My Lords, I am very grateful to the Minister for that news on those government amendments. It is very helpful and will prevent a lot of insurers having to redo their administrative systems. I shall speak to Amendments 25 and 26, which are another pair of insurance amendments. I declare my interests as set out in the register of the House, particular those in respect of the insurance industry.
I thank the noble Lord, Lord Clement-Jones, who has been very helpful. He brings great clarity at all times of day to our discussions. Although he is the chairman of the Artificial Intelligence Select Committee, his intelligence is far from artificial and is most helpful. Also, I see the Bill team over there. They have been excellent. Given the amount of fire coming in they are very calm, collected and user-friendly. I thank them for everything they have done so far on the Bill.
The Lloyd’s Market Association, the British Insurance Brokers’ Association and the Association of British Insurers, among other insurance associations, have helped in the preparations of some of these remarks. The insurance industry is trying to deliver products in the public interest. Indeed, some major classes of insurance, such as motor insurance and employers’ liability insurance, are compulsory. There is a long list of other insurances that are quasi-compulsory. For instance, one cannot get a mortgage without buying household insurance. It is greatly to society’s benefit that a wide choice of good products is available at a reasonable price.
9.15 pm
The amendments seek broadly to achieve two things. The first is to amend the Bill so that the ordinary person and the ordinary small business can continue to have the best access to a choice of good insurance at a good price, while being consistent with the GDPR, and the second is to ask the Information Commissioner, who works for Parliament, to provide the insurance sector with the specific guidance necessary in this area and not guidance on a one-size-fits-all basis, which does not provide sufficient clarity.
The root of the issue is that the threshold for valid consent under the GDPR will now be much higher, which impacts the handling of special-category personal data. For insurers and reinsurers, the two most common types of special-category personal data are information relating to health and information relating to criminal convictions. Being able to consider health and criminal conviction data is hugely important for insurers uniformly and throughout the world both in taking policies on and in handling claims. As I remarked previously, the ABI estimates that the ability to process such data helped in detecting around £1.3 billion in fraudulent claims in 2015 alone. The LMA estimates the size of the Lloyd’s market alone where health data are required at £2.3 billion of premiums annually.
The ICO draft guidance suggests that consent as a precondition of accessing a service, as would be the case for a proposal for an insurance contract, would not be a legitimate basis for processing special-category personal data. This gives rise to a chicken-and-egg problem for insurance. In Committee, I gave several examples of undesirable results, which I do not propose to revisit.
There are many examples where ordinary citizens and small businesses would have problems were the Bill to be unamended. Where society asks for insurance to be bought, be it the compulsory classes of motor insurance or employers’ liability insurance, or the quasi-compulsory classes, of which there are many—household insurance with a mortgage in place is one—there is a substantial public interest in allowing heavily regulated insurers to process special-category personal data.
As I have said before, trying to shoehorn insurance business into the GDPR consent environment under article 9.2(a) is far from being in the public interest and the public would be best served to use the derogation under article 9.2(g)—that is,
“processing is necessary for reasons of substantial public interest”.
The amendments set out one way in which the issues might be tackled while being wholly consistent with the GDPR. While our detailed and highly constructive discussions continue, the eventual solution may or may not look like them, but I hope that it will have the same effect. Under Amendment 25, the new “insurance” paragraph would continue to sit within the “Substantial Public Interest Conditions” sub-heading in Schedule 1, Part 2, as do the current paragraphs 14 and 15, but the substantial public interest derogation for processing special-category personal data would be used rather than the consent derogation. Further, it makes it clear that special-category personal data can be used only for “necessary … purposes” and not, let us say, for a marketing drive. Sitting over the top will be the ICO and FCA, which I have no doubt will patrol matters with their usual thoroughness.
The other amendment would ask the ICO to prepare insurance-specific guidance and in doing so to consult. In its September response to the consultation on consent, the ICO noted the differing worries of various sectors but said that it did not intend to give any sector-specific guidance. The amendment asks them to do so. Given that the sectors named by the ICO included health and social care, education and charities as well as insurance, it is right that Parliament should ask its Information Commissioner to be as helpful as possible to all sectors. The case for that has grown strongly in the many days of debate that we have had on this Bill, and again today and tonight. I therefore ask the Minister to confirm that these issues will be brought back at Third Reading.