Insurers rebuked over data breaches

Insurance companies and a number of other bodies have been found to have committed major breaches of data protection laws in how they accessed and managed a system containing some 2.4 million claims records.

The details of the investigation by the Data Protection Commissioner are published today as an annex to the commissioner's annual report for 2010.

An extensive audit of the 'Insurance Link' system, which provides for sharing of personal data between multiple entities, found numerous breaches of data protection law.

They included inappropriate access by staff at insurance companies to the claims history of family, friends and of a number of celebrities and the collation of “pre-claims” data on the database.

Pre-claims are initial inquiries by customers who often do not proceed with a claim.

In some cases staff accessed data about houses and cars that they were considering purchasing.

Companies using the database include Axa, Allianz, Aviva, FBD, Royal & Sun Alliance, the ESB, Dunnes Stores, Dooley Car Rental, Quinn Insurance and several local authorities, including Fingal County Council, South Dublin County Council, Dublin City Council, Cork City Council and Limerick City Council.

In the report, Data Protection Commissioner Billy Hawkes said many users of the Insurance Link system seem to have viewed their access to this “massive holding of personal data” as “a right without corresponding responsibilities”.

The report says that while some firms were better than others, “in most cases no evidence was found of anything beyond lip service to data protection requirements”.

It makes a number of recommendations, including that all personal data on Insurance Link which is over 10 years old should be removed, other than in exceptional circumstances such as where there are ongoing claims or litigation. Reports should also be run on a quarterly basis to identify all users who have accessed the service.

Deputy data protection commissioner Gary Davis said in many cases, insurers were not making a distinction between an actual insurance claim and an inquiry about a possible claim.

This had potentially led to policies being loaded, he said. The companies had recognised that this was an issue they had to address and had committed to taking steps to address it.

He said one company had uploaded some 30,000 such pre-claims on its database, which was a “massive number”.

Mr Davis noted there were some 27,000 instances of access to the Insurance Link system in one month last year, and, while many related to claims, some details were merely accessed out of "prurience or curiosity" by people working in the insurance sector.

Data Protection Commissioner Billy Hawkes said: “We have succeeded in bringing about significant change, but we are continuing our work with the insurance industry this year, and we have also brought our report to the attention of the Central Bank.”

“What it did illustrate, in a more general sense for us, is the danger that when you have a mechanism like this put in place which allows data-sharing for a particular reason, that a lack of discipline can develop in terms of the trust that has been placed in the people that are doing the sharing.”