Insurers that adopt the guidelines will be required to set out a range of information when making requests to other insurers for personal data to be disclosed, including the "key fraud indicators that lead you to suspect that a crime has been committed" and why the data cannot be sourced elsewhere. Insurers must also explain why the failure of another insurer to release the requested data "would be likely to impact upon/prejudice/significantly harm" their counter-fraud strategy.
Insurers responding to requests for data must set out whether all, some or none of the information requested can be disclosed and "detail the information that can be shared".
Insurers that adopt the new guidelines must appoint a single point of contact for requests for data to be submitted to and use new template forms when making requests for data or responding to such requests. A record of all requests made should also be kept by insurers.
The guidelines are voluntary but are intended to help resolve concerns previously identified by a working group within the Chartered Insurance Institute (CII).
The group found that there was "unmanageably high volumes" of requests for personal data to be shared for the purpose of tackling fraud being submitted by insurers and that those requests were often of "poor quality". It said there was a "lack of industry consistency" in how the requests were presented and "confusion over what constitutes a valid request" under the Data Protection Act. Other issues identified included "poor response rates to requests" and the limited helpfulness of the information being asked for in aiding counter fraud investigations.
The new guidelines, set by the CII in conjunction with the Insurance Fraud Bureau (IFB), are aimed at clarifying how provisions of the Data Protection Act that enable the sharing of personal data to combat fraud work in practice. They are also aimed at improving both the quality of requests for data and responses to those requests made by insurers, and the speed of responses to those requests.
Under Section 29 of the Data Protection Act (DPA) organisations are generally freed from conditions placed on the legitimate processing of personal data, such as the need to obtain individuals' consent for such processing, where the processing takes place for the purpose of preventing or detecting crime.
The Act permits companies to share personal information they hold with others for the purpose of preventing or detecting crime without informing individuals concerned if doing so would be likely to prejudice such investigations.