The Association of British Insurers (ABI) has published new guidance that advises insurance companies to obtain 'opt-in' consent from drivers to the sharing of their telematics data (17-page / 278KB PDF) with firms that are not themselves "directly involved in managing or delivering a policy, handling a claim, setting premiums, detecting and preventing fraud, responding to customer queries or delivering any service included as part of the policy".
Telematics data refers to the information that is collected about motorists' driving patterns. Insurance companies are increasingly deploying technology within vehicles that records such information in order to allow them to set motor insurance premiums that reflect the driving style of motorists.
The ABI said that companies that collect the information must respect UK data protection laws. In practice this initially means they need to ensure that individuals are provided with "clear and comprehensive information" about how their personal telematics data will be collected and used, who has rights of access to the information and what their own rights are with respect to the data, it said.
Insurance firms need to obtain the consent of all named drivers on a telematics policy before they can collect personal telematics data about those individuals, the ABI said. Steps should be taken to ensure the information recorded is accurate and that "effective security standards" are maintained to allow the data to be processed securely, it added. In addition, it said that telematics data cannot be recorded unless it is "necessary for the purposes it is being used for as declared to the consumer".
Policyholders whose telematics data is collected have the right to request a copy of the information held by the companies that store it, the ABI said. However, other named drivers on that policy whose personal data may have been collected should be asked whether they consent to the release of the information, it said.
"Where consent sought ... is not given, personal data should only be released where it is reasonable in all the circumstances to comply with the request," the guidance said.
The trade body also said insurance firms should take steps to prevent telematics data either being recorded or received by them in the event that customers' policies are terminated.
"When a policy is terminated, consumers should be given the option to have any after-market Telematics Device removed, while the consumer should be able to fully delete any smartphone application," the ABI said in its guidance. "If a policy has been terminated and the after-market Telematics Device has not been removed, the device should no longer transmit data to any Data Controller or Processor."
"If a policy has been terminated and it is impracticable to either have the after-market Telematics Device removed or stop the device from transmitting data, the link between the Telematics Device and the database should be severed such that no additional data received is accessible to any Data Controller or Processor," it added.
The ABI said that it was important that consumers have trust in how companies involved in the insurance market were making use of telematics data.
"Given the nature of telematics products specifically, and insurance products more generally, maintaining consumer confidence in telematics products will be a key determinant of the long-term viability and success of the telematics market," it said. "That is, consumers need to trust insurers to treat them fairly and protect their personal information. Critically, consumer confidence will be influenced by the actions of all market participants."
The ABI warned insurance firms that they could be in breach of the Data Protection Act if they allow a policyholder online access to information about the telematics data recorded for their vehicle where there is more than one named driver on the policy and where those other named drivers have not consented to the disclosure of their personal data.
It also issued guidance to insurance firms that attempt to obtain policyholders' consent to the collection of their telematics data through 'tick boxes' at the point when policies are being agreed upon. It said those firms must ensure that the information provided to consumers is "sufficiently clear" to enable them to understand what they are agreeing to. If this standard is not achieved the companies may not have achieved a "sufficient level of consent" to use individuals' personal telematics data.