Who does UK General Data Protection Regulation apply to?
The UK General Data Protection Regulation (UK GDPR) applies to data controllers (those who say how and why personal data is processed) and data processors (those who act on behalf of controllers).
What is the effect of UK GDPR and the Data Protection Act 2018?
The UK GDPR and the Data Protection Act (DPA) 2018 regulate the use of computers and other automatic data processing equipment as a means of storing data.
The rules also cover ‘relevant filing systems’ (broadly, systems equivalent to a computerised system with ready accessibility to relevant information).
The rules encourage personal information about people to be kept confidential and prohibit the unauthorised disclosure of personal records to third parties.
What the main elements of the Data Protection Act 2018?
Its main elements include:
- ensuring that sensitive health, social care and education data can continue to be processed, to ensure confidentiality in health and safeguarding situations;
- restricting the rights to access and delete data where there are legitimate grounds for doing so (e.g. for national security purposes);
- setting the age from which parental consent is not needed to process data online; and
- providing the Information Commissioner’s Office (ICO) with enhanced powers to regulate and enforce data protection laws.
What are the Powers of the ICO for serious data breaches?
The ICO can levy fines of up to £17.5 million or 4% of annual global turnover.
It can also bring criminal proceedings against a data controller or processor if they have altered records following a Subject Access Request (SAR) with the intent to prevent disclosure.
What are the six data protection principles of the UK GDPR?
These principles require that personal data should be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
- and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
How does UK GDPR handle breaches?
All businesses handling personal data must also register with the Public Register of Data Controllers (maintained by the Information Commissioner’s Office (ICO)).
The UK GDPR introduces a duty on all organisations to report certain types of breach to the ICO, and in some cases to the individual.
What the rights does the UK GDPR give individuals in respect of information held about them by others?
The UK GDPR provides the following rights to individuals:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
In order to protection information held on computers, what are the procedures that all organisations should follow?
To protect information held on computers, there are some procedures which all organisations, including those in the insurance industry should follow:
- Restricted access
- File saving and backup
- Source documentation retention
- Protection against theft or damage
- Copyright
- Use of passwords
- Secure storage and file disposal
What does The Computer Misuse Act 1990 state?
The Computer Misuse Act 1990 was passed to provide a deterrent against unauthorised computer access and introduced these three criminal offences.
In addition, making, supplying or obtaining anything which can be used in computer misuse offences is illegal.
The Act sets out the maximum penalties for such offences.
A complaint is defined as?
Any oral or written expression of dissatisfaction, whether justified or not, from, or on behalf of, a person, about the provision of or failure to provide, a financial service.
How should companies handle complaints?
Complaints must be recorded, investigated and a decision made that is appropriate, timely and fair by someone independent of the original complaint. Records of complaints must be kept for three years from the date of the complaint.
What are ICOBS claims handling rules?
ICOBS requires that an insurer must:
- handle claims promptly and fairly;
- provide reasonable guidance to help a policyholder make a claim and appropriate information on its progress;
- not unreasonably reject a claim (including by terminating or avoiding a policy);
- and settle claims promptly once settlement terms are agreed.
What does Enterprise Act 2016 state?
This requires insurers to pay claims within a reasonable time.
Reasonable time depends on the type of insurance, the size and complexity of the claim, compliance with regulatory rules and guidelines, as well as factors outside the insurer’s control.
Failure to pay a claim within a reasonable time will mean the policyholder can claim damages if the delay is unreasonable and this causes them additional losses.
What does ICOBS say about the rejection of a claim?
ICOBS states that rejection of a consumer (i.e. private individual) policyholder’s claim is unreasonable, except where there is evidence of fraud, if it is for:
- non-disclosure of a fact material to the risk which the policyholder could not reasonably be expected to have disclosed; or
- non-negligent misrepresentation of a fact material to the risk; or
- breach of warranty or condition, unless the circumstances of the claim are connected to the breach.
What type of data are UK GDPR and the Data Protection Act 2018 mainly concerned with?
They are both mainly concerned with personal data.
Personal data is any data relating to an identifiable living individual.
There are also some types of personal information that are more sensitive than others and so there are additional requirements for processing it.
UK GDPR refers to sensitive personal data as ‘special categories of data’.
These categories include such things as a person’s ethnic or racial origin, religious or political beliefs, health, sexual life, genetics or biometrics (where used for ID purposes).
All businesses handling personal data must also register with?
The Public Register of Data Controllers which is maintained by the Information Commissioner’s Office (ICO)
What are the six outcomes related to treating customers fairly?
Outcome 1 – Consumers can be confident that they are dealing with firms where the fair treatment of customers is central to the corporate culture
Outcome 2 – Products and services marketed and sold in the retail market are designed to meet the needs of identified consumer groups and are targeted accordingly.
Outcome 3 – Consumers are provided with clear information and are kept appropriately informed before, during and after the point of sale.
Outcome 4 – Where consumers receive advice, the advice is suitable and takes account of their circumstances.
Outcome 5 – Consumers are provided with products that perform as firms have led them to expect, and the associated service is of an acceptable standard and as they have been led to expect.
Outcome 6
–
Consumers do not face unreasonable post-sale barriers imposed by firms to change product, switch provider, submit a claim or make a complaint.
What are the cross-cutting rules of Consumer Duty?
- act in good faith;
- avoid causing foreseeable harm;
- and enable customers to pursue their financial objectives.
What are the four outcomes of the firm-consumer relationship?
- Communications
- Products and Services
- Customer Service
- Price and Value
What is the a vulnerable customer according to the FCA?
The FCA defines a vulnerable consumer as ‘someone who, due to their personal circumstances, is especially susceptible to detriment, particularly when a firm is not acting with appropriate levels of care’.
Complaint files for a company must include?
- the name of the complaint handler, the complainant and whether they are an eligible complainant or not;
- the substance of the complaint;
- all correspondence relating to the complaint; and
- any redress offered.
How long do firms have to give a final response or written response to a complaint?
The FCA expects firms to have provided either a final or written response within eight weeks.
A written response differs from a final response insofar as it is a holding note advising the complainant why they have not received a final response and informing them of their right to refer the complaint to the FOS if they so wish.
How long do complainants unhappy with a final response have to refer it to the Financial Ombudsan?
Complainants unhappy with a final response have six months to refer it to the FOS
What is the Financial Ombudsman Service (FOS)?
The Financial Ombudsman Service (FOS) is an independent mechanism for dealing with disputes from eligible complainants.
Internal complaints procedures within the authorised firm need to be exhausted before a complaint can be referred to the FOS.
The maximum award the FOS can make is £375,000. It can recommend a higher figure if appropriate, but it will not be binding on the insurer.
If the insured accepts the FOS’s decision, the insurer must pay out up to the £375,000 ceiling.
If the insured rejects the decision, they will need to issue legal proceedings to take their complaint any further.
