BIBA response to the Consultation paper on the use and sharing of personal information in the public and private sectors

15th February 2008

The British Insurance Brokers’ Association (BIBA) is the UK’s leading general insurance intermediary organisation. We represent the interests of insurance brokers, intermediaries and their customers.


 


BIBA represents over 2,300 insurance intermediaries including 98 of the UK’s top 100 firms. Our members handle about half the value of all UK home, contents, motor, travel, commercial and industrial insurance policies. Independent insurance intermediaries distribute nearly two-thirds of all UK general insurance, of which BIBA members account for more than 80%. They also introduce £22 billion of premium income into London’s insurance market each year.


 


BIBA is pleased to have the opportunity to respond to the consultation paper on the use and sharing of personal information in the public and private sectors on behalf of its collective membership.


 


Our responses to the 28 questions set out are as follows:


 


Section 1: Background


 



  1. Please explain what your interest in information sharing is. If you have an active involvement in personal information sharing, we would be grateful for the following information:

 




    • What kinds of personal information do you collect, hold and share?

BIBA members collect, hold and share a wide variety of their clients’ personal information, for example details of name, date of birth, health issues and bank account information.


 




    • How do you collect, hold and share such personal information?

The information is collected in a variety of ways both physical and electronic from face to face meetings, the telephone, by internet or email and through completion of questionnaires / forms. It is shared with the insurance companies that the broker seeks to place the risk with, while looking for the best deal while performing their duties as agent of the client. When the client agrees to go on risk with a particular insurer the broker will share all information with that insurer along with other providers, for example premium finance companies and claims management companies.


 




    • For what purpose do you collect, hold and share such personal information?

For arranging and advising on a contract of insurance and for financial promotions for that client.


 


 


Section 2: Scope of personal information sharing, including benefits, barriers and risks of data sharing and data protection


 



  2. What in your view are the key benefits of sharing personal information to a) individuals and b) society? Please provide examples.

Brokers find there are no benefits to society of sharing personal information. There may be benefits to individuals during a claim where information is passed to a claims management company who will assist with client support. In these scenarios data protection requirements would be addressed in the contract between the broker and the broker’s partner providing specific support.


 



  3. What in your view are the key risks of sharing personal information to a) individuals and b) society? Please provide examples.

The risks of sharing personal information include fraud, identity theft and damage to an individual’s reputation or feelings.


 



  4. As mentioned in the introduction, there are wide variations in the scope and methods of personal information sharing. What scope and what methods, in your view, pose the greatest opportunities or risks? Please explain the reasoning behind your response.

In accordance with the data protection principles, we believe that the times when personal information sharing poses the greatest opportunity for risk is if this data were to be passed outside the European Economic Area, where data is kept longer than is necessary and when data is not kept up to date or kept within a secure environment. Rather than data being loaded onto laptops and removed from the secure premises, staff should instead log on remotely using a password to the server.


 



  5. Please provide examples of where, in your view, the public authorities hold too much data or not enough personal information, and the reasoning behind your response.

BIBA feels it inappropriate to comment.


 



  6. Please provide examples of where, in your view, private sector organisations hold too much data or not enough personal information, and the reasoning behind your response.

The level of data is not important but what is important is what they do with it and how they secure such data.


 



  7. Please provide examples of cases where you believe the sharing of personal information between two or more bodies would be beneficial, but where it is not currently taking place. Please explain as fully as possible why information is not being shared, detailing what barriers to the sharing of personal information are – e.g. legal, cultural, financial, institutional – and how these barriers can be overcome.

For an insurance broker to perform his job as agent of the client and seek the best deal for his client every year, he is reliant on cooperation from the insurer to advise the broker of details of claims occurring during the insurance year. However, some medical insurers are refusing to pass on details of claims caused by medical conditions to the broker, citing the Data Protection Act as preventing them from doing this.


 


BIBA believe that as agent of the client the insurer should fully cooperate with the holding broker at all times. 


 


BIBA is concerned that certain insurers are withholding information in order to prevent the broker from re-broking the risk at renewal. This is not in the best interest of the client and BIBA would like to see this point resolved following this review.


 


The transfer of no claims bonus from one motor insurer to another is only allowed with the customer’s consent. This causes delay to the industry and should be reviewed.


 



  8. Please provide examples of cases where you believe that personal information is being shared between two or more bodies, but where this should not be taking place. Please describe the information-sharing concerned and why you believe it should not be taking place, including the risks involved in such information-sharing.

BIBA feels it inappropriate to comment.


 


 


Section 3: The legal framework


 



  9. In your view, how well does the DPA work? Please outline the DPA’s main strengths and weaknesses and any proposals for change you would like to see made, including suggestions for their implementation.

The Act works reasonably well for our purposes but it is the misinterpretation of the Act by certain parties that causes the problems highlighted in question 7.


 



  10. In your view, how well do public authorities and private organisations adhere to the second principle of the DPA? How valuable do you believe the second principle is? Please provide examples and the reasoning behind your response.

BIBA feels it inappropriate to comment.


 



  11. What technical, institutional or societal barriers stand in the way of the effectiveness of the DPA? Please provide examples.

BIBA feels it inappropriate to comment.


 



  12. What further powers, safeguards, sanctions or provisions do you believe should be included in the DPA?

Please refer to question 7.


 



  13. Are there any other aspects of UK or EU law (such as EU Directive 95/46/EC) that impact positively or negatively on data sharing or data protection? Please provide examples.

BIBA feels it inappropriate to comment.


 


 


 



  14. Are there any statutory powers unavailable that would enable better and more secure sharing of personal information – for example for identity authentication purposes – between a) public authorities and b) public authorities and private organisations? If so what are they? Please provide examples and any steps you believe could be taken to improve matters.

BIBA feels it inappropriate to comment.


 



  15. Are there any parts of the legal framework that place unreasonable burden on business? Please provide examples. Please outline your proposals for streamlining the legislation to ensure that such burdens are minimised.

BIBA feels it inappropriate to comment.


 



  16. Is it clear whether and when you need individuals’ consent to share information about them? Are you clear about the form that consent should take? Please provide examples. Please provide details of any initiative you have been involved in that has been based on content.

BIBA feels it inappropriate to comment.


 



  17. What, if any, barriers would a requirement for gaining consent create to the sharing of personal information? Please explain your reasoning.

BIBA feels it inappropriate to comment.


 



  18. Do you have any suggestions on how to make the sharing of information more transparent? For example, should individuals be given strengthened access rights? And if so, how? Should organisations be expected to do more to explain their use and sharing of personal information to the public? And if so, how?

The individual should have the right of access to their data for no charge at any time. If databases of personal information are being traded there should be a requirement that the information is still accurate before it is sold; moreover, prior to use, the purchaser should seek the approval of the individual and explain why they have purchased the data.


 



  19. How can we best ensure that information sharing policy is developed in a way that ensures proper transparency, scrutiny and accountability? For example: In your view, how valuable is the Information Commissioner’s recently published Framework code of practice for sharing personal information? In your view, how valuable are privacy impact assessments along the lines announced by the Information Commissioner on 11 December?

Please see our comments below on the Information Commissioner’s Framework code of practice for sharing personal information:


 


On page 7, Code of practice recommended content: point 1. Deciding to share personal information, it is stated that ‘any information shared must be relevant and not excessive’. BIBA would query whether this is a commercial activity or not, as different pressures would come into play in each.


 


On page 7, under points to remember point 1, it is stated that ‘Before you start sharing information you should decide and document the objective that it is meant to achieve’. BIBA believe that this should be relayed to the customer.


 


 


On page 8, point 7, it is stated that ‘Sometimes data protection law only requires that the individual knows about the sharing of information, it is not always necessary to obtain his or her consent for this’. BIBA would query whether this is right and why?


 


On page 9, Fairness and transparency under points to remember, point 1. it is stated that ‘Fair processing notices, or ‘privacy policies’ as they are sometimes known, are intended to inform the people the information is about how it will be shared and what it will be used for’. BIBA would query whether this is applicable to the initial collator of data or the purchaser or second purchaser etc.?


 


On page 10, point 4 states that ‘Sometimes people will have questions about how information about them is being shared, or may object to this. It is good practice for organisations to have systems in place for dealing with enquiries about information sharing in a timely manner’. BIBA would question whether this should take place before, during or after sharing? What depth of information is being held by each?


 


BIBA agrees with point 5, which states that ‘There are cases where it is legitimate to share information without a person’s knowledge or consent. This might be the case where failure to share information about a parent’s lifestyle would put a child at risk’. Computation of data must be relevant as per the 8 principles of data protection.


 


On page 11, Information standards under point 1, it is stated that ‘In general, any plan to share information should trigger action to make sure that inaccurate records are corrected, irrelevant ones weeded out, out-of-date ones updated and so on’. If the information is outdated why is it being held? Remember the 8 principles of data protection.


 


Point one of this section also states that ‘It can be very difficult to make sure that an organisation’s collection of paper records is corrected once an inaccuracy is detected’. BIBA would question storage and disposal of such medium.


 


Page 13, Retention of shared information, under points to remember, point 2 BIBA agree with the statement that ‘If records that are being retained are not being used, this would call into question the need to retain them.’


 


On page 14, under point 4, it is stated that ‘There is a significant difference between permanently, irreversibly deleting a record and merely archiving it. If you merely archive a record or store it ‘off-line’ it must still be necessary to hold it and you must be prepared to give subject access to it and comply with the data protection principles’. BIBA thinks that this conflicts with point 2 of the same section.


 


In reference to page 15, Security of shared information, BIBA would query whether there should not be a duty on the seller to ensure the buyer has comparable security?


 


On page 16, Access to personal information, point 2 under points to remember, it is stated that ‘For most records, you can charge a fee of £10 and you must give access within 40 calendar days’. BIBA would question this as if we are charged a fee for data, should we not be paid for providing it?


 


 



  20. What impact in your view have technological advances had on the sharing and protection of personal information? Please provide examples.

There are many problems with spam emails and data capture taking place without the permission or knowledge of the individual. In many cases the client is unable to identify who sold his data to another firm. Spyware is also a concern.


 



  21. Should the law mandate specific technical safeguards for protecting personal information? For example, should there be an explicit requirement that all personal information held on portable devices be encrypted to a particular standard?

Yes. We first must understand why personal data is on portable equipment, but we do believe that these portable devices should be encrypted to a particular standard. However, trying to agree on a standard that will stand the course of time is challenging, and therefore an over-arching principle saying ‘up to date effective encryption system’ would be an easier solution.


 



  22. How, in your view, could ‘privacy enhancing techniques’, such as the anonymisation or pseudonymisation of personal information, help safeguard personal privacy, whilst facilitating activities such as performing medical research? Is there sufficient advice about the deployment of such techniques available? Are you confident about using them? What are the barriers to using them?

BIBA feels it inappropriate to comment.


 


 


Section 6: International comparisons


 



  23. Are you aware of any jurisdictions whose legal framework for sharing and protecting personal information contains features that could be useful in a UK context? Please provide examples.

BIBA feels it inappropriate to comment.


 



  24. Do you have any international examples of good practice in the sharing of personal information that could or should be adopted by the UK?

BIBA feels it inappropriate to comment.


 



  25. Do you have any knowledge of jurisdictions that have adopted a particularly permissive or restrictive approach to sharing personal information? What have the consequences of this been?

BIBA feels it inappropriate to comment.


 



  26. Are you aware of significant differences in public attitudes to the sharing of personal information in other countries? Please provide examples and an explanation for why you believe this to be the case.

BIBA feels it inappropriate to comment.


 


 


Section 7: Additional questions


 



  27. Are there any additional issues on the sharing of personal information and protection of personal information that this review should be considering? Do any of these issues apply specifically to your sector?

Please see our earlier answer to question 7.


 



  28. Please set out any additional suggestions or observations you have that you believe will be of assistance to the review.

Information is also passed on to insurance industry anti-fraud databases like the CUE (Claims Underwriting Exchange) and MIAFTR (Motor Insurance Anti Fraud and Theft Register). Information is also passed on to the MID (Motor Insurance Database), although these databases are compliant with the DPA and we have no concerns.


 


Thank you for taking the time to consider our response. If you have any further queries please contact BIBA’s Head of Technical Services Peter Staddon on 02073970204 or staddonp@biba.org.uk, or BIBA’s Technical and Corporate Affairs Executive Graeme Trudgill on 02073970218 or trudgillg@biba.org.uk for further information.


 


Yours sincerely


 


 


Eric Galbraith


Chief Executive


Direct Tel:  020 7397 0201


Direct Fax: 020 7626 9676


Email: galbraithe@biba.org.uk