Steve Morrell of the LMA said: “The insurance industry takes the protection of personal data very seriously and we welcome the strengthening of consumers’ rights to manage their data. We don’t think it is the intention of the ICO to prejudice the provision of valuable and necessary products and services to consumers. However, the current drafting of the ICO guidance could make that an unfortunate unintended consequence.”
The Lloyd’s Market Association has coordinated an industry response to the Information Commissioner’s Office (ICO) on its guidance on how firms should obtain explicit consent from policyholders and beneficiaries of insurance cover for the processing of sensitive personal data. This is a vital legal ground for the processing of such data under the GDPR and clarity is essential.
There are many insurance products which rely on the provision of personal data for arranging and underwriting purposes and when claims arise. When this involves, for example, health or travel insurance, some of this data is inevitably sensitive (Special Category data under the GDPR). If a policyholder wants insurance protection, then clearly this goes hand-in-hand with the provision of necessary data – and the same applies when they want a claim paid (i.e. consent is a pre-condition to the insurance cover). This needs to be recognised by the ICO.
Unlike the healthcare sector, which has a specific ground under the GDPR for processing sensitive personal data, the insurance industry has no such ground. Either the ICO’s guidance must clearly acknowledge and allow consent to go hand-in-hand with the provision of the service, or we need a dedicated legal ground for processing such data.
To this end, the LMA, ABI, IUA, BIBA, LIIBA and BIPAR have made a joint representation to the ICO and have also asked the Department of Culture Media and Sport (DCMS) to consider a new dedicated processing ground, which it has power to make.
The associations have worked with DAC Beachcroft, Norton Rose Fulbright and Clyde & Co in putting together these submissions.
Helen Baker, partner at Sackers, explains that now is the time for pension schemes to start preparing to comply with the looming regulation:
“The GDPR tightens the requirements which impact how pension schemes obtain member consent for the data they hold and process. Under GDPR, consent must be “freely given, specific and informed” and, once given, can be withdrawn at any time. Where consent is the legal basis for processing data, pension schemes, as holders of large amounts of member data, must check that the new requirements are met. Consent may need to be given again where the new requirements were not met and the data is still required to provide benefits.
“Schemes will need to provide more information to members about data. Members will need to be told about the purpose of processing, the legal basis for processing and who receives data. They should also be given information about transfers of data outside of the EU. How long data will be kept for will need to be explained, and so will the rights members will have under the GDPR.
“Trustees, employers and providers should kick-start their preparations for GDPR now to ensure that they are ready for the May 2018 implementation deadline. While guidance on some aspects of the GDPR is awaited from the ICO consultation, this will supplement the Regulation itself. There is currently enough detail in the Regulation for trustees to begin taking steps to comply with GDPR, by assessing the legal basis on which the data is held. This should include an audit of existing data to check what is being held, why, how long for and whether it is still needed.
“Trustees should also look at the circumstances in which data may be disclosed to external parties and seek advice on the changes needed to existing and new contracts, to ensure compliance and that terms relating to the allocation of risk and caps on risk are appropriate for data protection claims. UK schemes will not escape the Directive post-Brexit. It is expected that the UK will need something akin to GDPR in place to continue doing business in Europe.”