My Lords, I will speak also to Amendments 46A, 47A, 48A and 50A. We move to a series of probing amendments relating to insurance. I am concerned about many practical things in the Bill, and what I see as unnecessary and unwise obstacles for insurance in general, and for motor insurance and employer liability insurance in particular. I declare my interests as set out in the register of the House and, in particular, those in respect of the insurance industry.
I thank the noble Lord, Lord Clement-Jones, for his support for these amendments—indeed, he was emailing me late last night—and I thank the Minister for a generous slice of his time last week. I also thank the Association of British Insurers and the Lloyd’s Market Association for their help in preparing my remarks. They, in turn, have had input from the four other major insurance market associations and other bodies.
The insurance industry delivers products in the public interest. Indeed, some of the major classes, such as motor insurance and employer liability insurance, are compulsory. It is greatly to society’s benefit that there is a wide choice of good products available at a reasonable price. It is less well understood in the wider world what an important part reinsurance plays in supporting insurers by protecting insurance companies from large unexpected losses and providing temporary extra capital when it is needed. In other words, insurers, too, need a wide choice of good products available at a reasonable price. It is a complex ecosystem, and unintended consequences tend almost invariably to hurt the man in the street.
The impact assessment called for the setting of new standards in accordance with the GDPR,
“whilst preserving the existing tailored exemptions from the Data Protection Act”.
Later on the same page of the impact assessment there is a call for,
“exercising the derogations in the best interest of the UK”.
In fact, the impact assessment has several references to business and insurance business which make it plain that the Government do not intend to place an undue extra burden on business. I am grateful to the Government and the Bill team for having gone some way to alleviating the problems—but I fear that we need to go a lot further.
Sensitive personal data under the current Data Protection Act 1998 has become special category personal data in the GDPR. The treatment of special category personal data looks similar under the GDPR and the DPA, with consent as the applicable legal ground under which data can be processed in most cases. However, what has changed is the definition of consent, with the threshold for valid consent under GDPR now being much higher.
For insurers and reinsurers, the two most common types of special category personal data are information relating to health and information relating to criminal convictions. Being able to consider health and criminal conviction data is hugely important for insurers uniformly and throughout the world. The ABI estimates that the ability to process these types of data helped in detecting around £1.3 billion in fraudulent claims in 2015 alone, and I fear that the Bill unamended would therefore potentially increase costs for millions of motor insurance policyholders. To get an idea of the size of the market where health data is required for underwriting and claims purposes, the LMA has advised me that it identifies annual Lloyd’s market premiums alone of at least £2.3 billion a year.
Processing special-category data, including health data, is fundamental to calculating levels of risk and underwriting the majority of retail insurance products. ICO draft guidance infers that consent as a precondition of accessing a service, as would be the case for a proposal for an insurance contract, would not be a legitimate basis for processing special-category personal data.
Let us take the example of a daily smoker who at retirement age tries to buy an annuity. They would be asked to provide their medical details. This health data would establish that the individual has a below-average life expectancy. The insurer is therefore able to offer an enhanced annuity that pays the individual a higher percentage of income every year.
Under the Bill and its associated draft ICO guidance, insurers would not be able to access the individual’s medical records as consent is a precondition of accessing the enhanced annuity market and therefore such consent cannot be freely given. Insurers would be unable to offer an enhanced annuity and the individual would be treated as a consumer with average life expectancy and receive a lower income from their annuity. This would be a highly undesirable state of affairs.
Take the situation where an insurer has a direct relationship with the insured—a personal motor policy, let us assume. It would seem relatively easy for them to obtain a consent for all processing. However, it is not. More than half the motor insurers in the UK make use of the Motor Insurance Bureau’s MyLicence anti-fraud facility. This third-party service, available to all insurers, allows them at the quote stage to understand a driver’s record using DVLA data. Express consent is not possible and nor, for the same ICO reasoning as my annuity example, would any consent anyway be valid. If the Bill is unamended, this would be bound to drive up premiums for motor insurers, as a principal defence against fraud would cease to exist.
3.15 pm
I am afraid it gets worse. Much more common in insurance is an indirect relationship with the data subject. The distribution of insurance products in the UK usually involves multiple data controllers, such as insurers, brokers, cover-holders and reinsurers. The claims settlement process may involve a number of other data controllers, for example loss adjusters, lawyers and doctors. Obtaining consent is problematic because each party in the product or claims chain who is not in direct contact with the data subject will be relying on another party to obtain consent on their behalf. Each GDPR data controller must be expressly named in consent documentation. That situation therefore would become horribly complex, and be inconsistent with the admirable aims of the impact assessment, without the derogations that I am asking for.
Giving an example of the future under an unamended Bill might help. One of the most popular small-farm insurances on the market in the UK is underwritten by an agency on behalf of 10 or more insurers. Farm policies contain several liability sections. If there is an injury on the farm, express consents on behalf of the injured party will have to be provided for the original broker, the underwriting agency, each of the insurers, the loss adjusters, and potentially all the reinsurers of the original insurers and the associated reinsurance brokers. Until that consent chain is in place, the claim cannot be fully processed. Does the Minister agree with me that this would be another highly unsatisfactory state of affairs?
Yet another unsatisfactory situation arises when a policy is bought by a third party. An example would be employer liability insurance—a compulsory class—where employees’ personal data needs to be supplied to assess the risk; here, the relationship is between the insurer and the employer. In the case of a claim, how does the Bill’s consent chain work? Does the Minister agree with me that we can and must do better in this Bill?
Although it is practicable to obtain the consent of the data subject in many cases, often it is not. Aggrieved claimants, for example, may not provide their consent for the insurer processing their personal data, as they simply want the corporate insured to pay their loss. They do not care whether or not it is covered by insurance. How is the insurer meant to act in these circumstances, or rate for this? I fear it would be a recipe to reduce competition and drive up prices for employer liability insurance, which is a compulsory class. This would certainly not be in the best interests of any policyholders or data subjects. These are market-wide issues and are not specific to any one type of insurance over another.
I feel in general that trying to shoehorn insurance business into GDPR article 9(2)(a)—the consent bit—is far from being in the public interest and that the public would be best served using a derogation under article 9(2)(g): that the processing is necessary for reasons of substantial public interest.
The amendments set out two alternative ways in which the issues might be tackled, while at the same time being wholly consistent with the GDPR. Under Amendment 45B, the new insurance paragraph would continue to sit within the “Substantial public interest conditions” subheading in Schedule 1, Part 2, as do the present paragraphs (14) and (15). The language is modelled on paragraph 6 of Schedule 1: the derogation for,
“Parliamentary, statutory and government purposes”.
It is effective at curing the problems with obtaining consent that I have described—and, indeed, those of withdrawing consent. It is consistent with the impact assessment and article 9(2)(g) of the GDPR. It is clear that the special category “personal data” can be used only for a necessary purpose and not in, say, a marketing drive, and the ICO and the FCA will patrol matters with their usual thoroughness.
The other amendments, together, are an alternative. They would allow insurers to continue to access and use health and criminal conviction data in another way. Amendment 46A widens the definition of insurance to bring more classes of insurance under the regime of Schedule 1, including, for instance, motor insurance and household insurance. This not only replicates the status quo but is also consistent with article 9 of the GDPR, given the twin watchdogs that I referred to: the ICO and the FCA.
Amendment 47A removes a new provision that presents a potential administrative minefield, did not form part of the DPA and is not needed for the purposes of the GDPR. Amendment 48A is a further amendment along the same lines, which widens paragraph 14 of Schedule 1 so that it covers all insurance business and extends the scope to cover criminal convictions. Amendment 50A is, I fear, a rather hurried bit of drafting, but is intended to allow the processing of third-party joint policyholders’ data. Properly drafted, this would allow consent to be given by one policyholder on behalf of another joint policyholder. In many cases, this is simply a pragmatic necessity and, again, I feel the amendment is consistent with not only the Government’s stated aims in the impact assessment but the GDPR. I beg to move.