UBI service providers won’t be bullied by data privacy regulations
At a meeting of the UK UBI sector earlier this month, there was a very interesting discussion on what is required of UBI service providers (“TSPs”) when they receive requests for their telematics data. The debate centred on what sort of data is typically requested from insurers or TSPs, and what their legal obligations are when providing that data.
The short answer was that legal obligations to supply personal data held on telematics devices are rare and exist only in very specific circumstances. In fact, the defendant legal community anticipated a wave of claimant solicitors fishing for telematics data when determining whether or not to bring a claim, but by and large this has not happened.
The driver is first on the list for such requests since, in Europe, we have a fundamental right to access our own data, known as the right of subject access. However, insurers and TSPs often struggle to comply with such requests, since UBI cannot always ascertain the identity of the driver at the wheel. Individuals have a right to access their own personal data but not that of other people.
Police often make requests for telematics data when trying to pin down the precise location of a suspect at a particular time. However, there is no obligation to provide this to the police in the absence of a court order.
We also heard a lot about the draft European Data Protection Regulation introducing a right of “portability” for personal data. This was reportedly targeted at social media sites so that users could switch more easily. The potential effects of this on other industries have, however, sunk in, and the latest draft added the caveat “if technically possible” to the right, which does dramatically water it down. So, again, the UBI industry can breathe a sigh of relief … for the time being.
Can users now request we delete their telematics data?
Another sound bite coming from the European Data Protection Regulation, which has now been in draft form and debated for over 3 years, concerns the new “right to be forgotten”.
This right has been much debated recently due to the case against Google in the ECJ, where the ECJ ruled that Google should consider requests from individuals for certain links to their personal data not to appear through the Google search engine. Google need to consider in each case whether keeping the link to the offending webpage is in the public interest or not.
Although both the current draft of the regulation and this case against Google have raised awareness of an individual’s right to request that their data be deleted, the effects of this on many organisations (with the exception of Google) are minimal.
As the law currently stands, organisations should keep data only for limited purposes and no longer than is necessary, and in certain limited circumstances should delete the data if holding it is causing unwarranted damage and distress. As a general rule, if an insurance company has an FCA (Financial Conduct Authority) obligation to keep data for a certain period of time and it is reasonable to do so for business or regulatory reasons, then the individual has no right to request that it be deleted.
The draft regulation also increases the threshold for “consent” when it is required to process personal data. It is a common misconception that consent is always required to process personal data, but this is not the case. Although there are very few exemptions from having to give clear notices to individuals detailing what you are going to do with their personal data, consent to processing personal data is only required in certain circumstances.
There are many processing conditions under the Data Protection Act; consent is only one of them. An alternative to consent is where processing personal data is necessary for the purposes of a contract, which would be the case, for example, if an individual has knowingly chosen to take a UBI policy. Consent alone is rarely a useful processing condition as it can be withdrawn.
There is no doubt that these developments and news stories have increased awareness of, and sensitivity towards, personal data processing. It is good practice to implement disclosure policies and data retention and destruction policies, and to ensure they are known, understood and followed across the various departments of your organisation.
This blog is based on a presentation by Rhiannon Davies of DAC Beachcroft LLP at a conference on UBI in London in February.