London Market Core Uses Information Notice
The LMA, with the IUA, LIIBA and BIBA, has published a London Insurance Market Core Uses Information Notice:
This Core Uses Information Notice is designed to help data subjects understand how various insurance market participants process their personal data in respect of core activities through the insurance lifecycle.
The notice is not designed to cover all processing activities of a market participant (e.g. it does not cover marketing activities) and therefore should not be used as a template. Market participants may still need to draft their own information notice in order to describe their processing activities and obtain any necessary consents.
The Core Uses Information Notice has two principal purposes:
- First, it is designed to assist the market participant, or its client with the interface with the data subject, to describe how the data subject’s personal data may be disclosed and used by other market participants for core activities during the insurance lifecycle. It is envisaged that market participants link to the Core Uses Information Notice from their own information notices. We are discussing with LMG the hosting of the Notice on their website with further guidance on its use.
- Secondly, it may be cross-referred in contractual documentation governing the receipt of such personal data when one market participant is relying on other market participants to provide notice or obtain consent on their behalf, for example in a TOBA or binding authority agreement. Market model agreements are under review.
The Notice includes a statement that it is necessary for the data subject to consent to certain processing of Special Category Personal Data (e.g. processing of health data where relevant) in order for the insurance market to function effectively. Despite potential difficulties with reliance on consent, it has been included in this Core Uses Information Notice as consent is, currently, the only ground that can be relied on for the processing of most Special Category Personal Data and criminal convictions data.
The EU General Data Protection Regulation (GDPR) includes rules on giving privacy information to data subjects in Articles 12, 13 and 14. These are more detailed and specific than in the Data Protection Act (1998) and place an emphasis on making information notices understandable and accessible.
The Information Commissioner’s Office (ICO) has published a revised Code of Practice on Privacy Notices, transparency and control (CoP) together with a checklist for privacy notices to help organisations to comply with the forthcoming UK Data Protection Act (the Bill is now in Parliament) and the requirements under the GDPR. The ICO recommends adopting a blended approach, using a number of different techniques in order to present information in a fair and transparent way, taking into account the audience, the available methods of communication and the complexity of the data processing.
The Core Uses Information Notice has taken into account the complexities of the insurance market, the GDPR requirements and the current guidance. It includes a ‘Data uses table’ at Appendix 1 to provide data subjects with transparency as to how their data may be used for core activities by each of the market participants in the insurance lifecycle. It should be noted that in order to be consumer friendly, it does not seek to explain all of the complex relationships in the Lloyd’s or London markets – rather it groups market participants into the broad categories of intermediaries, insurers and reinsurers.
The Core Uses Information Notice is a live working draft and will be reviewed at least quarterly. The UK Data Protection Bill, when enacted, may lead to changes in the Notice, as will further guidance from the ICO; we expect it to be further refined through market feedback and possibly through a consumer readability review.
As stated above, simply cross-referring to the Core Uses Information Notice may not guarantee GDPR compliance in relation to the matters covered in it; but widespread use will greatly assist in educating consumers consistently on how their personal data is used throughout the insurance lifecycle and thereby support each market participant’s own efforts to meet its obligations.
This Core Uses Information Notice is the result of significant work of the market associations and members participating on the LMA GDPR Focus Group; and also input from our panel of law firms: Clyde & Co, Norton Rose Fulbright and DAC Beachcroft.
Senior Executive, Legal & Compliance