Insurers developing data sharing protocols after industry body raises data protection concerns

Out-Law News | 07 Aug 2013 | 11:13 am | 1 min. read

New protocols for sharing insurance policy holders' personal information with rival companies are being developed by an insurance industry body.

The Chartered Insurance Institute (CII) said that the protocols were in development to counter concerns about current data sharing practices in the industry. It said some companies' requests for access to personal data held by rivals may not be compliant with data protection laws and that, additionally, the volume of data sharing is currently "unmanageable" and actually hindering investigations into alleged insurance fraud for which the data is sought.

Under Section 29 of the Data Protection Act (DPA) organisations are generally freed from conditions placed on the legitimate processing of personal data, such as the need to obtain individuals' consent for such processing, where the processing takes place for the purpose of preventing or detecting crime.

The Act permits companies to share personal information they hold with others for the purpose of preventing or detecting crime without informing individuals concerned if doing so would be likely to prejudice such investigations.

The CII's New Generation Claims Group has conducted a six month study into insurance industry data sharing practices. It found some problems with existing practices, including that inter-company data requests were high in volume but poor in quality. It said there was a lack of industry consistency over the way requests are presented and confusion over what makes data requests compliant with the DPA.

In addition, the Group said that other principal problems it identified were the poor or non-existent responses to data requests within the industry and that there is a "lack of centralised management information" about the data sharing provisions of the DPA.

"Our stakeholder questionnaire told us that there were over 21,000 requests going out per year and that was across just 10 of the organisations who responded," Jenny Neale, risk manager at Ecclesiastical and spokesperson for the CII's New Generation Claims Group, said in a statement. "A large number of these requests just aren't dealt with and even when they are the response time to these requests varied anywhere from a week to 12 weeks."

"The group is now focusing on identifying a solution to the problem which is likely to comprise an industry protocol setting out how Section 29(3) should be used, complete with templates for data sharing and specified timeframes in which to respond," Ant Gould, director of faculties at the CII, added. "The protocol is currently in development with supervision from the CII's Claims Faculty board and is scheduled for launch in autumn 2013."