In this article we examine some of the duties on insurers under the General Data Protection Regulation and Data Protection Act 2018 in the context of pre-action personal injury claims.
Insurers must be careful to meet their duties under the GDPR/DPA. The duties differ depending on whether the insurer is considered a controller or a processor, with a controller being subject to the most onerous level of compliance responsibility.
"Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
The GDPR and DPA require personal data to be processed lawfully, fairly and in a transparent manner, and on the basis of the data subject's consent or another specified basis. The term ‘processing’ includes sharing the data with independent legal advisors/loss adjustors or disclosure in a proposed civil claim.
Insurers must identify, and keep a written record of, the lawful basis relied upon before that data is processed. Data must be processed in a targeted and proportionate manner to achieve the purpose.