LMA GUIDANCE: GDPR CORE USES INFORMATION NOTICE

Transcription

1 LMA GUIDANCE: GDPR CORE USES INFORMATION NOTICE FEBRUARY 2018

2 NOTE: This guidance and the Lndn Market Cre Uses Infrmatin Ntice will be updated when the UK Data Prtectin Bill is enacted the Bill currently cntains a new prcessing grund fr special categry persnal data see LMA bulletin dated 22 January 2018 fr details. INTRODUCTION The EU General Data Prtectin Regulatin ( GDPR ) will replace the UK Data Prtectin Act 1998 and brings with it new requirements. All data cntrllers (see data cntrller and data prcessrs sectin belw) are required t explain t cnsumers in an infrmatin ntice what persnal data they cllect, what it is used fr, and the legal grunds fr prcessing such data, which in sme circumstances may be the grund f explicit cnsent f the cnsumer r ther data subject. This creates specific prblems fr the insurance industry and, in particular, the Llyd s and Lndn Market ( the Market ), where there can be ften multiple data cntrllers wh pass persnal data between each ther. The full list f requirements fr an infrmatin ntice can be fund at The Cre Uses Infrmatin Ntice is designed t explain t cnsumers the cmplexities f the Market and hw persnal data may be prcessed by the varius data cntrllers. Fr the purpses f the GDPR, cnsumers are referred t as data subjects, and include plicyhlders, beneficiaries, claimants r witnesses. Prcessing includes the gathering, recrding, string, use and erasure f persnal data. This guidance sets ut the backgrund t the Cre Uses Infrmatin Ntice and hw it shuld be used by insurance market participants. The Cre Uses Infrmatin Ntice has been develped by the crss-market GDPR Fcus Grup led by the Llyd s Market Assciatin ( LMA ), and will be reviewed quarterly. This guidance has been develped by the LMA and Nrtn Rse Fulbright. DATA CONTROLLERS AND DATA PROCESSORS The legal requirement t give an infrmatin ntice/btain cnsent under the GDPR applies t data cntrllers. Where an insurance market participant is acting as a data prcessr f a data cntrller, n such requirement applies, althugh the data cntrller can agree with the data prcessr that the data prcessr will give ntice/btain cnsent n its behalf (particularly if the data prcessr has an interface with the data subject and the data cntrller des nt). The Infrmatin Cmmissiner s Office ( ICO ) current guidance n whether an rganisatin is acting as a data cntrller r data prcessr in a particular cntext can be fund at The table belw sets ut a summary f the key factrs relevant t the classificatin and sme examples f the likely characterisatin f insurance market participants in different cntexts. Please nte that the determinatin is always a questin f fact and the examples cited belw may differ depending n cntext. 1

3 Classificatin / GDPR Definitin Data Cntrller determines the purpses and means f the prcessing f persnal data Factrs Relevant t Classificatin Determines the purpses fr which and the manner in which persnal data is prcessed Exercises verall cntrl ver the why and the hw f persnal data prcessing activity Is the party that decides: t cllect the persnal data in the first place which individuals persnal data t cllect the categries f persnal data t cllect the purpse fr which the data is used whether and t whm t disclse the data hw lng t retain the data r whether t make nn-rutine amendments t the data Where legal bligatins, regulatins r market practices require a party t make the abve determinatins this may tip the balance twards them being cnsidered t be a data cntrller (e.g. if an insurance market participant is expected t retain data and prvide it if there is a dispute between parties) Insurance Market Participant Examples An insurer under an Insurance Agreement Bth insurer and insurance brker under a Terms f Business Agreement (TOBA) Bth insurer and cverhlder under a Binding Authrity Agreement Bth reinsurer and reinsurance brker under a Reinsurance Agreement Jint- Cntrller tw r mre data cntrllers that jintly determine the purpses and means f the prcessing f persnal data Data Prcessr prcesses persnal data n behalf f the data cntrller Wrks with anther jint-cntrller tward an verarching unified purpse (even if each jintcntrller has different discrete data prcessing tasks) Jintly determines with anther data cntrller, the purpses fr which, and the manner in which, persnal data is prcessed (i.e. makes the same data cntrller decisins listed abve, but jintly with anther data cntrller) Prcesses persnal data n behalf f, and as directed by, anther rganisatin fr purpses determined by that ther rganisatin May retain sme discretin as t the perfrmance f its tasks, subject t the terms f its cntract with the data cntrller (e.g. chsing I.T systems used fr prcessing data, hw t stre data, which analytical methds t use, what infrmatin security cntrls t apply), withut exercising verall cntrl f the persnal data r the purpses fr which it is prcessed Third Party Administratr (prcessr) n behalf f an insurer (cntrller) under a Third Party Administratr Agreement (TPA) 2

4 THE CORE USES INFORMATION NOTICE AS PART OF A LAYERED APPROACH The Cre Uses Infrmatin Ntice cvers the cre uses f persnal data required t allw the insurance market t perate efficiently. These cre uses are uses and disclsures that, withut which, risks culd nt be underwritten, checked fr fraud r paid ut n. Hwever, the Cre Uses Infrmatin Ntice des nt prvide a cmplete slutin because: a) the cre uses d nt include less fundamental uses such as marketing; and b) the Cre Uses Infrmatin Ntice itself des nt cntain details f the individual insurance market participant s data prtectin cntact (see link t ICO website in the intrductin sectin fr details f this requirement). Therefre, the Cre Uses Infrmatin Ntice can be thught f as the third layer in a three layer apprach t infrmatin ntices. Layered apprach Layer Ntice type Links Layer 1 Layer 2 Shrt Frm Ntice Insurance Market Participant s wn Lng Frm Infrmatin Ntice/ Privacy Plicy (which wuld nrmally reside n their website) links t Layer 2 and ptentially Layer 3 links t Layer 3 Layer 3 Cre Uses Infrmatin Ntice Layer 1 The first layer is a Shrt Frm Ntice which wuld typically be prvided in prpsal frms, plicy wrdings and agreements with cnsumers r clients. The Shrt Frm Ntice shuld als allw insurance market participants t btain cnsent where necessary (see Meeting GDPR Infrmatin Ntice and Cnsent Requirements belw). The Shrt Frm Ntice wuld prvide key basic data prtectin infrmatin and direct cnsumers t ther surces fr further infrmatin. One such surce will be the Cre Uses Infrmatin Ntice. The LMA will be publishing mdel wrdings relevant t Layer 1 during March. Layer 2 The Cre Uses Infrmatin Ntice des nt cntain details f the insurance market participant s data prtectin cntact r any nn-cre uses f persnal data, s the insurance market participant will need t prvide a secnd layer by giving its wn specific infrmatin ntice/privacy plicy prviding thse cntact details and explaining thse uses. That secnd layer may repeat sectins f the Cre Uses Infrmatin Ntice and shuld clearly signpst the Cre Uses Infrmatin Ntice using wrding such as 3

5 the fllwing: Insurance invlves the use and disclsure f yur persnal data by varius insurance market participants such as intermediaries, insurers and reinsurers. The Lndn Insurance Market Cre Uses Infrmatin Ntice [insert link t the Cre Uses Infrmatin Ntice] sets ut thse cre necessary persnal data uses and disclsures. Our cre uses and disclsures are cnsistent with the Lndn Market Cre Uses Infrmatin Ntice. We recmmend yu review this ntice. This means the Cre Uses Infrmatin Ntice will generally be linked frm the insurance market participant s wn infrmatin ntice r privacy plicy. Layer 3 This is the Cre Uses Infrmatin Ntice which is currently published n the LMA s GDPR webpage. It is a wrking draft and will be updated quarterly as final rules and guidance becme clear. Later in 2018, the Cre Uses Infrmatin Ntice will be hsted n the Lndn Market Grup s website as a dynamic and interactive GDPR webpage. MEETING GDPR INFORMATION NOTICE AND CONSENT REQUIREMENTS The GDPR requires data cntrllers t prvide detailed infrmatin ntices which describe the uses and grunds relied n fr prcessing persnal data. Sme f the persnal data prcessed fr the cre purpses culd be special categry persnal data, such as health infrmatin r infrmatin relating t criminal cnvictins, and fr sme purpses, that special categry persnal data can nly be prcessed with the explicit cnsent f the related data subject, because there is n ther apprpriate legal grund t rely n. Data subjects may withdraw their cnsent and the insurance cntract r insurance related services may have t cease if they d s 1. Given the way the insurance market wrks, with reinsurance ften taking place after the initial plicy has been underwritten, and the pssibility f claims payments, it is nt pssible t identify which insurance market participant will receive the data when the data is initially cllected r wh will be invlved at claims stages. Therefre a cascade-type mechanism is used whereby the insurance market participant that initially cllects the data subject s persnal data must tell him/her which ther cntrllers it has disclsed any f that persnal data t; and if that disclsee has further disclsed it, the disclsee must tell the data subject n request wh it has disclsed it t. The Cre Uses Infrmatin Ntice therefre wrks n the basis that data subjects will be able t identify data cntrllers at apprpriate times by making enquiries thrugh Layer 1 and/r 2, even where all relevant cntrllers culd nt be named at the utset. T make the system wrk, all insurance market participants using the Cre Uses Infrmatin Ntice must cmply with this mechanism (sectin 4 f the ntice). The cnsent wrding in the Cre Uses Infrmatin Ntice (sectin 6 f the Ntice) cvers nt just the insurance market participant with the interface with the data subject but the prcessing f ther insurance market participants dwn the chain n an unnamed basis, until the data subject requests the identity f the ther data cntrllers. 1 See LMA bulletin f 22 January 2018 relating t the prpsed UK Data Prtectin Bill insurance prcessing grund this guidance will be updated when the Bill is enacted. 4

6 The Cre Uses Infrmatin Ntice n its wn, r a link t the Cre Uses Infrmatin Ntice in a dcument, des nt btain GDPR cnsent. Where cnsent is required, prminent and cmpact cnsent wrding needs t be built int dcumentatin prvided t the data subject s that there is n dubt he/she has seen it and cnsented t it t meet the GDPR cnsent standard. This will be facilitated by apprpriate use f the first layer described abve, ensuring the first layer ntice refers nt just t the specific insurance market participant with the interface but als ther insurance market participants cre uses in general terms. OTHER CONSIDERATIONS Given that insurance market participants may nt have had an interface with claimants, witnesses, r ther third party data subjects until a claim ccurs, and that, in sme cases, grup plicyhlders may have neglected t meet the crrect ntice and cnsent requirements in respect f thse data subjects, all insurance market participants shuld include the shrt frm wrding in all claims frms as well as prpsal frms r ther frms thrugh which persnal data is cllected. Insurance market participants shuld cnsider including links t their wn privacy ntices in fters. In rder t reduce bth the regulatry burden and the severity f any data lss, all insurance market participants shuld limit the amunt f persnal data they disclse t ther market participants t the minimum necessary t achieve the stated purpse in the Cre Uses Infrmatin Ntice. The Cre Uses Infrmatin Ntice cntains a general descriptin f prfiling and autmated decisin making (sectin 7), retentin perids (sectin 8) and internatinal transfers (sectin 9) that might be undertaken by insurance market participants. Insurance market participants may include mre specific details n these tpics in their wn ntice. CONTACT US Steve Mrrell Head f Regulatry Affairs Cmpany Secretary Tel: +44 (0) steve.mrrell@lmallyds.cm Manreet Sher Senir Executive Legal & Cmpliance Tel: +44 (0) manreet.sher@lmallyds.cm 5