Data Protection Commission
 


Code of Practice on Data Protection for the Insurance Sector

(Approved by the Data Protection Commissioner under Section 13 (2) of the Data Protection Acts, 1988 and 2003)


Introduction

This Code of Practice is intended to confirm and clarify the nature of insurers’ responsibilities as “data controllers” under Irish Data Protection legislation. 

This Code applies to all personal data held by or on behalf of insurance companies established in the State.  This includes data relating to persons who hold policies (or who have applied for or held policies in the past) and any other individual whose claim is being assessed, processed or negotiated under a policy issued by an insurer. 

The Eight Rules of Data Protection require that a data controller must:

1.   OBTAIN AND PROCESS INFORMATION FAIRLY

The collection of data by insurers happens at three main stages:

  • the application or proposal stage, when the insurer requests relevant and appropriate information about the proposer’s health, financial situation and goals, driving history, claims experience and other information in order to assess the risk and determine the premium and any special provisions and to comply with the relevant identification and other requirements of the Criminal Justice Act, 1994 (as amended);
  • the term of the policy, during which premiums are paid and the policy is in force, administered by the insurer; and
  • claim stage when the insurer may again require detailed health and other information in order to assess whether a claim is payable under the policy, and if so, the correct amount of any claims payments.

Insurers will include on application forms, or other appropriate documentation, a clear statement advising the applicant of the identity of the data controller, the purpose of collecting the data, to whom it may be disclosed and any other relevant information necessary to ensure that all processing meets the requirements of fair processing.

Data may be obtained from the customer or someone acting on their behalf (e.g. an insurance intermediary or an employer).  In relation to the adding of named drivers to a policy, the customer will be made aware of their responsibility for ensuring that the consent of the named driver for the processing of his or her data by the insurer has been fully and fairly obtained.  Data are obtained from application forms, claim forms and other documentation completed or provided by the individual as well as through call centres or electronically e.g. by point of sale systems or over the internet.  Personal data may be kept on computer systems and/or in paper files. 

Where the claimant is a third party and would not otherwise have received information that could be deemed to provide for fair processing of their personal data, an appropriate fair processing notice will be made available at a suitable point in the business process, e.g. when responding to their solicitor or, if the claim has been dealt with entirely over the phone, upon issuing the claim cheque.  The notice will be reflective of the following template: 

“The information you provide to us as part of your claim application will be processed by us to confirm your identity, process your application and to record and cross reference particulars of your claim in insurance industry databases for fraud prevention purposes.  In certain cases, this may involve the sharing of your information with other insurance providers and private investigators. Guidelines for sharing of information in this regard are contained in a Code of Practice on Data Protection for the Insurance Sector which has been approved by the Data Protection Commissioner.”

Insurance policies should not, other than in compliance with a specific legal obligation such as that contained in the Road Traffic Acts, require as a condition of the policy the provision of personal data of potential claimants at a pre-claim stage of any incident (e.g. a workplace accident) that might lead to a claim.  Where notification is required of incidents that fall within the scope of the policy, this should take place by the provision of anonymised data only, except where there is clear evidence that a claim is likely to be made by the subject(s) of the report.

Insurers should have a written privacy policy setting out clearly the purposes for which personal data is processed, and will ensure that a privacy statement appears on websites where personal data is collected.

Where telephone conversations are recorded the customer must be advised accordingly and told for what purpose.  This also applies to the recording of outbound calls, if applicable.

Where insurers collect sensitive data including data relating to physical and mental health and criminal convictions, the data subject must give explicit consent to the processing unless the processing is otherwise permitted under another enactment.  Appropriate security measures should be put in place to ensure the confidentiality of the data.

Where information may be sought from other insurance companies that hold a policy or other relevant information about a risk, insurers must make it clear on application forms (for life assurance) or on application or claim forms (for non-life insurance) that such data will be sought, and must obtain the customer’s acknowledgement of this. Where the information to be disclosed is sensitive data, the explicit opt-in consent of the individual must be in place before the disclosure takes place.

Occasionally insurers may use other sources to verify independently information provided by the insured. These may include industry databases containing claims information.  Where this is the case, the insurer will ensure that a reference to the existence and purpose of any databases to be consulted is included in relevant customer documentation.

Where a private investigator may be instructed by an insurer to investigate a claim, this should be mentioned in relevant customer documentation.  Insurers will use licensed private investigators and contractually engage the private investigator on the basis that the private investigator will comply with applicable Data Protection legislation.  Instructions to private investigators should clearly state the investigations to be undertaken at the insurer’s request.  Insurers will have a written agreement in place with private investigators so that any disclosure of personal data to the private investigator from the insurer or, as appropriate, its agents (e.g. its solicitors), and vice versa, is compliant.  Such contracts shall ordinarily include terms reflecting those set out in the Appendix to this Code.  To further protect themselves, insurers should obtain appropriate indemnities from the private investigator in relation to any non-compliance with the Data Protection Acts by the private investigator.

Personal data will be processed only in accordance with the provisions of Data Protection legislation and this Code.

2. KEEP IT ONLY FOR ONE OR MORE SPECIFIED, EXPLICIT AND LAWFUL PURPOSES

Insurers will keep data for purposes that are specific, lawful and clearly stated.

Primary purposes include:

  • where relevant, the provision of advice as to the type of insurance policy to recommend;
  • the underwriting of the risk proposed;
  • the administration of the policy;
  • the assessment and processing of any claims arising under the policy;
  • compliance with regulatory, legal and tax laws and regulations; and
  • participation in internal or market-level statistical exercises.

Secondary purposes include the direct marketing of products to existing and potential customers. The table below describes the responsibilities in relation to marketing under the Data Protection Acts and the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations, 2003, as appropriate.  It is set out by category of recipient and by channel: mail-based direct marketing, text/email marketing (#) and phone marketing (*).  NDD refers to the National Directory Database.

Existing Customers#
  Mail-based Direct Marketing: An opt-out opportunity must be offered to the recipient of the marketing message.
  Text/Email Marketing#: An opt-out opportunity must be offered to the recipient of the marketing message at the time the details are collected and on the occasion of each message. Marketing can take place until such time as an opt-out is conveyed by the customer, provided that contact has taken place within a 12 month period.
  Phone Marketing*: Must respect any preferences which the customer must have been given an opportunity to indicate, in advance of such calls, regarding the receipt of marketing calls. Marketing can then take place until such time as an opt-out is conveyed by the customer.

Individuals who request quotes
  Mail-based Direct Marketing: An opportunity to opt out must be provided to the recipient of the marketing message.
  Text/Email Marketing#: An explicit opt-in to receive the marketing message is required from the individual.
  Phone Marketing*: Must respect any preferences conveyed by the customer regarding the receipt of marketing calls. Marketing can take place until such time as an opt-out is conveyed. An explicit opt-in is required if the person is on the NDD.

Individuals with no relationship with the company whatsoever
  Mail-based Direct Marketing: An opportunity to opt out must be provided to the individual, on the basis that their details were collected in line with the Data Protection Acts.
  Text/Email Marketing#: An explicit opt-in to receive the marketing message is required from the individual.
  Phone Marketing*: Must respect any preferences conveyed by the customer regarding the receipt of marketing calls. Marketing can take place until such time as an opt-out is conveyed. An explicit opt-in is required if the person is on the NDD.

Business Customer
  Mail-based Direct Marketing: Not covered by Data Protection unless a sole trader.
  Text/Email Marketing#: Marketing can take place until such time as an opt-out is conveyed by the recipient.
  Phone Marketing*: Marketing can take place until such time as an opt-out is conveyed. Must respect the NDD or any preferences conveyed by the customer.

# Where electronic contact details are obtained from a customer in the context of the sale of a product or service then e-mail and SMS marketing may take place if customers are given the opportunity to object to such use, free of charge and in an easy manner at the time the details are collected and on the occasion of each message sent.  Direct marketing of products to existing customers using such electronic contact details may only be in relation to the Insurer’s own similar products, [e.g. life assurance, breakdown cover, travel insurance, etc] unless the customer has explicitly opted-in to receiving more general marketing material. In order to be regarded as a customer, the Insurer must have sold a product or service to that individual or the individual must have given their contact details directly to the sender in connection with the sale of a product or service.

* When engaging in telephone based direct marketing, Insurers should consider paragraph 32 of the Financial Regulator’s Consumer Protection Code (when contacting a consumer who is an existing customer) and  paragraph 33 of the Financial Regulator’s Consumer Protection Code (when contacting a consumer other than an existing customer).

Where a policy was not incepted and the customer was given an opportunity not to receive direct marketing during the quotation process, the information provided may be used to direct market the customer the following year once one of the conditions in Paragraph 33 of the Financial Regulator’s Consumer Protection Code is met.  The customer can be contacted again in subsequent years as long as they are given an opportunity to opt out at each mailing and do not avail of this opportunity.

Where a policy quote is not incepted, the quote can only be kept for 15 months to check against fraudulent applications.

More detailed advice is contained on the website of the Data Protection Commissioner: www.dataprotection.ie

3. USE AND DISCLOSE IT ONLY IN WAYS COMPATIBLE WITH THESE PURPOSES

Insurers will ensure that any use and disclosure must be necessary for the purposes or compatible with the purposes for which the data is collected or otherwise in compliance with Data Protection legislation.

Persons to whom data may be disclosed include the following:

  • persons acting on the customer’s behalf e.g. insurance intermediaries, loss assessors, solicitors, executors, etc;
  • the Financial Services Ombudsman, the Pensions Ombudsman, the Financial Regulator or any equivalent foreign supervisory or complaints body to whom a complaint has been made;
  • other group companies (subject to disclosure of this fact to the customer);
  • other insurance companies, where this is clearly stated on the application or claim form or other correspondence with a claimant.  In the unlikely event of a mismatch occurring which results in the accidental disclosure of information to another insurer, the information will be destroyed immediately upon receipt;
  • the Irish Insurance Federation (IIF), which administers several databases on behalf of its members, or its agents. These are subject to similar confidentiality provisions as insurers’ own data files and act as a check against non-disclosure and fraud;
  • the Motor Insurers’ Bureau of Ireland;
  • the Garda Síochána, the Revenue Commissioners or any other person authorised by law to access customer records.  Such requests should be in writing and quoting the basis on which access is sought; 
  • agents of the insurer e.g. loss adjusters and other external investigators, medical practitioners, firms responsible for computer maintenance or similar services, solicitors, other subcontractors or advisers, etc; and 
  • reinsurers. 


4.    KEEP IT SAFE AND SECURE

Insurers will ensure that appropriate security measures are taken against unauthorised access to, or alteration, disclosure or destruction of the data and against their accidental loss or destruction.  This will include appropriate procedures in relation to back-up of data.  Particular focus should be placed on the security of personal data held on portable devices, with appropriate security measures such as encryption applied.

Going forward, developments of IT systems should ensure that access to personal data can be logged and audited.  This should include access on a read-only basis.  Such logs should be routinely checked on a random basis to ensure that access is appropriate. Where such systems are not in place, insurers have a duty to ensure that robust procedures for limiting access to personal data are in place, that staff are aware of these limits and that any breaches can be identified.

An appropriate external access policy should also be in place to ensure that only the data subject or their clearly chosen representative has access to their personal data during the course of a policy or claim.

Each insurer should have a confidentiality policy in place pertaining to the collection, processing, keeping and use of medical and sensitive data.  Access to sensitive data should be restricted to authorised staff.  In particular it is expected that access to sensitive medical information should be restricted to relevant underwriters, claims assessors and persons needing to access a particular file as part of their role.   
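As an added illustration of the logging, auditing and access-restriction expectations in this section (example code written for this page, not part of the Code and not any insurer's system): every read and write of a record is logged, sensitive medical records are readable only by staff in a medical role who are assigned to that file, unauthorised accesses are flagged, and a random sample of the remaining accesses is drawn for routine manual review.  The log format, the role names, the record identifiers and the file-assignment table are all assumptions made here for illustration; the sample log lines are constructed, not real data.

```python
"""Added example, not part of the Code: a minimal access-audit model for
sensitive (medical) records, in the spirit of Rule 4. The log format, role
names, record identifiers and file-assignment table are assumptions made
here for illustration, not anything the Code prescribes."""
import random
from dataclasses import dataclass

# Assumed role model: medical data is readable only by underwriters and
# claims assessors, and only on files they are assigned to.
MEDICAL_ROLES = {"underwriter", "claims_assessor"}

# Assumed assignment table: record -> staff with a role-based need for it.
ASSIGNMENTS = {"P-1001": {"uw01"}, "C-2002": {"ca07"}}


@dataclass(frozen=True)
class AccessEvent:
    """One parsed line of the access log; reads are logged as well as writes."""
    timestamp: str
    user: str
    role: str
    record: str
    action: str       # "read" or "write"
    sensitive: bool   # True when the record holds medical/sensitive data


def parse_log(text):
    """Parse the assumed 'timestamp key=value ...' log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AccessEvent(ts, kv["user"], kv["role"], kv["record"],
                                  kv["action"], kv["sensitive"] == "1"))
    return events


def is_authorised(ev):
    """Non-sensitive data is open to staff; sensitive data only to a
    medical role that is assigned to that particular file."""
    if not ev.sensitive:
        return True
    return ev.role in MEDICAL_ROLES and ev.user in ASSIGNMENTS.get(ev.record, set())


def review_log(events, sample_size, seed=None):
    """Flag every access that breaks the access rules, and draw a random
    sample of the remaining (authorised) accesses for routine manual review,
    matching the Code's call for random checks of access logs."""
    flagged = [e for e in events if not is_authorised(e)]
    routine = [e for e in events if is_authorised(e)]
    rng = random.Random(seed)
    sample = rng.sample(routine, min(sample_size, len(routine)))
    return flagged, sample


# Constructed sample log (not real data). Read-only accesses are included
# because the Code expects those to be logged too.
SAMPLE_LOG = """\
2008-08-20T09:01:10 user=uw01 role=underwriter record=P-1001 action=read sensitive=1
2008-08-20T09:05:42 user=ca07 role=claims_assessor record=C-2002 action=write sensitive=1
2008-08-20T09:07:03 user=mk03 role=marketing record=P-1001 action=read sensitive=1
2008-08-20T09:09:55 user=uw02 role=underwriter record=P-1001 action=read sensitive=1
2008-08-20T09:12:20 user=mk03 role=marketing record=P-1001 action=read sensitive=0
2008-08-20T09:15:01 user=it09 role=it_support record=C-2002 action=read sensitive=1
"""

if __name__ == "__main__":
    flagged, sample = review_log(parse_log(SAMPLE_LOG), sample_size=2, seed=1)
    for e in flagged:
        print(f"UNAUTHORISED  {e.timestamp} {e.user} ({e.role}) {e.action} {e.record}")
    for e in sample:
        print(f"FOR REVIEW    {e.timestamp} {e.user} ({e.role}) {e.action} {e.record}")
```

Run as written, the three flagged lines are the marketing user reading a medical record (wrong role), a second underwriter reading a file he is not assigned to (right role, no need for that file), and an IT support read of a medical record (read-only access is still an access).  The seed only makes the random sample reproducible for this illustration; a real review would draw a fresh sample each time.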

5. KEEP IT ACCURATE, COMPLETE AND UP-TO-DATE

Insurers will ensure that data is kept accurate, complete and up-to-date in accordance with the provisions of the Data Protection Acts.

This will be achieved through correction of incorrect data in line with the Data Protection Acts, including where the data subject identifies, in a verifiable way, that data is incorrect.  Each company should also have appropriate procedures in place to check the accuracy of information following its entry.


6. ENSURE THAT IT IS ADEQUATE, RELEVANT AND NOT EXCESSIVE
 
Insurers will not collect any more information than is necessary for the purposes described at 2 above.  The method of seeking information from customers will be checked on an ongoing basis to ensure that only relevant information is sought and provided.

For certain types of life assurance policies, particularly in relation to critical illness cover, an insurer may request information about a proposer’s family medical history.  This information will be used only in underwriting the proposer’s application (and any subsequent application) and will not be used in underwriting the application of any third party who is related to the applicant.  Appropriate access procedures will be in place to ensure that this practice is followed.

Insurers will comply with all other relevant statutory obligations, e.g., duties under the Equal Status Act to use only underwriting criteria which can be justified on commercial or actuarial grounds.  Section 9 outlines the procedures that will be followed where genetic information is provided.


7. RETAIN IT FOR NO LONGER THAN IS NECESSARY FOR THE PURPOSE OR PURPOSES

Insurers will have a written data retention policy.

Policyholder information will be held for a period of at least 6 years after the ending of the client/insurer relationship to take account of the insurer’s responsibilities under the Statute of Limitations, the Financial Regulator’s Consumer Protection Code and money laundering legislation. 

Limited policyholder information may be held, in narrow circumstances, for longer periods by insurance companies to allow for compliance with other various legislation requiring such information (e.g. Unclaimed Life Assurance Policies Act) or for other legitimate reasons permitted by the Data Protection Acts.

Where an individual proposes for but does not subsequently proceed with a life assurance policy, or is declined, underwriting details will be kept on file for a period of up to 6 years to facilitate a subsequent application or as a check against non-disclosure. 

In the case of non-life insurance, information may be retained for longer periods where it may be required for the investigation of future claims.

8. GIVE A COPY OF HIS/HER PERSONAL DATA TO THAT INDIVIDUAL, ON REQUEST

Insurers will have procedures in place to ensure that subject access requests are dealt with in accordance with the Data Protection Acts.

Where medical information is requested by the customer, the disclosure must be in accordance with the provisions of the Data Protection (Access Modifications) (Health) Regulations 1989.

There are limited circumstances under the Data Protection Acts when an insured person or claimant will not be permitted to see information which relates to an insurance company’s dealings with him/her.  These circumstances will generally be confined to the methods and results of the insurer’s investigation of a policy and/or legal liability in relation to the claim, any estimate of the insurer’s liability in respect of a claim, material whose release to the data subject may prejudice a criminal investigation and items which would be subject to legal privilege. 

In addition, any person who feels that an insurance company or the IIF may hold personal data in relation to them will, under Section 3 of the Data Protection Acts, on request be informed of the existence of such data, and be provided with a description of it and the purposes for which it is being kept.

9. SPECIAL PROVISIONS RELATING TO GENETIC TEST RESULTS

The Disability Act 2005 provides that the processing of genetic data in relation to insurance, life insurance, health insurance or health-related insurance, an occupational pension, a retirement annuity contract or any other pension arrangement is prohibited.

An Insurer will not request an applicant to have a genetic test.

Application or other forms which ask health questions of an individual or his/her doctor must not include any question about genetic tests.  Forms which ask health questions directly of the individual must include a form of words bringing to his/her attention the fact that he/she should not disclose a genetic test result.

Each request to a person’s GP, an independent doctor or a claims visitor to assess and/or examine an individual on an insurer’s behalf which may involve the taking of a health history other than by way of completing a standard medical examination report form must include a form of words bringing to the doctor’s attention the fact that he/she should not include any genetic test result in his/her report.

Despite the inclusion of the above wordings on relevant insurance forms it is possible that applicants, claimants or doctors will in some instances include genetic test results in such forms.

In the event of a genetic test result coming into the possession of an insurer, the genetic test result must be ignored and not taken account of by the insurer in any way whatsoever. This applies both to positive and negative test results. 
 
Genetic test results coming into an insurer’s possession in this way are likely to be included in the body of an application form or medical report. Ideally the genetic test results should be deleted from the paper and/or electronic file. Where this is not practical, a note should be made on the file confirming that the genetic test result has been ignored in accordance with the Disability Act 2005.

The handling of files including inadvertently disclosed genetic test results is a sensitive matter and one which must be dealt with properly in accordance with the Disability Act and this Code.  In the event that there is any doubt in relation to how such a file should be handled it should be referred to the underwriting manager.

20 August, 2008

Appendix

Guidelines for disclosure of personal information to Private Investigators

Any processing of information by private investigators, when undertaken on behalf of an insurance company, in the context of the assessment of a claim or other similar reason must be undertaken in full compliance with the Data Protection Acts.

The private investigator shall be expected to comply at all times with the Data Protection Acts and shall not perform their functions in such a way as to cause (the insurance company) to breach any of its obligations under the Data Protection Acts.

Any unauthorised processing, use or disclosure of personal data by the private investigator is strictly prohibited.

Where the private investigator, pursuant to its obligations under contract from the insurance company, processes the personal data of a policy holder, a claimant or other person on behalf of (the insurance company), the private investigator shall:

  • Process the personal data only in accordance with the specific instructions of the insurance company;
  • Process the personal data only as is necessary for the fulfilment of  its duties and obligations under the contract with the instructing insurance company;
  • Implement appropriate measures to protect against accidental loss, destruction, damage, alteration, disclosure or unlawful access to the personal data in their possession;
  • At the conclusion of each investigation deliver all data collected and processed under the contract of service to the instructing insurance company and delete all such personal data held by itself at that time;
  • Not further disclose the personal data to any other party except with the express approval of the  insurance company;
  • Not seek to access personal data held by other data controllers which is not in the public domain without the consent of the data subject or unless otherwise permitted by law.


Office of the Data Protection Commissioner. Canal House, Station Road, Portarlington, Co. Laois, Ireland.
LoCall 1890 25 22 31 - Phone 00353 57 868 4800 - Fax 00353 57 868 4757 - email info@dataprotection.ie