Data Protection Bill - House of Lords Third Reading
New basis to process selected Special Category Personal Data for insurance purposes
At the Third Reading on 17 January 2018, the House of Lords passed a Government-tabled amendment to Schedule 1 of the Data Protection Bill, which provides insurers with a new ground to process selected types of Special Category Personal Data, including health and criminal conviction data.
The General Data Protection Regulation (GDPR) does not provide a satisfactory basis for processing special category personal data (including health) and criminal conviction data for the insurance industry. The GDPR processing ground of “explicit consent” is problematic; and the other available ground for insurance business, relating to processing of “legal claims”, is useful but narrow. However, EU member states have the ability to make further provisions in national law in certain areas and the House of Lords has now done so under GDPR Article 9(2)(g). This new ground will be enacted if the Bill, as amended, is passed in the House of Commons and gains Royal Assent.
The initial version of the Data Protection Bill published last year did not make any further insurance-specific provisions save for limited exceptions (in what were paragraphs 14 and 15 of Schedule 1 Part 2) for processing health data of immediate family members of the insured and for beneficiaries of group policies. This left unresolved the industry-wide problem of “explicit consent” being effectively the only available processing ground. Under GDPR, this requires an act of specific affirmation by the data subject; that controllers individually specify and obtain consent for all uses to which the data would be put and third parties to whom it would be passed; and that consent must be capable of being withdrawn without detriment to the data subject.
The consent regime therefore presents enormous challenges for the insurance industry and these points were discussed in detail with the Department for Digital, Culture, Media and Sport (DCMS) and interested Peers, including:
- the resource and logistical demands of a new GDPR-compliant consent process
- the need to obtain new, GDPR-compliant, consent for auto-renewing policies
- the inability to pass special category and criminal conviction data to third parties in supply chains (such as reinsurers or loss adjusters) who were unknown when consent was obtained
- the impossibility of validating claims if consent was withdrawn
- one co-insured being unable to provide consent to process personal data of another co-insured
- family members being limited too narrowly both by relationship and only for certain products in the initial Data Protection Bill derogation.
The problems relating to the processing of special category personal data, and to “explicit consent” as a processing ground in particular, were recognised by a number of Peers and amendments were put down at various stages of the Data Protection Bill in the House of Lords. The government also recognised the problem and the DCMS Bill team then worked with the LMA and ABI on an amendment to address this.
That amendment as finally drafted was passed at Third Reading and introduces a new paragraph 15 to Schedule 1, Part 2 as well as a new paragraph 32 to Schedule 1 Part 3 (paragraphs 14 and 15 of Schedule 1 of the original Bill are replaced). These provide a new condition for processing certain special category personal data (including health data) and criminal conviction data “if the processing is necessary for an insurance purpose”.
A link to the Bill (as passed by the House of Lords) is provided here.
The new paragraphs are at pages 126 and 133 and are also set out in the appendix (linked here and below).
“Insurance purpose” is defined to include advising, arranging, underwriting, administering, administering a claim under, exercising a right or complying with an obligation under, an insurance contract. The government has confirmed that “insurance” includes “reinsurance”.
There are a number of safeguards. The most important is that the processing must be “necessary” for the insurance process.
In addition, to process special category personal data, the condition is only met if the processing “is necessary for reasons of substantial public interest”. This is discussed below.
Substantial Public Interest
We expressed concerns to DCMS about the interpretation of a requirement that the processing must be necessary in the substantial public interest. This term, borrowed from GDPR, would not sit comfortably with the processing of an individual transaction for insurance purposes, e.g. the processing of a particular proposal form or claim. This matter has been resolved in two ways:
- During the Third Reading, Lord Ashton, the Minister responsible, recognised the fundamental importance of insurance products; that they are vital to the public at large, which relies on them for protection; and that “ensuring the availability of insurance at a reasonable cost to members of the public through risk-based pricing, the ability to detect and investigate fraudulent claims and the efficient administration and payment of insurance claims are matters of substantial public interest”. He noted that this is counter-balanced by the requirement that the data controller considers whether, in respect of a particular processing activity, the processing is necessary for a purpose that is in the public interest – e.g. the provision of insurance, detection of fraud and payment of claims.
- The ICO has confirmed as follows: “Our approach would be that it is the overall purpose for the processing that must be in the substantial public interest rather than the specific personal data or isolated processing activity... This broadly means it must be a reasonable and targeted way to help achieve that purpose, and there is no other reasonable and less intrusive means of achieving the purpose. In other words, a controller does not need to show that each specific occurrence of processing/piece of personal data is ‘in the substantial public interest’ in isolation. However, they must identify an overarching substantial public interest purpose, and be able to show that each processing activity/specific personal data is necessary and proportionate for that purpose.”
Data Protection Policy and other safeguards
At Third Reading, the Minister outlined other safeguards set out within the amendment. For example, where a data subject does not have rights or obligations in respect of the insurance contract (such as a witness to an event giving rise to a claim), processing of special category data is only permitted if the controller cannot reasonably be expected to obtain the consent of that data subject and is not aware of the data subject withholding consent. The reasoning is that such a person has no ability, or only a restricted ability, to stop the processing, for example by cancelling a policy.
Importantly, the Minister drew attention to the existing requirement in the Bill (Schedule 1, Part 2 paragraph 5 and Schedule 1, Part 4) that data controllers relying on Schedule 1, Part 2 conditions, and hence this new insurance condition, will be required to have an appropriate policy document in place. This will be the subject of further consideration by the LMA and member communication.
Please note: we do not plan to amend the London Market Core Uses Information Notice (which is a working draft) in relation to this new processing ground until the Data Protection Bill is enacted (expected to be in March 2018).
We are grateful to Peers who have proposed the insurance amendments, to DCMS and the Bill team, and to DAC Beachcroft which has worked with the LMA and ABI on this matter.
Any queries regarding this bulletin should be addressed to Kees van der Klugt: email@example.com.
Kees van der Klugt
Legal & Compliance Director