In order to provide our services, we will collect and use data about individuals. This means that we are a 'data controller' and we are responsible for complying with data protection laws.
We have appointed a data protection officer to oversee our handling of personal information. If you have any questions about how we collect, store or use your personal information, you may contact our Data Protection Officer by emailing us at email@example.com.
About the insurance market
The personal information that we collect and process will be shared with other participants in the insurance market, some of which you will not have direct contact with. You can identify relevant data controllers through the insurance market in the following ways:
Where you took out the insurance policy yourself: Peliwica will be the initial data controller and our insurers will also be a data controller. Our Data Protection Officer can advise you of the identities of other insurance market participants that have been provided with your personal data.
Where another organisation took out the policy for your benefit: You will need to contact the organisation that took out the policy who should provide you with details of intermediaries such as Peliwica that they provided your personal data to. Peliwica's Data Protection Officer can advise you of the identities of other insurance market participants that have been provided with your personal data.
Where you are not a policyholder or an insured party: you should contact the organisation that collected your personal data who should provide you with details of the relevant data protection contact.
The company is registered under local data protection legislation and is listed on the Data Protection Register.
The company are committed to meeting their obligations under the applicable local privacy legislation. The company will observe the law in all collection and processing of data and will meet any subject data access request in compliance with the law, in particular the General Data Protection Regulations (“GDPR”) and the Data Protection Bill (2017) (the “Act”). Data will only be used for the purposes stated in the company’s literature or purposes relevant to carrying out the company’s responsibilities under the insurance and/or reinsurance contract and, where required, other overriding requirements such as criminal investigations.
All necessary steps will be taken in the collection and storage of any sensitive data to ensure that the data is secure and all staff will do their utmost to keep all data accurate, up-to-date and secure. The company are committed to making staff aware of the requirements under relevant privacy legislation. All staff are aware that personal or sensitive data can only be disclosed in limited circumstances.
The GDPR and the Act protect individuals with regard to the processing of personal data, in particular by: (a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis, (b) conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and (c) conferring functions on the Information Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions. When carrying out functions under the GDPR and the Act, the Information Commissioner must have regard to the importance of securing an appropriate level of protection for personal data, taking account of the interests of data subjects, controllers and others and matters of general public interest.
Application of GDPR
The GDPR applies to ‘controllers’ and ‘processors’:
• A controller determines the purposes and means of processing personal data.
• A processor is responsible for processing personal data on behalf of a controller. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities.
You will have legal liability if you are responsible for a breach.
Compliance Handbook December 2019 133
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
4.2. DATA TYPES
Personal data
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data”. The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. For example, information about an individual’s:
• race;
• ethnic origin;
• politics;
• religion;
• trade union membership;
• genetics;
• biometrics (where used for ID purposes);
• health;
• sex life; or
• sexual orientation.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing below.
5. THE 6 PRINCIPLES OF DATA PROTECTION
Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
6. LAWFUL BASIS FOR PROCESSING
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
6.1 DOCUMENTING LAWFUL BASIS
The principle of accountability requires you to be able to demonstrate that you are complying with the GDPR, and have appropriate policies and processes. This means that you need to be able to show that you have properly considered which lawful basis applies to each processing purpose and can justify your decision.
You must determine your lawful basis before starting to process personal data. It’s important to get this right first time. If you find at a later date that your chosen basis was actually inappropriate, it will be difficult to simply swap to a different one.
Even if a different basis could have applied from the start, retrospectively switching lawful basis is likely to be inherently unfair to the individual and lead to breaches of accountability and transparency requirements.
You need therefore to keep a record of which basis you are relying on for each processing purpose, and a justification for why you believe it applies. There is no standard form for this, as long as you ensure that what you record is sufficient to demonstrate that a lawful basis applies. This will help you comply with accountability obligations, and will also help you when writing your privacy notices.
It is your responsibility to ensure that you can demonstrate which lawful basis applies to the particular processing purpose.
6.2 LAWFUL BASIS DISCLOSURE
You need to include information about your lawful basis (or bases, if more than one applies) in your privacy notice. Under the transparency provisions of the GDPR, the information you need to give people includes:
• your intended purposes for processing the personal data; and
• the lawful basis for the processing.
This applies whether you collect the personal data directly from the individual or you collect their data from another source.
7. SENSITIVE PERSONAL DATA / CRIMINAL OFFENCE DATA
If you are processing special category data, you need to identify both a lawful basis for processing and a special category condition for processing. You should document both your lawful basis for processing and your special category condition so that you can demonstrate compliance and accountability.
7.1 RELEVANT CONDITIONS FOR PROCESSING
• the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
• processing relates to personal data which are manifestly made public by the data subject;
• processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
Important Note – an additional condition for processing in relation to insurance is being passed as an amendment to the Data Protection Bill.
8. INDIVIDUAL RIGHTS
The GDPR provides the following rights for individuals:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.
8.1 RIGHT TO BE INFORMED
The right to be informed covers some of the key transparency requirements of the GDPR. It is about providing people with clear and concise information about what you do with their personal data.
• Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
• You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
• You must provide privacy information to individuals at the time you collect their personal data from them.
• If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
• The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
• You must regularly review, and where necessary, update your privacy information.
You must bring any new uses of an individual’s personal data to their attention before you start the processing.
8.2 RIGHT OF ACCESS (SUBJECT ACCESS REQUESTS)
Under the GDPR, individuals will have the right to obtain:
• confirmation that their data is being processed;
• access to their personal data; and
• other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.
Upon receipt, requests by an individual for a copy of any/all personal information held by the firm (Subject Access Requests) should be referred to the Data Protection Officer.
A copy of the information should be provided to the individual free of charge. However, a ‘reasonable fee’ can be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive.
You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests. The fee must be based on the administrative cost of providing the information.
Information must be provided without delay and at the latest, within one month of receipt. You will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
8.3 RIGHT OF RECTIFICATION
The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
• An individual can make a request for rectification verbally or in writing.
• You have one calendar month to respond to a request.
• In certain circumstances you can refuse a request for rectification.
8.4 RIGHT TO ERASURE
Individuals have the right to have their personal data erased if:
• the personal data is no longer necessary for the purpose which you originally collected or processed it for;
• you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
• you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
• you are processing the personal data for direct marketing purposes and the individual objects to that processing;
• you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
• you have to do it to comply with a legal obligation; or
• you have processed the personal data to offer information society services to a child.
Upon receipt, requests by an individual for the erasure of their data should be referred to the Data Protection Officer in the first instance for consideration of the above factors. If the request is deemed to be actionable, it will be referred internally (as appropriate) for electronic erasure and the destruction of hard copies (if any).
8.5 RIGHT TO RESTRICT PROCESSING
Individuals have the right to request you restrict the processing of their personal data in the following circumstances:
• the individual contests the accuracy of their personal data and you are verifying the accuracy of the data;
• the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
• you no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or
• the individual has objected to you processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.
Although this is distinct from the right to rectification and the right to object, there are close links between those rights and the right to restrict processing:
• if an individual has challenged the accuracy of their data and asked for you to rectify it (Article 16), they also have a right to request you restrict processing while you consider their rectification request; or
• if an individual exercises their right to object under Article 21(1), they also have a right to request you restrict processing while you consider their objection request.
Therefore, as a matter of good practice you should automatically restrict the processing whilst you are considering its accuracy or the legitimate grounds for processing the personal data in question.
8.6 RIGHT TO DATA PORTABILITY
The right to data portability only applies:
• to personal data an individual has provided to a controller;
• where the processing is based on the individual’s consent or for the performance of a contract; and
• when processing is carried out by automated means.
8.7 RIGHT TO OBJECT
Individuals have the right to object to:
• processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
• the transference of their data to certain countries;
• direct marketing (including profiling); and
• processing for purposes of scientific/historical research and statistics.
Individuals must have an objection on “grounds relating to his or her particular situation”.
You must stop processing/transferring the personal data unless:
• you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
• the processing is for the establishment, exercise or defence of legal claims.
You must inform individuals of their right to object “at the point of first communication” and in your privacy notice.
8.8 RIGHTS RELATED TO AUTOMATED DECISION MAKING INCLUDING PROFILING
Automated individual decision-making is a decision made by automated means without any human involvement. Examples of this include:
• an online decision to award a loan; and
• a recruitment aptitude test which uses pre-programmed algorithms and criteria.
Automated individual decision-making does not have to involve profiling, although it often will do. The GDPR says that profiling is:
“Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
The GDPR has provisions on:
• automated individual decision-making (making a decision solely by automated means without any human involvement); and
• profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
You can only carry out this type of decision-making where the decision is:
• necessary for the entry into or performance of a contract; or
• authorised by Union or Member state law applicable to the controller; or
• based on the individual’s explicit consent.
You must identify whether any of your processing falls under Article 22 and, if so, make sure that you:
1. give individuals information about the processing;
2. introduce simple ways for them to request human intervention or challenge a decision;
3. carry out regular checks to make sure that your systems are working as intended.
9. ACCOUNTABILITY AND GOVERNANCE
The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.
You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.
You must:
• implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies;
• maintain relevant documentation on processing activities;
• where appropriate, appoint a data protection officer;
• implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
  o data minimisation;
  o pseudonymisation;
  o transparency;
  o allowing individuals to monitor processing; and
  o creating and improving security features on an ongoing basis.
• use data protection impact assessments where appropriate.
10. SECURITY
Article 5(1)(f) of the GDPR concerns the ‘integrity and confidentiality’ of personal data. It says that personal data shall be:
'Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures'
This means that you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. You should remember that while information security is sometimes considered as cybersecurity (the protection of your networks and information systems from attack), it also covers other things like physical and organisational security measures.
‘Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’
The security principle goes beyond the way you store or transmit information. Every aspect of your processing of personal data is covered, not just cybersecurity. This means the security measures you put in place should seek to ensure that:
• the data can be accessed, altered, disclosed or deleted only by those you have authorised to do so (and that those people only act within the scope of the authority you give them);
• the data you hold is accurate and complete in relation to why you are processing it; and
• the data remains accessible and usable, ie, if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned.
These are known as ‘confidentiality, integrity and availability’ and under the GDPR, they form part of your obligations.
The GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is ‘appropriate’ to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.
This reflects both the GDPR’s risk-based approach, and that there is no ‘one size fits all’ solution to information security. It means that what’s ‘appropriate’ for you will depend on your own circumstances, the processing you’re doing, and the risks it presents to your organisation.
So, before deciding what measures are appropriate, you need to assess your information risk. You should review the personal data you hold and the way you use it in order to assess how valuable, sensitive or confidential it is – as well as the damage or distress that may be caused if the data was compromised. You should also take account of factors such as:
• the nature and extent of your organisation’s premises and computer systems;
• the number of staff you have and the extent of their access to personal data; and
• any personal data held or used by a data processor acting on your behalf.
Technical measures are sometimes thought of as the protection of personal data held in computers and networks. Whilst these are of obvious importance, many security incidents can be due to the theft or loss of equipment, the abandonment of old computers or hard-copy records being lost, stolen or incorrectly disposed of. Technical measures therefore include both physical and computer or IT security.
When considering physical security, you should look at factors such as:
• the quality of doors and locks, and the protection of your premises by such means as alarms, security lighting or CCTV;
• how you control access to your premises, and how visitors are supervised;
• how you dispose of any paper and electronic waste; and
• how you keep IT equipment, particularly mobile devices, secure.
In the IT context, technical measures may sometimes be referred to as ‘cybersecurity’. This is a complex technical area that is constantly evolving, with new threats and vulnerabilities always emerging. It may therefore be sensible to assume that your systems are vulnerable and take steps to protect them.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, including those which process personal data;
• data security – the security of the data you hold within your systems, eg ensuring appropriate access controls are in place and that data is held securely;
• online security – eg the security of your website and any other online service or application that you use; and
• device security – including policies on Bring-your-own-Device (BYOD) if you offer it.
10.1 PROCEDURAL GUIDANCE
Refer to the External Communications Policy for a sample Privacy Notice. The following policies contain further procedural guidance in relation to compliance with the GDPR:
• the IT Security Guidance Policy;
• the Cyber Resilience Policy; and
• the Information Security Incident Response Plan.
10.2 CUSTOMER INFORMATION
Where GDPR is applicable, is there a privacy notice issued to all policyholders explaining what data is held on the individual, what is done with it, who it is shared with, where it might be transferred to, and how long it will be retained for?