July 2018: The ABI / ACPO MoU - is it dying?
The obtaining of police reports to assist the prompt resolution of claims is far from straightforward. Police constabularies can release reports of crime. There are several ways this can occur:
1. With the consent of the insured – with redactions; the removal of personal information relating to a living individual who has not consented to their information being provided.
2. Where there are the prospect of proceedings or to seek legal advice. In accordance with what was section 35(2) of the 1998 Data Protection Act, now section 3(2)(b)ii (see reference below) now section 5(3) – see references below
3. Where fraud is suspected, in accordance with what was section 29(3) of the 1998 Data Protection Act, now section 3(2)(b)ii - see reference below.
The above are nothing new; ‘1’ has always existed. The enabling sections at ‘2’ and ‘3’ also appeared in the original 1984 Data Protection Act.
In the 1970’s there was a reluctance by the police to provide information about crime reports. It took years of discussions likely helped by constabularies such as Kent who in the late 1990’s used their ‘Operation Igneous’ model to reduce crime. Specifically, they identified 20%+ of allegations were tainted by fraud and ‘no-crimed’.
Some 10 years later ACPO (the now defunct Association of Chief Police Officers) and the ABI (Association of British Insurers) agreed a ‘memorandum of understanding’, a process by which crime reports could be provided:
• Appendix D – with consent and upon payment of a fee (over £100)
• Appendix E – where fraud was suspected, no consent was required and no fee payable
To this day we encounter constabularies who do not understand the process, those who appear not to accept fraud allegations and at least one who it is said refuses to deal with requests based on a capacity issue - they can only resource dealing with Freedom of Information requests and Court Orders.
We have taken this up with the City of London police being concerned the process is failing insurers and their insureds; the victims of crime. It transpires the MoU is under review the principle reasons for this being:
• Police resources
• Constabularies require more assurances from insurers before releasing data
As a result, we can expect ‘guidance’ across constabularies as an MOU is unlikely to be accepted nationally. This guidance will outline what information can be shared, in which circumstances, under the correct GDPR gateways and recommend a time scale and charging framework. The process is understood to be as follows:
• This month (07/2018), a draft document should have been sent to the ABI for consultation with their members.
• This will then go out to forces following endorsement of the National Crime Operations Coordination Committee.
• Following consultation/rework it will be presented to the NPCC for them to agree the guidelines and cascade to their teams.
• Police services will be asked to nominate which of their teams would be best placed to deal with these requests*
*There is a concern requests are currently sent to the wrong department which compounds matters.
The planned process will be that any insurer / Claims Management Company / third party can submit a request. However, responses will only be sent to SPOCs within the insurance companies that they are working on behalf of, the insurer will then need to disseminate the information. This is to ensure information is only shared with genuine, regulated companies and preclude forces from having to conduct their own due diligence which may free them up to respond to more requests.
Apparently, the ABI are keen to ensure their agreement is specific to them as they ensure a degree of due diligence and regulation for their members, but the same document will also be put to the NPCC on behalf of Lloyds & the Insurance Industry as a whole.
The process will be ‘guidance’ and not a legal document so there will be no enforceable time scales. We are advised it would be unrealistic to expect forces who do not have enough officers to investigate ‘crimes in action’ to sign up for an agreement where they will be further penalised for failure to supply information within a set timeframe.
It is hoped that once police services are aware of the appropriate gateways, requests are sent through the correct channels and forces are freed of the requirement to conduct due diligence on every request, they receive they will all be in a better position to expedite requests.
A concern of ours is that no one appears to be considering the victim. At present there appears to be a culture of ‘it is easier to say no’ or ‘jobsworths’; it is more than my job is worth to provide information. The loss of a vehicle represents more than a substantial financial loss and distress, as transportation it can have a devastating effect on the victim’s employment and lifestyle.
(1)The GDPR provisions listed in sub-paragraph (3) do not apply to personal data which consists of a classification applied to the data subject as part of a risk assessment system falling within sub-paragraph (2) to the extent that the application of those provisions would prevent the system from operating effectively.
(2)A risk assessment system falls within this sub-paragraph if
(a)it is operated by a government department, a local authority or another authority administering housing benefit, and
(b)it is operated for the purposes of—
(i)the assessment or collection of a tax or duty or an imposition of a similar nature, or
(ii)the prevention or detection of crime or apprehension or prosecution of offenders, where the offence concerned involves the unlawful use of public money or an unlawful claim for payment out of public money.
(3)The GDPR provisions referred to in sub-paragraph (1) are the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—
(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c).
Information required to be disclosed by law etc or in connection with legal proceedings
(1)The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.
(2)The listed GDPR provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.
(3)The listed GDPR provisions do not apply to personal data where disclosure of the data—
(a)is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
(b)is necessary for the purpose of obtaining legal advice, or
(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
to the extent that the application of those provisions would prevent the controller from making the disclosure.