
Data Protection Commission

Irish Insurance Federation - Complaint about information on central registry

My Office received a complaint from an individual regarding the refusal of the Irish Insurance Federation (IIF) to delete information from its central registry. The individual concerned had requested that the Irish Insurance Federation remove the details relating to her from the IIF central registry as she believed the information to be incorrect. Under Section 6 of the Data Protection Acts, 1988 and 2003, an individual can request a data controller, who keeps personal data relating to him/her, to have that data corrected or deleted if the information held is inaccurate.

My Office contacted the IIF, which is the representative body for insurance companies in Ireland. We established that, if an applicant for life assurance is declined or is offered insurance on special terms, then this fact will be noted on the central registry administered by the IIF. The entry in the Registry comprises the first three letters of the applicant's surname, the first five letters of the first name, the date of birth, together with the date and codes for the relevant insurer and the type of policy. The Registry does not contain medical information. (If an applicant is given life assurance without any special conditions he/she would not be entered in the Registry.) If an individual applies again for some form of cover, the insurance company to which the individual applies may seek a copy of any medical evidence obtained from the insurer to which the individual had previously applied in order to ensure that it is consistent with the new application. (This is an issue which I am taking up separately with the IIF during discussions on a Code of Practice.)

The IIF informed my Office that the information on its central registry in relation to the data subject concerned was correct, as a life assurance company had refused her a life assurance policy and the entry on the central registry reflected that fact. In addition, evidence was submitted to my Office to show that the data subject was made aware by the life assurance company at the time of her application for a policy that, in the event that she was declined life assurance or offered it with an increased premium, this information would be shared with the IIF central registry and with other insurance companies as a safeguard against non-disclosure or fraudulent claims. While I might have wished that this information would be more prominently positioned (again an issue that will feature in discussions on the Code of Practice), it was nevertheless provided to the data subject.

Following an investigation of the issues involved in this case, my Office contacted the complainant and explained that the information contained on the IIF central registry was factually correct and that she was not entitled to have the information deleted under Section 6 of the Data Protection Acts, 1988 and 2003.

I am grateful to the complainant for bringing this matter to my attention. In investigating her complaint, my Office became aware of the practice of the sharing of medical reports amongst life assurance companies in cases where cover was declined or offered on special terms. While I can see that this practice serves life assurance companies well as a safeguard against non-disclosure or fraudulent claims, I have to consider it in terms of the disclosure of sensitive personal data in the form of medical reports.

From a data protection perspective, there is a strong argument that the disclosure of medical records should be undertaken only with explicit consent, and the applicant for insurance should have a right to withhold their consent, but (one would assume) on the basis that it may mean a subsequent application to another company not progressing.