Insurers breached data rules

Staff at insurance companies inappropriately accessed data to examine the claims history of family, friends and a number of celebrities, a major investigation into data protection in the industry has found. The inquiry identified an “unprecedented” number of data protection law breaches.

As well as inappropriately sharing data, some insurance companies were found to be accessing an industry-wide insurance claims database prior to making a policy quote.

The commissioner considers all such background checks at policy proposal stage a breach of data protection legislation and has ordered insurers to cease this practice.

The investigation by the Office of the Data Protection Commissioner is one of the largest and most comprehensive undertaken by the agency. Its findings will be published as part of the office’s annual report later this year.

At least one of the celebrities whose claims history was inappropriately accessed is a high-profile sportsperson, while another works in broadcasting. The checks in relation to them were not linked to any insurance claim.

It is understood disciplinary action was taken by the insurance companies against the employees involved.

Following the investigation, insurers have been ordered to remove some data held on Insurance Link, a shared claims database holding details of 2.4 million cases.

This database can be accessed by all insurers and is used to guard against fraudulent claims. The data commissioner’s office threatened legal action if insurers failed to remove the data and it is understood they have agreed to do so.

“Pre-claims” are initial inquiries by customers who often do not proceed with a claim.

Insurers have also been ordered to immediately cease the routine uploading of pre-claims data, an industry term referring to the notification of an incident such as a crash to an insurer in advance of a claim.

In many cases a pre-claim is an inquiry regarding the implications for a policy if a claim is made and the customer does not proceed. However, the report found examples of pre-claims being recorded on Insurance Link as if they were a claim.

Should a customer go on to make a legitimate claim on a separate matter, the pre-claim would be listed and this customer may be considered to have withheld information that affects the validity of the policy.

The commissioner found this practice was prevalent throughout the sector and in breach of the Data Protection Acts. It has ordered all pre-claim files to be removed from Insurance Link.

The draft report found one company had uploaded more than 30,000 pre-claim files with no valid basis.

The report suggests many of the breaches may have arisen due to confusion among claims handlers about whether such disclosure is legal. It found no evidence of an insurer deliberately seeking to breach data protection legislation.

Insurance Link was found to hold data going back to its establishment in 1987. The commissioner says it is illegitimate to hold data on a “just in case basis” and ordered that all data older than 10 years, and all files with no activity over the past five years, be deleted.

It also found the database was being used for purposes “beyond the consent originally obtained from individuals” and that some insurers were using it prior to a policy quotation.

The report found no evidence consent had been secured from individuals for their claims history to be examined on Insurance Link before a policy proposal, or for their files to be disclosed to third parties.

The Insurance Link data can be accessed by insurers and also a number of self-insured agencies including CIE, Eircom, ESB, Dunnes Stores, Irish Public Bodies Taskforce, An Post, Cork City Council and South Dublin County Council.

The report says one of the above organisations initially refused to co-operate with the commissioner’s report, claiming that data protection law did not apply to it. The commissioner may decide to name this company in its annual report.

The ODPC also criticised insurers for allowing a high proportion of staff login access to the database, saying in many cases this was not required for their work.

The commissioner noted the striking lack of transparency and public knowledge about Insurance Link and the data it holds and called on insurers to address this.

David Labanyi

David Labanyi is the Head of Audience with The Irish Times