The General Data Protection Regulation (GDPR) will come into effect in the UK on 25 May 2018. A new Data Protection Bill currently progressing through Parliament will repeal and replace the current Data Protection Act, apply and supplement the GDPR and ensure that on leaving the EU the UK has an “adequate” data protection regime so that personal data transfers from the EU to the UK can continue. Insurers have long been concerned about the impact of the legislation on their business but a new amendment will go some way to relieving those concerns.
Under the GDPR certain special categories of personal data (including health) and criminal convictions can only be processed on very narrow grounds, including, most relevantly for insurers, explicit consent. Explicit consent as a ground for processing can, however, be problematic as it involves clear and unambiguous consent to all uses to which the data could be put and to all third parties to whom it may be passed. Further, the data subject must be able to withdraw such consent without detriment. This could present challenges in the insurance context for example, in relation to the processing of information when policies renew automatically, when passing information to third parties such as loss adjusters whose involvement may not have been foreseen when consent was obtained and in dealing with claims where consent to processing is withdrawn.
The GDPR permits EU member states to make further provisions in national law in relation to certain areas and, following representations from the insurance industry, an amendment has been introduced to the Data Protection Bill by the House of Lords to deal with processing. The amendment adds a new basis for processing certain special categories of personal data (namely data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health) “if the processing is necessary for an insurance purpose”. “Insurance purpose” is defined to include advising, arranging, underwriting, administering, administering a claim under, exercising a right or complying with an obligation under, an insurance contract. “Insurance” will include “reinsurance”.
In addition, to process special category personal data, the processing must be “necessary for reasons of substantial public interest”. The Information Commissioners Office has indicated that a controller will not need to show that each specific occurrence of processing/piece of personal data is in the substantial public interest but must identify an overarching substantial public interest purpose (e.g. the provision of insurance, detection of fraud and payment of claims) and be able to show that the specific processing is necessary and proportionate for that purpose.
There is also an existing requirement in the Bill that data controllers relying on the schedule that includes this new insurance condition will be required to have an appropriate policy document in place.
This amendment represents an important concession to insurers and will become law if the Bill, as amended, is passed in the House of Commons and gains Royal Assent.