Under the Data Protection Act 1998 (DPA), non-sensitive personal data (such as a living individual’s date of birth, postal address, telephone number, photo and video footage) must be processed in a way that complies with the eight data protection principles.
There are additional requirements if the data being processed is of a sensitive personal nature (ie, data relating to the subject’s racial or ethnic origin; political opinions; religious or similar beliefs; trade union membership; physical or mental health or condition; sexual life; offences or proceedings for any offence committed or alleged to have been committed and the disposal of proceedings or sentence passed).
Sensitive personal data is very often the root cause of privacy issues but do data controllers engaged in the investigation of suspicious and fraudulent insurance claims really understand what all of this means?
There is no doubt (in a world where requests for information made in accordance with section 29(3) DPA are as commonplace as confetti at a wedding) that the vast majority of insurers, personal injury lawyers and second tier suppliers such as investigators are aware of section 29(3) of the Act; but ask most (especially those working in predominantly process driven claims environments) about the eight data protection principles and you are likely to draw a blank.
The Act is notoriously complex. The question is, do they really understand how and why it provides them with the gateway to information that they may not otherwise be entitled to? If not, will this lack of understanding result in requests for information that fall foul of the law and constitute no more than a fishing expedition?
The eight data protection principles are set out below:
Principle 1: Data must be processed “fairly and legally”.
Principle 2: Data must be processed for limited purposes and in an appropriate way
Principle 3: The processing must be relevant and sufficient for the purpose
Principle 4: The data being processed must be accurate
Principle 5: Data must not be kept for any longer than is necessary
Principle 6: Data must be processed in line with an individual’s rights
Principle 7: The processing must be done in a way that is secure
Principle 8: Data must only be transferred to countries that have suitable data protection controls.
Principle 1 is by far the most important principle and although there is very little case law on data protection, that which exists focuses primarily on principle 1. However, rather than telling us what is meant by “fair and legal”, it focuses instead on what is not “fair” and what is not “legal”.
This being so, if an insurer is able to rely on one of the exemptions contained within section 29(3) of the Act then the processing of non-sensitive personal data does not need to comply with principle 1.
Section 29(3) states that data processed for: (a) the prevention and detection of a crime; (b) the apprehension or prosecution of offenders; or (c) the assessment or collection of any tax or duty or of any imposition of a similar nature is exempt from the 1st data principle but only to the extent that it causes prejudice.
Clearly therefore, if the information that you (as data controller) wish to process relates to the investigation of an insurance fraud you will not be wanting to seek the data subject’s consent because that is likely to tip him off and prejudice the investigation. It could lead to key evidence being lost and the dissipation of funds. But can it be argued that an insurance fraud is a crime? Yes it can.
Defrauding an insurance company will usually involve an element of dishonesty and wherever there is dishonesty, there is usually an associated crime. Examples include: fraud by false representation (section 2 Fraud Act 2006); fraud by failure to disclose information where there is a legal duty to do so (section 3 Fraud Act 2006); fraud by abuse of position (section 4 Fraud Act 2006); obtaining services by deception (section 11 Fraud Act 2006) or you may even be dealing with a simple Theft Act offence.
However, what about those cases that start out as an investigation into a potential insurance fraud but stop short of discovery of a criminal act? Would a data controller be exempt from principle 1 in that sort of scenario? There is a strong argument to say that investigating honestly made claims which bear all the hall marks of a fraud (but ultimately turn out not to be a fraud) is also investigation of a criminal activity.
However, fishing expeditions (which seem to have become the norm these days) do not fall within the exemptions contained in section 29(3) and anyone that engages in that sort of practice could be found to be in breach.
Being a data controller carries with it serious legal responsibilities including ensuring compliance and the key to getting it right is to ensure that privacy and data compliance is designed into your information holding systems, coupled with training your staff in the relevant areas.