Insurers, what is the privacy regulator telling you?

August 07, 2015

Last week the Information Commissioner, the UK privacy regulator, published a press statement expressing frustration about the way some parts of the insurance sector are handling medical data. 

Basically, he's found out that some insurers are requiring customers to sign over their data subject access rights, so that they can get hold of health records before making a decision on cover and payouts.

It is pretty obvious from the way the Commissioner has put things that he sees the insurance sector taking advantage of a loophole in the law. 

You see, while insurers have a separate statutory scheme to access health records, the Data Protection Act doesn't expressly outlaw what is going on here.  The only express outlawing provision about the misuse of subject access requests is in section 56 of the Act, but that's about would-be employers asking job candidates to use their subject access rights to obtain criminal records for handing over before a hire decision is taken.  So the way the loophole argument goes is this: seeing that Parliament considered it necessary to outlaw the misuse of SARs in an employment context and went to the trouble of embedding this in the legislation, it must mean that Parliament intended the ban on misuse of SARs to be narrowly construed.  Bingo! Insurers, you can drive your cart through the loophole, merrily free of legal worry.

Whoa, hold on tiger, not so fast.  Back up a bit.  You see, the Commissioner's expression of frustration is telling us something much more fundamental.  What the press statement is about is regulatory intent.  The regulator is telling the insurance sector that he is going to do something about this. The between-the-lines message is simple: insurance sector, your time in the sun is coming.

I've been studying the detail of regulator behaviours for data protection in the UK for years now, both academically and in practice, perhaps longer than anyone else in this country, and when you take a 'bigger' view, the patterns become obvious, just like crop circles, ley lines and missing pyramids when you look down from the sky.

A statement of frustration is part of the pattern of regulator behaviour. These statements are one of the starting points that lead eventually to hand-to-hand combat between the regulatory system and the regulated sectors. Frustration is the most basic expression of the belief that something is wrong in the regulatory scheme.  Going public with the frustration is telling us that it's got to the top of the agenda.  And when it's top of the agenda, it means that the problem has to be fixed.

Think about the volume of the issues that make their way to the ICO each year. There's a lot for them to handle. To narrow down their focus they take a 'risk based approach' to their priorities and regulatory action. This means that most of the issues drop off the table. The weeding is intense and only a small number of issues can get to the stage that this one has reached.

So, insurers who are doing SARs, you've become a regulatory burning platform. You've joined the ranks of dodgy detectives, tricksy journalists, spammers and encryption mavericks at the top table.  Insurance sector, I'm afraid the SAR thing has put you with health, telco and a few others as one of the priority concerns.

So how will this play out? As I said, there are repeating patterns. The range of next steps and impacts is obvious. If you're working in insurance, give me a call and I'll talk you through it and what you need to think about to protect your business.

If you are actually doing SARs, I'll be able to show you the detail of the legal position.  The legal arguments are clear cut, so there is risk for insurers here.

 
