categories of data shared, the identities of third-party recipients, and the legal safeguards governing such transfers, exposing customers to heightened risks of misuse and unlawful processing.
Demonstrable efforts were observed in relation to data security. Hollard Botswana recorded the strongest performance with a score of 78%, suggesting relatively robust technical and organisational safeguards. This was followed by Botswana Insurance Company at 56%, Botswana Life Insurance at 50%, and Metropolitan Botswana at 45%. While these results indicate some awareness of data security obligations, inconsistencies in policy disclosures limit transparency around how effectively these safeguards are implemented.
Only Botswana Life Insurance and Botswana Insurance Company published transparency reports, with each scoring 100% in this category. The absence of such reports from Hollard Botswana and Metropolitan Botswana highlights a lack of sector-wide commitment to proactive disclosure and public accountability regarding government requests, data access, or systemic privacy risks.
All assessed insurers registered very low levels of compliance with respect to internal data breach resolution mechanisms. The absence of clearly defined procedures for detecting, reporting, investigating, and remedying data breaches significantly undermines accountability and poses compliance risks, particularly given the volume and sensitivity of personal data processed within the insurance sector.
Overall, most insurance companies in Botswana score poorly on the accessibility of privacy policies, internal breach resolution, and the extent of customer control over personal data. While insurers routinely collect and process large volumes of sensitive personal information, their governance frameworks are often insufficiently transparent and not customer-centric.
Botswana Life Insurance emerges as a relatively stronger performer in certain respects, particularly in transparency and pre-collection disclosure. Its policy explains the categories of personal data collected, the purposes of processing, and provides some clarity on third-party transfers and data security. However, significant weaknesses remain, including the absence of an internal breach resolution framework, limited complaint mechanisms, and no explicit guarantee of data deletion rights, which undermine otherwise detailed disclosures.
Botswana Insurance Company demonstrates moderate performance, with strengths in articulating the purposes of data collection and outlining basic data security measures. It provides partial rights of access and correction but lacks clear retention timelines, user-friendly complaint mechanisms, and procedures for withdrawal of consent. These shortcomings limit customer control over personal data and weaken compliance with data protection principles.
Metropolitan Life Insurance performs weakly across most indicators. Although it scores relatively well on certain transparency measures, its low accessibility score, absence of meaningful data subject rights (including deletion and complaint mechanisms), lack of an internal breach response system, and sharing of personal data with advertisers significantly heighten privacy risks.
Hollard Botswana has an accessible privacy policy and demonstrates the strongest data security practices within the sector. However, like its peers, it lacks adequate internal data breach resolution mechanisms. While it recognises partial rights of access and correction and records the highest score for third-party data sharing, compliance remains below average due to the failure to specify the types of personal data shared and the absence of clear channels for individuals to report data breaches.
In sum, Botswana Life Insurance shows comparatively better practices, though still lacking in customer control and breach management mechanisms. Botswana Insurance Company and Hollard Botswana demonstrate only partial compliance, while Metropolitan Life Insurance trails significantly, offering minimal customer protections. Overall, the insurance sector in Botswana reveals an urgent need for reform, particularly in improving policy accessibility, establishing robust and transparent breach response frameworks, and ensuring enforceable data subject rights in line with data protection laws.
Insurance Sector - Rwanda
Overall, the Rwandan insurance sector continues to demonstrate uneven and largely partial compliance with data protection and privacy obligations. While some companies have maintained or modestly improved their performance in specific areas since last year, structural weaknesses persist, particularly in transparency reporting, third-party data sharing, and internal data breach resolution mechanisms.
As in the previous assessment, Britam Rwanda, Old Mutual Rwanda, and Prime Insurance continue to lead in the accessibility of privacy policies, each maintaining a score of 88%. Their policies are publicly available, exceed the minimum length threshold of 200 words, and are fairly readable, though the relatively high readability grades (12–13) suggest that complexity remains a barrier for average users.
In contrast, BK Insurance Rwanda again scored 0%, as no publicly available privacy policy could be identified. This represents no improvement from last year and continues to signal a serious lack of transparency and accountability, exposing customers to heightened privacy risks and potential regulatory non-compliance.
Performance in pre-collection transparency and observance of data subject rights shows mixed progress compared to last year. Old Mutual Rwanda strengthened its lead, improving from 66% to 71%, reflecting clearer contact disclosures, more comprehensive categorization of personal data collected, broader recognition of data subject rights (including access, correction, deletion, restriction, withdrawal of consent, and complaint mechanisms), and marketing opt-out options. However, its policy still provides only general descriptions of retention periods and law enforcement access.
Prime Insurance declined from 45% to 40%, while Britam Rwanda dropped from 30% to 20%, indicating regression in the clarity and scope of rights disclosure, retention practices, and complaint mechanisms. Both companies continue to provide only basic explanations of data collection purposes and limited recognition of user rights. BK Insurance Rwanda again scored 0%, offering no transparency or safeguards due to the absence of a privacy policy. These trends suggest that while Old Mutual is consolidating its position as the sector leader, other insurers are failing to build on earlier progress, weakening overall sectoral compliance with data protection principles.
All assessed insurers were found to share personal data with third parties, but compliance levels remain low, albeit with some shifts compared to last year. Prime Insurance remains the highest performer, scoring 44%, though this represents a decline from 50% last year. Old Mutual Rwanda improved significantly, rising from 16% to 36%, reflecting clearer identification of third-party categories and reporting channels, though it still fails to specify the exact data types shared. Britam Rwanda and BK Insurance Rwanda both scored 0%, unchanged from last year, due to a lack of transparency around third-party recipients, data categories shared, law enforcement access conditions, and breach reporting mechanisms. Despite modest improvements by Old Mutual, the sector overall continues to fall short of legal expectations regarding lawful, transparent, and accountable data sharing.
Data security practices remain one of the relatively stronger areas across the sector, with performance largely stable compared to last year. Britam Rwanda maintained its leading position at 67%, supported by strong technical indicators (B SSL rating and A security headers), though its policy still lacks detailed explanations of safeguards. Old Mutual Rwanda, Prime Insurance, and BK Insurance Rwanda each scored 61%. Prime Insurance improved from 45% to 61%, reflecting more detailed disclosures on physical, electronic, and procedural safeguards, despite weak security headers. Old Mutual and BK Insurance maintained their previous scores. Notably, BK Insurance's relatively strong technical security scores contrast sharply with its complete lack of policy transparency, underscoring a disconnect between technical controls and governance disclosure.
As in the previous assessment, none of the assessed insurance companies have published transparency reports. Britam Rwanda, Old Mutual Rwanda, Prime Insurance, and BK Insurance Rwanda all scored 0% in this category. This continued absence of reporting reflects a persistent lack of proactive accountability and alignment with international best practices, particularly regarding disclosures on government access requests and systemic risks.
Internal data breach resolution remains a critical weakness, though there has been limited improvement. Old Mutual Rwanda showed notable progress, increasing its score from 17% to 50%, indicating clearer acknowledgment of breach handling and complaint processes, albeit still lacking detailed timelines, investigation standards, and guarantees of impartiality.
All other insurers (Britam Rwanda, Prime Insurance, and BK Insurance Rwanda) maintained scores of 0%, unchanged from last year. Their policies either fail to address data breaches altogether or do not provide actionable guidance on notification, investigation, or remediation, leaving data subjects with little recourse in the event of a breach.
Compared to last year, the overall picture remains largely unchanged, with modest improvements by Old Mutual Rwanda offset by stagnation or decline among other insurers. Old Mutual continues to emerge as the strongest performer, particularly in data subject rights, third-party disclosures, and breach handling, though gaps remain in retention specificity and transparency reporting.
Prime Insurance and Britam Rwanda show weakening compliance, especially in user rights and third-party transparency, raising concerns about regression rather than continuous improvement. BK Insurance Rwanda remains the most problematic, with persistent zero scores across multiple indicators, representing a significant compliance risk under data protection laws.
In sum, while technical data security measures are relatively consistent across the sector, governance, transparency, and accountability mechanisms remain underdeveloped. The lack of transparency reports, weak third-party data transfer disclosures, and inadequate internal breach response frameworks highlight the urgent need for regulatory enforcement, clearer guidance, and stronger institutional commitment to data protection compliance in Rwanda's insurance sector.
Insurance Sector - Tanzania
All four companies have publicly accessible privacy policies, demonstrating a commitment to transparency. Jubilee, Britam, and Heritage lead with 88%, while NIC lags at 63%, suggesting potential difficulty for users in locating or understanding its policy, which may impact customer trust. Jubilee Life Insurance's privacy policy was observed to be clear and readable, with 1478 words and a Hemingway score of 14. Its website is secure (A grade), with three trackers on the website and two trackers on the app. The policy does not specify third parties and does not allow data sharing with advertisers. It provides rights to access, correct, object to, and restrict data processing, but subject to conditions. It also mentions breach procedures but lacks specifics on investigation timelines, reporting methods, and fairness in investigations. Users are notified of breaches within an unspecified period. The policy mentions data security but without specifics.
Britam Insurance's privacy policy was more detailed, with 7252 words and a Hemingway score of 23. Its website is secure (A grade), with three trackers on both the app and the website. The policy neither specifies third parties nor allows data sharing with advertisers. Similar to Jubilee, it provides rights to access, correct, object to, and restrict data processing, but subject to conditions. It mentions breaches but lacks specifics on investigation timelines, user notification, and reporting channels. It provides more specifics on security, outlining technical, physical, and organizational safeguards.
Equally, the companies were credited for implementing security measures to protect user data, though performance varied: Britam was the top performer at 83%, followed by Jubilee and NIC, which exhibited strong compliance at 78% and 72% respectively, while Heritage Insurance recorded the weakest performance at 44%. Whereas Britam and Jubilee demonstrated robust security, Heritage's low score suggests potential vulnerabilities that could expose user data to breaches or cyber threats.
The level of transparency in informing users about data collection varied, with Heritage observed as the most transparent at 69%, while moderate transparency was exhibited by Jubilee (61%), NIC (56%) and Britam (53%). The lower scores indicate that some companies may not clearly communicate what data is collected and why, potentially leading to compliance risks and customer dissatisfaction.
Companies differed significantly in how they manage third-party data sharing, with Jubilee topping the sector at 70% and lower compliance observed for Britam (36%), Heritage (20%) and NIC (10%). While Jubilee provides more transparency, the other companies lacked clarity, raising concerns over potential non-compliance with best data protection practices.
All four companies performed poorly on transparency reporting and internal data breach resolution, failing to provide transparency reports or robust internal data breach resolution mechanisms. The lack of transparency reports limits public awareness of how these companies handle personal data. Weak data breach resolution measures mean customers may not have clear procedures to follow in case of a data breach, exposing companies to reputational and legal risks.
Heritage should strengthen security protocols to meet industry standards. All companies should publish transparency reports to increase accountability. Clear, structured policies on data breach investigation, reporting mechanisms, and resolution timelines are needed. NIC and Britam should enhance how they communicate data collection practices to users. Companies with low compliance (NIC, Heritage and Britam) should be more transparent about third-party data transfers. By addressing these gaps, Tanzanian insurance companies can enhance trust, regulatory compliance, and overall data protection standards.
Insurance Sector - Mauritius
The Mauritian insurance sector continues to demonstrate moderate to strong awareness of data protection obligations, with notable improvements in some areas since last year, alongside regression in others.
Overall, the sector reflects growing maturity in privacy governance, though inconsistencies persist across companies and compliance indicators.
All assessed insurance companies (SICOM-State Insurance Company of Mauritius Limited, Jubilee Allianz General Insurance Mauritius Ltd, Eagle Insurance, and Mauritius Union Assurance) continue to maintain accessible privacy policies, each scoring 88% in the current assessment. This represents a decline for Mauritius Union Assurance, which dropped from a perfect score of 100% last year, while SICOM, Jubilee Allianz, and Eagle Insurance maintained their previous scores. These results indicate that while policy availability and visibility remain strong across the sector, some firms have lost ground in terms of clarity or accessibility, underscoring the need for regular review and updating of privacy documentation to ensure continued compliance.
All companies demonstrated efforts to recognise and facilitate data subject rights, though performance levels vary and some scores declined compared to last year. Jubilee Allianz General Insurance Mauritius Ltd leads with a score of 82%, down from 88%, reflecting continued strong disclosure of data practices, lawful bases for processing, and user rights, albeit with less clarity in certain areas. Eagle Insurance and Mauritius Union Assurance both improved, scoring 77%, up from 70% and 68% respectively, reflecting stronger articulation of data subject rights, lawful processing bases, and complaint mechanisms. SICOM maintained its score of 62%, indicating stable but limited progress in this area. Overall, the sector demonstrates growing recognition of data subject rights, though declining scores for some insurers highlight the need for consistent and continuous improvement to meet evolving regulatory expectations.
All assessed companies share personal data with third parties, but compliance in this area remains uneven. Jubilee Allianz General Insurance Mauritius Ltd shows a marked improvement, scoring 80%, up from 44% last year, and clearly leading the sector. This improvement reflects better disclosure of third-party recipients, consent requirements, and safeguards for cross-border transfers. By contrast, Eagle Insurance declined to 28% from 36%, SICOM improved slightly to 26% from 20%, and Mauritius Union Assurance dropped to 20% from 34%. These lower scores point to continued deficiencies in identifying third-party recipients, specifying the categories of data shared, and clarifying law enforcement access, which may undermine compliance with data protection principles of transparency and accountability.
Visible and significant improvements were recorded in data security practices across most companies. Mauritius Union Assurance now leads with 83%, up from 61% last year, reflecting strengthened organisational and technical safeguards and clearer governance frameworks. SICOM improved to 78% from 67%, and Eagle Insurance rose to 67% from 50%, indicating increased investment in data security controls. In contrast, Jubilee Allianz General Insurance Mauritius Ltd declined to 39% from 56%, suggesting potential gaps between policy commitments and technical or operational implementation. These trends indicate that while data security is increasingly prioritised, progress remains uneven and should be reinforced through detailed disclosures and consistent implementation.
Transparency reporting presents a mixed picture. Jubilee Allianz General Insurance Mauritius Ltd maintained its perfect score of 100%, continuing its leadership in public accountability. SICOM recorded a significant improvement, increasing from 0% last year to 100%, demonstrating enhanced commitment to openness and regulatory best practices. In contrast, Mauritius Union Assurance experienced a sharp decline, falling from 100% last year to 0%, while Eagle Insurance continues to lack transparency reports. These fluctuations highlight inconsistencies in sector-wide accountability and underscore the importance of sustained transparency efforts.
All companies continue to demonstrate efforts to establish internal data breach resolution mechanisms, though overall compliance remains limited. Mauritius Union Assurance leads with a score of 67%, maintaining its performance from last year and reflecting clearly defined breach notification obligations and regulatory reporting timelines. SICOM maintained a low score of 17%, indicating limited procedural clarity. Eagle Insurance improved slightly to 8% from 0%, suggesting early steps toward formalisation. In contrast, Jubilee Allianz General Insurance Mauritius Ltd declined from 8% to 0%, reflecting the absence of clear internal breach response procedures in publicly available policies. These findings suggest that while awareness of breach obligations exists, most insurers still lack comprehensive, transparent, and user-facing breach response frameworks, posing compliance and trust risks.
Compared to last year, the Mauritian insurance sector shows both progress and regression, resulting in a more complex and uneven compliance landscape. Jubilee Allianz General Insurance Mauritius Ltd and Mauritius Union Assurance remain sector leaders, though both exhibit notable weaknesses in certain areas. SICOM demonstrates steady improvement, particularly in transparency and security, while Eagle Insurance shows incremental gains but continues to lag in accountability mechanisms. Overall, the sector performs well in terms of policy accessibility and recognition of data subject rights, reflecting alignment with the Data Protection Act 2017. However, persistent gaps in third-party data sharing transparency, breach response mechanisms, and consistency in transparency reporting indicate a need for stronger regulatory enforcement, clearer guidance, and ongoing internal governance improvements to ensure full and sustained compliance with data protection laws.
Insurance Sector - Zimbabwe
Compared to last year, the insurance sector in Zimbabwe shows measured but uneven progress in privacy practices and data protection compliance. While some companies have made notable improvements, particularly in policy accessibility and recognition of data subject rights, systemic weaknesses remain, especially in transparency reporting and internal data breach resolution.
Unlike last year, when only one insurer had an accessible privacy policy, two companies now demonstrate policy accessibility. Zimnat Lion Insurance leads with a score of 100%, representing a significant improvement from 0% last year, while Old Mutual Zimbabwe maintains its score of 88%, reflecting consistent performance. In contrast, Alliance Insurance and Cell Insurance continue to have no accessible privacy policies, maintaining scores of 0%, which indicates ongoing non-compliance with basic transparency and accountability requirements.
Only Old Mutual Zimbabwe and Zimnat Lion Insurance demonstrated efforts to observe data subject rights. Old Mutual Zimbabwe improved to 46% from 35% last year, while Zimnat Lion Insurance recorded a substantial increase to 81% from 0%, now leading the sector in this category. The remaining companies (Alliance Insurance and Cell Insurance) again recorded 0%, reflecting the absence of publicly available information on how personal data is collected, used, or how individuals may exercise their rights. This continued lack of transparency raises compliance risks and undermines consumer trust.
Although all assessed companies share personal data with third parties, only Zimnat Lion Insurance (34%, up from 0%) and Old Mutual Zimbabwe (26%, up from 10%) demonstrated partial compliance by disclosing some aspects of third-party data sharing. Alliance Insurance and Cell Insurance maintained scores of 0%, suggesting that data may be shared without any publicly disclosed safeguards or explanations. This presents a significant concern, as third-party data transfers are a high-risk area under data protection laws and require clear justification and transparency.
All companies showed some effort to secure personal data, with Old Mutual Zimbabwe maintaining its sector-leading score of 61%, unchanged from last year. Zimnat Lion Insurance improved to 45% from 28%, and Cell Insurance increased to 33% from 22%, indicating incremental progress. Alliance Insurance maintained its score of 22%, reflecting minimal improvement. While these results suggest a baseline level of technical protection across the sector, security measures are not consistently supported by comprehensive policy disclosures or governance frameworks.
Transparency reporting remains a major weakness. Old Mutual Zimbabwe is the only company that previously published a transparency report, but its score declined from a perfect 100% last year to 0%, indicating the absence of a current or updated report. All other companies maintained scores of 0%, continuing the sector-wide lack of public accountability. The absence of transparency reports significantly weakens oversight, limits public trust, and signals misalignment with international best practices.
As in the previous assessment, all companies recorded very low compliance in relation to internal data breach resolution mechanisms. Old Mutual Zimbabwe made limited efforts, scoring 33%, while Zimnat Lion Insurance, Alliance Insurance, and Cell Insurance each maintained scores of 0%. This persistent gap suggests that most insurers lack clear internal procedures for investigating, resolving, and communicating data breaches, posing serious risks to both consumers and regulatory compliance.
Taken together, the current assessment shows incremental improvements over last year, particularly among larger insurers such as Zimnat Lion Insurance and Old Mutual Zimbabwe, which have expanded policy accessibility and improved recognition of data subject rights. However, these gains are undermined by the continued absence of transparency reporting and robust breach-handling frameworks, which remain systemic weaknesses across the sector. Smaller insurers, notably Alliance Insurance and Cell Insurance, continue to operate with minimal or no visible data protection frameworks, despite handling sensitive financial and health-related information. This highlights a significant regulatory and governance gap within the industry. Overall, while progress is evident, Zimbabwe's insurance sector remains partially compliant at best. Without sustained improvements in transparency, third-party data governance, and internal breach resolution, current practices fall short of fully meeting data protection law requirements and international standards, leaving consumers exposed and confidence in the sector weakened.
Insurance Sector - Kenya
As in the previous assessment period, all insurance companies reviewed in Kenya fully complied with registration requirements under the national data protection framework, each maintaining a perfect score of 100%. This sustained performance reflects a strong and institutionalised commitment to regulatory compliance at the entry level and indicates that registration with the national regulator is now well embedded across the sector.
Insurance companies also continued to demonstrate efforts to maintain accessible privacy policies. ICEA Lion Insurance Kenya and CIC Insurance Kenya lead the sector with scores of 88%. ICEA Lion showed notable improvement, increasing from 75% last year to 88%, suggesting enhancements in the visibility, clarity, or completeness of its privacy policy. CIC Kenya, by contrast, maintained its 88% score, indicating consistency but no further improvement. Jubilee Insurance Kenya and Britam Insurance Kenya followed closely, each maintaining scores of 75%, unchanged from last year. While these scores indicate basic compliance, the lack of progress suggests that accessibility and user-friendliness of privacy policies have largely plateaued for these insurers.
All assessed companies demonstrated observable efforts to respect data subject rights, although performance levels varied. Jubilee Insurance Kenya remains the strongest performer, maintaining a score of 77%, consistent with last year. This reflects a relatively mature framework for informing users about data collection practices and recognising rights such as access and correction. ICEA Lion Insurance Kenya improved its performance, rising from 68% to 73%, indicating progress in pre-collection transparency and user rights recognition. In contrast, CIC Kenya experienced a significant decline, dropping from 76% last year to 52%, suggesting reduced clarity or completeness in disclosures related to data subject rights. This regression raises concerns about sustained compliance and consistency in privacy governance.
All companies were found to share personal data with third parties, but compliance levels in this area remain low across the sector, mirroring last year's findings. ICEA Lion Insurance leads with 38%, improving from 26%, which indicates some progress in disclosing third-party sharing practices. Jubilee Insurance Kenya scored 28%, slightly declining from 30%, while CIC Kenya maintained a low score of 26%. Britam Insurance Kenya recorded the lowest score at 16%, dropping from 26%. These results underscore a persistent weakness in transparency around third-party data transfers, including limited disclosure of recipient categories, data types shared, and safeguards in place, an area of heightened regulatory risk under data protection law.
All companies demonstrated efforts to secure personal data, with performance remaining relatively strong overall. Britam Insurance Kenya continues to lead, maintaining a high score of 83%, unchanged from last year. Jubilee Insurance Kenya improved to 67%, up from 61%, reflecting strengthened technical or organisational safeguards. By contrast, ICEA Lion Insurance's score declined sharply, falling from 78% to 50%, while CIC Kenya also dropped from 61% to 45%. These declines suggest potential gaps in the consistency or documentation of security measures and highlight the need for ongoing investment in data protection infrastructure and practices.
A notable improvement compared to last year is the availability of transparency reports. Jubilee Insurance Kenya, Britam Insurance Kenya, and CIC Kenya each published transparency reports, scoring 100%, a substantial improvement from 0% across the sector last year. This marks a positive step toward greater accountability and public disclosure. However, internal data breach resolution mechanisms remain weak, with little progress since last year. Jubilee Insurance Kenya scored only 17%, declining from 25%, while ICEA Lion Insurance and CIC Kenya both dropped from 8% to 0%. These persistently low scores indicate that most insurers lack clear, fair, and time-bound procedures for managing data breaches and notifying affected individuals, which remains a critical compliance gap.
Overall, the Kenyan insurance sector demonstrates strong commitment to foundational compliance, particularly in registration, privacy policy availability, and data security. Compared to last year, there are notable improvements in transparency reporting and selective gains in data subject rights and third-party disclosure. However, these gains are uneven and offset by regressions in key areas, including third-party data sharing clarity, data security consistency for some firms, and internal breach response mechanisms.
The sector's privacy frameworks reflect the heightened sensitivity of insurance data, including health information for medical underwriting, location data for motor insurance, and detailed risk profiling for actuarial analysis. While insurers show a sophisticated understanding of consent management and data use for pricing and risk assessment, persistent weaknesses in breach handling and third-party transparency continue to undermine full compliance with data protection laws. In sum, compared to last year, Kenya's insurance sector shows incremental but uneven progress. While transparency reporting has improved significantly, internal accountability mechanisms and comprehensive third-party data governance remain underdeveloped, posing ongoing risks to consumer trust and regulatory compliance.
Insurance Sector - Uganda
All assessed insurance companies in Uganda (UAP Old Mutual Uganda, Jubilee Insurance Uganda, Britam Uganda, and Sanlam Uganda) continued to fully comply with registration requirements with the national data protection regulator, each maintaining a perfect score of 100%, unchanged from last year. This sustained performance confirms that regulatory registration is now a baseline compliance requirement within the sector.
All companies also demonstrated continued efforts to maintain accessible privacy policies, although performance trends were mixed. UAP Old Mutual Uganda remains the sector leader, maintaining a strong score of 88%, consistent with last year. Britam Uganda and Jubilee Insurance Uganda each scored 75%; while Jubilee maintained its previous score, Britam experienced a decline from 88%, suggesting reduced visibility, clarity, or accessibility of its policy. Sanlam Uganda recorded the lowest score at 63%, representing a notable drop from 88% last year, and indicating a regression in policy accessibility.
Efforts to observe data subject rights improved overall compared to last year. UAP Old Mutual Uganda continued to lead, maintaining a score of 75%, reflecting a relatively mature approach to transparency and rights recognition. Jubilee Insurance Uganda showed notable improvement, increasing from 61% to 69%, while Britam Uganda also improved, rising from 52% to 58%. Sanlam Uganda maintained a score of 56%, showing no progress but also no decline.
These results indicate gradual strengthening of pre-collection transparency and user rights across the sector, though gaps remain in consistency and depth of implementation.
All companies were found to share personal data with third parties, but compliance in this area improved significantly compared to last year. Jubilee Insurance Uganda emerged as the strongest performer, increasing sharply from 24% to 70%, reflecting clearer disclosure and stronger safeguards around third-party access. UAP Old Mutual Uganda improved from 16% to 36%, Sanlam Uganda from 26% to 28%, and Britam Uganda from 16% to 26%.
Despite these gains, third-party data sharing remains a moderate-risk area, as disclosures are still often general and lack specificity regarding data types shared, safeguards applied, and law enforcement access conditions.
All companies demonstrated continued efforts to secure personal data, though performance shifted compared to last year. Britam Uganda remains the strongest performer, maintaining a high score of 83%. Jubilee Insurance Uganda declined to 72%, down from 83%, while UAP Old Mutual Uganda dropped to 61%, from 78%. Sanlam Uganda remained the weakest performer, maintaining a low score of 39%. These changes suggest that while baseline security measures remain in place, some insurers may not be consistently updating or documenting their technical and organisational safeguards.
A major improvement over last year is the availability of transparency reports. UAP Old Mutual Uganda, Jubilee Insurance Uganda, and Sanlam Uganda each published transparency reports, scoring 100%, compared to 0% across the sector last year. Britam Uganda remains the only insurer without a transparency report, maintaining a score of 0%. However, internal data breach resolution mechanisms remain weak, despite slight improvements. UAP Old Mutual Uganda leads with 33%, up from 17%, followed by Jubilee Insurance Uganda at 25%, also up from 17%. Britam Uganda improved marginally to 8%, from 0%, while Sanlam Uganda remained at 0%. These low scores indicate persistent deficiencies in clear reporting channels, investigation timelines, user notification, and impartial resolution procedures.
The insurance sector in Uganda demonstrates a relatively higher level of compliance compared to many other sectors, particularly in registration, policy availability, and gradual improvements in transparency reporting and third-party disclosure. UAP Old Mutual Uganda and Jubilee Insurance Uganda emerge as stronger performers, combining accessible privacy policies with moderate security, improved transparency, and clearer third-party data practices. UAP's privacy policy is highly visible, readable, and user-friendly, with a Hemingway readability score of 10, and is supported by an available transparency report. The policy clearly outlines data collection purposes, categories of data collected, lawful retention periods, behavioural marketing with opt-out options, and core data subject rights including access, correction, deletion, and complaint lodging. However, its approach to data breach management remains largely reactive, relying on statutory requirements rather than defined internal standards, with no clear timelines or investigative procedures.
Jubilee Insurance Uganda recorded the highest score on third-party data transfer, largely due to strict consent-based sharing practices and its refusal to share data with advertisers. Nonetheless, its limited reporting channels and lack of detailed breach-handling procedures constrain full compliance.
Britam Uganda, while strong on data security, continues to underperform on transparency and breach resolution. Its absence of a transparency report and lack of clear internal breach-handling procedures pose ongoing compliance risks.
Sanlam Uganda, despite having a transparency report, remains weak in data security and internal breach resolution, reflecting uneven implementation of privacy safeguards.
Compared to last year, Uganda's insurance sector shows measurable progress, particularly in third-party data transfer disclosures and transparency reporting. However, internal data breach resolution remains a systemic weakness, and recent declines in policy accessibility and data security for some firms suggest the need for renewed focus on sustaining compliance. In sum, while foundational compliance is strong and several indicators have improved, effective breach management, consistent security practices, and clearer accountability mechanisms remain critical gaps that must be addressed to ensure full alignment with data protection laws and to strengthen consumer trust.
