Data Protection Commissioner

Frequently Asked Questions - FAQ

13. Data Protection in the Banking and Insurance Sectors


13.1 Can a lender (who is not a member of the ICB) request a prospective borrower to carry out an ICB credit check for submission to the lender as part of the loan application process?

No. It is an offence under Section 4 (13) of the Data Protection Acts to require an individual to make an access request in such circumstances. For more information see Enforced Subject Access Requests.


13.2 My personal information has been passed to a debt collection agency?

The provision of personal details to a debt collection agency to pursue a debt on behalf of a business does not give rise to any data protection concerns, provided an acceptable data protection contract was in place between the two entities. For instance, the debt collection agency would only be able to use the data provided for the purpose of pursuing the debt. This Office would consider it good practice in any case to highlight the possible use of a debt collection agency in a "terms and conditions" document.


13.3 What information is shared within the Insurance sector?

The insurance sector (both insurance companies and entities which self-insure) operates a database known as Insurance Link which contains information on all claims submitted within the previous ten years. It lists claims by name, address, nature of claim, date of claim and insurance company. If you wish to establish what information, if any, is held about you on Insurance Link, you can do so by following the procedures outlined on www.inslink.ie. If there are any inaccuracies, you can apply via the website to have them corrected.


13.4 Can a financial institution ask for my PPSN when I am opening a new account?

From 1st January 2009, financial institutions are required to seek the PPSN of all persons opening a new account in accordance with the Return of Payments Regulations (S.I. No 136 of 2008).


The Revenue Commissioners, following consultation with this Office, developed guidance in this area which is available on its website. These guidelines state that 'while there is a requirement in Regulation 7 (4)(a) to seek the tax reference number (including PPSN)', this does not equate to an obligation on the part of your bank to collect this information. Account opening can proceed if a person does not provide their PPSN. In addition, Regulation 7 (8) sets out that the PPSN can only be sought by the financial institution for the purposes of making the return to Revenue and for no other purpose.


13.5 How long can an insurance quote be held for?

This is an issue that is covered in the Code of Practice for the Insurance Sector. Where a policy was not incepted and the customer was given an opportunity not to receive direct marketing during the quotation process, the information provided may be used to direct market the customer the following year. An explicit opt-in will be required if it is intended to direct market the customer by phone or electronic means including email or text message.

Where an insurance policy quote is not incepted, the quote can only be kept for 15 months to check against fraudulent applications. However, where an individual proposes for but does not subsequently proceed with a life assurance policy, or is declined, underwriting details may be kept on file for a period of up to 6 years to facilitate a subsequent application or as a check against non-disclosure.


13.6 Can my insurance company request a copy of my full medical records from my GP?

The Code of Practice for the Insurance Sector states that "for certain types of life assurance policies, particularly in relation to critical illness cover, an insurer may request information about a proposer's family medical history". It would be the view of this Office that this would not generally extend to the seeking of complete medical files, which could be considered excessive. We generally recommend that a proportionality test should be applied; only seeking access to information that is directly relevant to the particular claim/application.

The following extract from the ICGP's "Guide to Data Protection Legislation for the Irish General Practice", compiled in consultation with this Office, provides guidance to GPs in relation to the completion of Private Medical Attendant Reports:

"The completion of private medical attendant reports for GPs on behalf of their patients has long been an area of concern. In many cases patients do not appear to be aware of the extent of information sought about their health by the insurance companies. Nor do they appear to be aware of the implications of adverse health information and that insurance companies are allowed to share "adverse" health information with each other. GPs can easily get caught up in a dispute between patients and their insurance companies and patients can feel angry that GPs have disclosed information to insurance companies even though they have provided consent. In order to protect the GP and the patient from the negative effects of this practice the GP should:

  • Ensure written consent is provided with every request for a PMA report.
  • Not send actual copies of recorded consultations.
  • Not send specialist reports even if these are requested by the company. These can be sought together with an opinion on their relevance from the specialist separately if the company so wishes.
  • Include in your patient information leaflet the fact that medical information is passed on to insurance companies (as is standard practice) on receipt of a signed consent form by the patient.

Some GPs offer patients the opportunity to review their PMA report before it is returned to the insurance company, particularly if it is likely to have a negative impact on their insurance risk. GPs may wish to consider this action, where they have concerns that the patient has consented to what may be considered excessive disclosure of their information, to ensure the patient fully understands the nature of the consent provided.

In the completion of PMA reports it is important that GPs do not suppress or omit information in order to help patients avoid financial "loading" by the insurance company. To do so would make the policy invalid and could leave the GP exposed to legal action. If patients are unhappy with the terms offered based on medical information provided by the GP they should be referred to the chief medical officer of the insurance company in the first instance and failing this, the Financial Services Ombudsman www.financialombudsman.ie and/or the Equality Authority www.equality.ie who may be able to help."


13.7 Can an organisation retain my credit card / bank account details after I close my account with that organisation?

Section 2(1)(c)(iv) of the Acts provides that "the data shall not be kept for longer than is necessary for that purpose or those purposes [for which it was obtained]". Where the purpose for which the information was obtained has ceased and the personal information is no longer required, the data must be deleted or disposed of in a secure manner. Information should never be kept 'just in case' a use can be found for it in the future.

The Data Protection Acts do not specify a maximum retention period and accordingly it is a matter for the data controller to decide on an appropriate retention policy based on the circumstances and the reason why the information is being retained. We would not generally raise an issue from a data protection perspective with a retention policy that provides for banking information to be retained for a short period following termination of a customer contract in order to deal with any subsequent queries about payments made on the account/closing balances etc. We would not expect that such companies would be required to delete a person's bank details immediately when a person requests the closure of their account.


13.8 Can an organisation re-use my retained credit card information for a subsequent purpose?

Where personal data stored on a credit/debit card is collected for the purpose of a transaction, unless it is clearly stated, it can be assumed that the purpose for its collection ends following a certain period following completion of the payment for a product or service (to allow for follow-up payment related queries).

Where an organisation retains personal data for automatic renewal of a subscription service, we would expect the customer to have agreed in some way to this further processing. Where an organisation can point to an ongoing customer relationship and where it is using payment details in line with the terms and conditions which it outlined at the time the person signed up for the product/service, then the use of the credit card details in an auto-renewal transaction will not likely give rise to a data protection issue.