
Data Protection Commission

Data Protection Commissioner publishes new Data Protection Code of Practice for the Insurance Sector

The Office of the Data Protection Commissioner today, 20 August, published a data protection Code of Practice for the insurance sector in Ireland. The Data Protection Commissioner has approved the Code under Section 13 of the Data Protection Acts.

The Code was prepared against a backdrop of significant public concern arising from media reports last year that personal information held by the Gardaí and by the Department of Social & Family Affairs was being routinely accessed by private investigators acting on behalf of insurance companies.  This was confirmed by the Office's own investigations of insurance companies at the time.  The Code is the latest stage in the response of the Office to those issues and follows the launch last year of a data protection code of practice for An Garda Síochána - http://www.garda.ie/faq.html#C3 and the publication in recent weeks of an extensive data protection audit conducted in the Department of Social & Family Affairs in January of this year - http://www.welfare.ie/press/pr08/pr310708.html

The Code was the subject of extensive discussion with the Irish Insurance Federation and individual insurance companies.  The Code provides a clear framework for insurance companies to process their customer data in accordance with the Data Protection Acts and will also act as an assessment tool for the examination of any complaints received by the Data Protection Commissioner in relation to the handling of personal data within the insurance sector.

Deputy Data Protection Commissioner, Gary Davis, indicated that, "We have made it a priority to bring this Code to a conclusion. The insurance sector holds extensive personal data, some of it extremely sensitive, on a large part of the population. I hope and expect that the publication of the Code will bring about improvements in data protection compliance in the insurance sector that benefit both the sector and the consumer. The Code clarifies how data protection rules apply specifically in the insurance sector, making it simpler for the sector to meet its obligations in relation to its handling of personal information."

He added, "I expect that the Code will help consumers by removing some of the mystery of how their personal data is used in the insurance sector and thereby better informing them of what standards they should expect in this respect".


Contact: Lisa McGann  057 868 4800
Email: lmcgann@dataprotection.ie

Notes for Editors
The Data Protection Acts provide for the preparation of sector-specific codes of practice to allow for a better understanding of the requirements of the Acts.  This is a realisation that in some instances the basic statutory data protection requirements as they are applied within particular sectors can benefit from more detail.  The provisions of the Data Protection Acts allow for sectors themselves to bring forward codes, for the Data Protection Commissioner to propose a code and even, should the circumstances warrant it, for the imposition of a code with statutory effect on a particular sector, following approval of it by the Oireachtas.  Equally it is open for any code agreed in a consensus fashion with a particular sector to be given a statutory basis should that be deemed appropriate.
This Code provides, inter alia, for:

  • improvements in information and options available to customers on the use of their personal data
  • the use by insurers of only licensed private investigators and that they contractually engage the private investigator on the basis that the private investigator will comply with applicable Data Protection legislation
  • specific periods for which customer data may be held and used
  • the circumstances in which personal data may be shared with other bodies
  • procedures for keeping data secure
  • ensuring that only necessary information is sought by insurance companies