On 30 May 2011 the Data Protection Commissioner published his annual report for 2010, including the outcome of a special investigation into use of the Insurance Link database by the insurance claims handling sector, prompted by concerns that there had been potential breaches of the Data Protection Acts 1998 and 2003.
The Office of the Data Protection Commissioner carried out an audit of Insurance Link. The striking outcome of its investigation was a lack of transparency, and it concluded that the existence of a database containing information on almost two and a half million claims needs to be clearly referenced and signposted by the insurance sector so that members of the public can easily obtain more information on Insurance Link and its purposes. The Data Protection Commissioner expects the lack of transparency to be addressed immediately, and expressed concern that in the absence of such transparency the operation of the database does not comply with the Data Protection Acts. In particular, the Data Protection Commissioner expressed concern in relation to the indefinite retention of records, the practice of uploading “pre-claims” data, access levels within member organisations and evidence that member organisations were sharing information about claims without the knowledge or consent of the data subject.
The Data Protection Commissioner made the following recommendations aimed at making the operation of the database more transparent:
- The practice of uploading pre-claims data should cease immediately and all pre-claims data previously uploaded must be removed within an agreed timeframe. Furthermore, the practice of conducting checks based on pre-claims data without adequate justification must cease
- Insurance Link must be directly referenced on relevant documentation used by insurance companies and self-insured. It should be clear to the claimant that their claim will be placed on Insurance Link
- The existence of Insurance Link should be explicitly highlighted on a dedicated website and should be directly referenced on the Irish Insurance Federation website
- It is not legitimate to use Insurance Link at policy quotation stage to examine personal data
- Claims files should only be released to another insurance entity on foot of a court order or the explicit consent of the data subject
- Members of Insurance Link need to instigate a programme of pro-active monitoring of access to the database and the extent of users’ access should be reviewed regularly
- Actual amounts paid in claims should not be uploaded and any such data already entered should be deleted
- All personal data over ten years old on Insurance Link should be removed other than in exceptional circumstances
- Members of the public must be made aware of their right to obtain a copy of any data held about them on Insurance Link
- Training in relation to data protection legislation should be in place for all employees and internal guidance/procedures clearly setting out the appropriate use and purpose of Insurance Link should be put in place in each organisation.
The Insurance Industry Federation has indicated that its members have taken corrective action where possible and that it is continuing to work with the Office of the Data Protection Commissioner to resolve any outstanding issues. Where Insurance Link members have not yet taken steps to ensure compliance with the Data Protection Commissioner’s recommendations, immediate action should be taken.