'Unprecedented' number of data protection breaches by insurers

STAFF AT insurance companies inappropriately accessed data to examine the claims history of family, friends and of a number of celebrities, a major investigation into data protection in the industry has found. The inquiry identified an “unprecedented” number of data protection law breaches.

As well as inappropriately sharing data, insurance companies were found to be using “pre-claim” information when calculating insurance quotes.

“Pre-claims” are initial inquiries by customers who often do not proceed with a claim.

The investigation by the Office of the Data Protection Commissioner is one of the largest and most comprehensive undertaken by the agency. Its findings will be published as part of the office’s annual report later this year.

At least one of the celebrities whose claims history was inappropriately accessed is a high-profile sportsperson, while another works in broadcasting. The checks in relation to them were not linked to any insurance claim.

It is understood disciplinary action was taken by the insurance companies against the employees involved.

Following the investigation, insurers have been ordered to remove some data held on Insurance Link, a shared claims database holding details of 2.4 million cases.

This database can be accessed by all insurers and is used to guard against fraudulent claims. The data commissioner’s office threatened legal action if insurers failed to remove the data and it is understood they have agreed to do so.

Insurers have also been ordered to immediately cease the routine uploading of pre-claims data, an industry term referring to the notification of an incident such as a crash to an insurer in advance of a claim.

In many cases a pre-claim is an inquiry regarding the implications for a policy if a claim is made and the customer does not proceed. However, the report found examples of pre-claims being recorded on Insurance Link as if they were a claim.

Should a customer go on to make a legitimate claim on a separate matter, the pre-claim would be listed and this customer may be considered to have withheld information that affects the validity of the policy. The commissioner found this practice was prevalent throughout the sector and in breach of the Data Protection Acts.

The report found one company had uploaded more than 30,000 preclaim files with no valid basis.

The report suggests many of the breaches may have arisen due to confusion among claims handlers about whether such disclosure is legal. It found no evidence of an insurer deliberately seeking to breach data protection legislation.

Insurance Link was found to hold data going back to its establishment in 1987. The commissioner says it is illegitimate to hold data on a “just in case basis” and ordered that all data older than 10 years, and all files with no activity over the past five years, be deleted.