Many of us working in the field of fraudulent insurance and legal claims have been wondering with trepidation what the future holds for the industry-accepted best practice of sharing information about suspected fraud in claims investigation. Provisions in the new Data Protection Bill 2017-19 making its way through parliament may be the first signs of reassurance that all may be well.
Data sharing in the investigation of suspected fraud is crucial, and it is no surprise that it featured prominently within the recommendations of the Insurance Fraud Taskforce. S29 of the Data Protection Act 1998 (DPA) provides a crime exemption to the non-disclosure provisions of the Act, available in circumstances where the public interest requires disclosure of personal data which may otherwise be in breach of the Act. Intel gathering is widely used by the insurance, legal and law enforcement industries for crime prevention and detection. There are significant tests and decisions to be made, and caution to be exercised, before any such disclosure should be made which could otherwise be in breach of the DPA. S29 is not an automatic exemption, but nevertheless it is an extremely useful legal provision in the fight against fraudulent claims. It is an important part of any investigation used to build the evidential picture surrounding claims of a suspicious nature. To underline its importance, best practice has to date been adopted by all significant stakeholders to ensure a cross-industry standard.
The General Data Protection Regulation (GDPR) is a new EU legal framework which will apply directly in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. It will replace the DPA with immediate effect. The GDPR does not include an exemption for the prevention of crime similar to s29 DPA. Nor does it apply to processing covered by the Law Enforcement Directive, which is aimed at the processing of personal data by “competent authorities” for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. Such “competent authorities” are public authorities like judicial, police or other law-enforcement authorities and do not appear to include insurers or lawyers investigating suspected fraudulent claims. Processing by insurers or lawyers would therefore be regulated by the GDPR.
National derogations, as exceptions to the GDPR, are permitted in the UK, similar to exemptions from rights and duties in the DPA. The prevention, investigation, detection or prosecution of criminal offences is a permitted situation for derogation, amongst others, in a democratic society. In September, the UK published the Data Protection Bill 2017-19, which is making its way through parliament. It contains some exemptions pursuant to the permitted derogations, most notably Schedule 2 Part 1 of the Bill, contained almost at the end, on page 124 of the Bill as introduced. The Schedule is drafted to contain exemptions from the GDPR and Part 1 to contain the anticipated “crime and taxation: general” exemption. Its wording will be familiar to those of us used to working with s29 of the DPA.
The Bill has much progress to make and things may change. Careful analysis will be needed and the Information Commissioner’s Office may well produce guidance or a code of practice that may be relevant. We say no more at this stage other than to say that this is a provision to watch with interest, and BLM will be doing so and sharing any developments with you in due course.