Data Protection Bill

Written evidence submitted by the Association of British Insurers (ABI) (DPB28)


1. The ABI and its members support the overall objective of this Bill to implement the EU General Data Protection Regulation (GDPR) ahead of its enforcement from 25 May 2018.

2. We welcome the substantial debate around key issues within the Bill to date and, in particular, welcome the amendments introduced to the Bill to Schedule 1 pertaining to insurance contracts. Lord Ashton, in presenting the amendments to the House of Lords recognised that, "the availability of ensuring products at a reasonable cost to members of the public through risk-based pricing, the detection of fraudulent activity and the effective and administration and payment of claims are matters in the substantial public interest."

Using data to underwrite risk:

3. Insurers process health data to assess risk, set the prices and terms and handle claims for mainstream products such as motor, health and travel insurance, as well as products with more niche benefits, such as enhanced annuities, which provide a higher level of guaranteed income for those in poor health.

4. Insurers also need to process criminal conviction data for the purposes of underwriting insurance. As an example, for motor insurance, people are asked whether they have any motoring convictions, to ensure that the policy is properly priced for the level of risk.

Processing necessary for an insurance purpose:

5. As it presently stands Schedule 1, Part 2, Clause 15, allows for the processing of data for the purposes of insurance contracts and the uninterrupted provision of insurance products to UK consumer, as within the substantial public interest. The insurance industry, including the ABI and the Lloyd’s Market Association are supportive of this element of the Bill as amended in the House of Lords as it allows for the necessary processing of data in the interests of customers and businesses.

6. The Information Commissioner’s Office (ICO) have also supported this view, and the Bill sets out a number of safeguards through which to protect consumers. Key amongst these is that the processing must be "necessary" for the insurance process and when not directly related to the policy-holder, the insurer must prove that they cannot reasonably be expected to obtain consent or that they are not aware that consent has been withheld.

7. The insurance industry also welcomes the amendments to Schedule 1, Part 2 of the Bill (in particular Amendments 79-81, and 87) which clarify a number of conditions for the processing of special category date in the prevention of fraud and unlawful activity and consent requirements.

8. There do however remain some concerns over clarity for the Motor Insurance Bureau, which handles claims when a party is uninsured, to process special category data within the provisions of the Bill and we urge government clarify its intentions in this regard.

9. These provisions as drafted within the Bill, both simplify and ease the customer journey when purchasing insurance, particularly when purchasing packaged products, or for jointly-held policies and third-party liability cover. It also takes into account the need for data to be handled at the various stages of a policy life-cycle such as underwriting, claims handling and reinsurance, whilst providing necessary safeguards for consumers regarding the use of their data.

Records relating to health data (Clause 181 &182)

10. The Insurance industry remains concerned about sections 181 and 182 of the Bill, which as presently drafted would make it an offence to require a person to produce a health record, through what is known as a Subject Access Request, as a condition of providing a service.

11. The ABI therefore strongly supports the inclusion of amendments 127 and 128 to Schedule 17 which seeks to clarify the definition of health records to "those obtained by a data subject in the exercise of a data subject access right’.

12. As part of providing insurance services, insurers will often require health information on the insured or a claimant under a policy to either assess the risk when underwriting or to validate and process a claim.

13. The Bill must provide any certainty for insurers that a consent-based request to obtain specific targeted health information required for underwriting a policy and/or processing a claim would not be considered a Subject Access Request.

14. If all requests for targeted health information were deemed to be a Subject Access Request it would have serious implications for insurers and consumers in the processing of health records for the purposes of a policy or processing a claim. Furthermore, this may cause unnecessary delays for consumers in the authorisation and processing of claims.

15. Within Schedule 1 of the Bill as amended by the House of Lords, such processing, of limited and necessary health data would be deemed to be within the substantial public interest and necessary for the purposes of the contract.

16. In addition, the consumer would be protected by the same safeguards as outlined within this Schedule requiring that insurers assess the necessity of information required for processing.

Ensuring data continuity after Brexit

17. With the concurrent passage of the European Union (Withdrawal) Bill and Data Protection Bill, we support the overall objective of ensuring continuity of the UK legal framework upon leaving the European Union. There are however, a number of key issues arising from Brexit that should be considered for the long-term implementation and enforcement of GDPR.

18. Currently, UK companies are free to transfer personal data across borders under the terms of the EU membership. Once the UK leaves the EU, the UK would be considered a third country using the Binding Corporate Rules as stated in Chapter 5 of GDPR. The Binding Corporate Rules were developed by the EU to allow multi-national corporations and company groups, outside of the EU, make intra-organisational transfers of personal data across borders in compliance with EU data protection law.

19. Post-Brexit, individual companies in the UK will need seek authorisation from an EU ICO to transfer data across borders. This process takes time and could result in long queues as companies rush to apply for authorisation within a narrow time frame.

20. The continued ability to transfer data between firms in different jurisdictions post-Brexit is of particular importance to insurance and long-term savings providers who rely on data to provide their customers with the best insurance product at the best price. If insurers are unable to transfer data into or outside of the UK, then insurers will be unable to handle claims and meet existing contractual legal obligations

21. It is vital that the UK receives adequacy from the EU for GDPR to function as intended. An agreement with the EU must be reached for the duration of the transition period and for cross border data flows in any UK-EU FTA after the transition period.

About the ABI

The Association of British Insurers (ABI) is the voice of the UK’s world leading insurance and long-term savings industry. A productive, inclusive and thriving sector, we are an industry that provides peace of mind to households and businesses across the UK and powers the growth of local and regional economies by enabling trade, risk taking, investment and innovation.

March 2018


Prepared 13th March 2018