
Data protection

  • 26-04-2017 9:27am
    #1
    Registered Users, Registered Users 2 Posts: 12,133 ✭✭✭✭


    I have received notice from my insurer that they are no longer offering new policies or renewing any from a certain date.
    That's fine but they have stated that they will be passing details to another insurance company and unless I don't wish for my details to be passed, it is up to me to state this.

    Surely the onus should be on my current insurers to get my permission to pass this info on rather than put it back on me?
    Where does this fit within data protection standards or would the fact they may be using the same underwriters (*this part I am unsure of) give them the option to disclose information among the 2 companies?

    I have nothing to hide - never had any penalty points or fines etc. so it's something I'm curious about more than anything.


Comments

  • Closed Accounts Posts: 2,948 ✭✭✭gizmo555


    Since your present insurer is offering you the option to refuse to have your data shared with the other company, this would seem to imply their assumed basis for the proposed data transfer is your consent.

    Then the question is, would silence or a failure by you to reply to their notice constitute consent to the disclosure of your data? The answer is no. Furthermore, the other insurer would not have a proper basis to receive it and further process it in any way. The possibility that they might use the same underwriter which would separately have data relating to you is irrelevant.


  • Registered Users, Registered Users 2 Posts: 12,133 ✭✭✭✭GBX


    So this is the reply I got from the Data Protection Commissioner:

    Dear

    I acknowledge receipt of your email dated the 25th of April, 2017 in
    relation to X Insurance Services ("X").

    Please note that, under the Data Protection Acts 1988 & 2003 ("the Acts"),
    a data controller (ie. an entity that keeps, and controls the contents and
    use of, personal data - X, in this instance) is under a number of
    obligations in respect of the personal data it controls. In particular,
    under section 2(1)(a) of the Acts, a data controller is obliged to process
    personal data fairly. The term "processing" is defined in the Acts as the
    performance of any operation or set of operations upon the data, and would
    include "disclosing the data by transmitting, disseminating or otherwise
    making it available" (as per section 1 of the Acts). The requirement that
    any such processing be carried out "fairly" would, generally speaking,
    ordinarily entail some element of consent on the part of the data subject
    (ie. the individual whose personal data is being processed).

    However, it should be noted that data subject consent is not the only basis
    on which personal data may be processed under the Acts, and the Acts
    specifically provide for a number of scenarios in which personal data may
    be processed without the consent of the data subject. For example, under
    section 2A(1)(d) of the Acts, personal data may be processed (including
    being disclosed) where the processing is "...necessary for the purposes of
    the legitimate interests pursued by the data controller or by a third party
    or parties to whom the data are disclosed, except where the processing is
    unwarranted in any particular case by reason of prejudice to the
    fundamental rights and freedoms or legitimate interests of the data
    subject". It may be the case that X has formed the view that it
    has a legitimate basis for the processing of your personal data at issue in
    this instance under the foregoing (or another) provision of the Acts.

    If you are concerned in relation to the manner in which your personal data
    is being processed by a data controller, in the first instance you should
    afford the data controller an opportunity to address those concerns
    directly. Accordingly you may wish to contact X and request that
    it specify in writing the basis (eg. legal, statutory, etc) on which it
    proposes to process your personal data in the manner which is causing you
    concern. If you are dissatisfied with any response you receive, you may
    revert to this Office and provide us with copies of any relevant
    correspondence exchanged with the data controller in this regard, at which
    point we will be in a position to assess the matter further. If you do have
    cause to revert to us, we would also be obliged to receive a copy of the
    original correspondence from X in this regard, an extract from
    which you have reproduced in your email to us.

    Notwithstanding the above, I note that X has offered you the
    opportunity to withhold your consent to the processing of your personal
    data in this instance. Needless to say if you do not wish X to
    share your personal data with AB, you should inform it
    accordingly.

    Please note that for this Office to fully assess any complaint of this
    nature that we receive, we require the following information:

    - documentary evidence to support the allegation being made
    - copy of relevant correspondence exchanged with the data controller on
      the matter

    I hope this is of some assistance.

    Yours sincerely,

    YZ
    Information and Assessment Unit


    I'm still confused :confused: - They can share data but I must request they don't?


  • Registered Users, Registered Users 2 Posts: 9,554 ✭✭✭Pat Mustard


    Mod note:

    We might keep names of parties out of the discussion, please.


  • Closed Accounts Posts: 2,948 ✭✭✭gizmo555


    GBX wrote: »
    I'm still confused :confused: - They can share data but I must request they don't?

    In essence, they're saying your broker may be able to share your data without your prior consent, provided it's in the broker's legitimate interests and the disclosure doesn't unduly prejudice your own rights, freedoms and legitimate interests. If you want to challenge it, they're saying you should query what are the broker's legitimate interests which apply in these circumstances.

    This is typical of the way the Office of the Data Protection Commissioner works - they try to push back responsibility for challenging data controllers' behaviour to the members of the public who contact them. Only about 10% of inquiries from the public end up being formally investigated by the DPC as complaints. However, you are entitled under section 10 of the Data Protection Acts to make a complaint to the DPC, which she is in turn required to investigate and give a decision on.

    Also, the "legitimate interest" basis for sharing personal data doesn't apply to sensitive personal data. Sensitive personal data which a motor insurance broker might well have about policyholders could include health-related data or data about the commission or alleged commission of any offence (which would include penalty point information) and/or prosecutions (whether or not the accused was acquitted or convicted).

