Recipients or Categories of Recipients of The Personal Data
Recipients to whom your information is disclosed will include ‘relevant parties’:
- your insurer and / or their subsidiaries, legal representatives, underwriters, brokers and / or Public Authorities (such as the police or ambulance service) as is necessary to perform our instructions
- our agents tasked with fulfilling our instructions
- those parties who demonstrate a valid reason by virtue of sections 29(3)* and / or 35(2)* of the Data Protection Act 1998 or
- where required by law.
In the event you have reasonable grounds for us not to disclose your information to a relevant party, you are asked to email us using the above contact details.
The Existence of Automated Decision Making, Including Profiling and Information About How Decisions are Made, the Significance & Consequences.
Claims handling is an information-led activity, and information assurance is fundamental to how CMA manages many of the challenges faced today. It is vital for maintaining client and subject confidence and for the efficient, effective, safe and secure conduct of services. Without robust information assurance governance and processes, there is a significant risk of compromise, potentially leading to the facilitation of crime, financial loss, damage to organisational reputation and, consequently, a reduction in confidence. Having traded for 23 years, we at CMA are understandably proud of our heritage and reputation, particularly with regard to the reasonable and responsible use and safeguarding of data.
Once in force, the European Union General Data Protection Regulation (GDPR) will require companies offering products or services to European Union residents to adhere to a strict set of data privacy and security measures. Whilst CMA provides services to companies, as opposed to individuals, the requirements apply equally to our business partners, such as your insurer.
CMA has long embraced the Data Protection principles and takes Data Protection seriously. Since 2011, without obligation to do so, we have ensured ISO27001 compliance and held the accreditation.
What is the GDPR?
On May 4, 2016, the official text of the General Data Protection Regulation (the “Regulation”) was published in the Official Journal of the European Union, capping a four-year process to replace the European Union’s principal data privacy and security regime, the Data Protection Directive 95/46/EC (the “Directive”), which had proved inadequate to resolve the challenges posed by changing technology.
Information Security Framework
CMA has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Our information security frameworks represent a collection of best practices accumulated by professionals. Security is addressed by IT professionals and by our adoption of ISO 27001, an accepted industry standard requiring annual audit. Additionally, we hold ISO 9001, the international standard that specifies requirements for a quality management system (QMS). Organisations use the standard to demonstrate the ability to consistently provide products and services that meet customer and regulatory requirements.
Identifying Personal Data & “Special” Data
CMA does not ‘monitor IT systems’ and does not engage in the tracking of network-attached devices or mobile devices. The personal data we obtain and retain is, in the main, that supplied (or required to be supplied) for the issuance of a policy and its subsequent processing, in particular with regard to claims.
We do not seek or hold:
- genetic or biometric data
- data revealing racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade-union membership
- data concerning a person's sex life or sexual orientation
We have no interest in the above, save where it is directly related, or believed to be related, to a specific claim. For example, where a loss is reasonably believed to have been motivated by one or more of the above.
We may hold personal health information where this is disclosed to us or is pertinent to enquiries we are asked to undertake or in respect of a loss. For example, where an incident arises because of (or on reasonable suspicion of) a health-related issue, or where the subject has a responsibility to disclose the information in order to comply with the terms & conditions of a contract (insurance policy).
Information is stored ‘in the cloud’ and as such is subject to our information security program. The cloud storage is secure; the details are available to our clients but are not publicly shared, to reduce the opportunity of compromise.
Data Protection Impact Assessment
We are one of the few Loss Adjusters to have adopted the ISO standards. For more than 5 years we have held ISO 27001, the international information security standard. An impact assessment is conducted annually. ISO 27001 is the international standard that describes best practice for an ISMS (information security management system) and demonstrates CMA is following (and has been well before GDPR) information security best practice. ISO 27001 delivers an independent, expert assessment of whether our data is adequately protected and is supported by a code of practice for information security management, ISO 27002.
Risk Mitigation Actions
We have evaluated the risks inherent in the processing of personal data and implemented risk mitigation measures.
Cloud data is encrypted. Encryption is an exception to the requirement that controllers notify data subjects in the event of a personal data breach.
We have implemented security measures that include the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. The ways in which information is stored, accessed, modified and transferred have been crafted so that a single failure or manipulation does not cause downstream consequences that are detrimental to the system or that allow for exploitation/modification of information.
Business Continuity & Disaster Recovery Plan
CMA has long had in place plans that are made available to our clients. In the event of a data breach, our controller is able to report to the relevant supervisory authorities without undue delay and where relevant, notify data subjects. A processor is able to notify the controller about the nature and details of the breach, contact information for the data protection officer, the likely consequences of the breach and what measures have been taken (or are proposed) to address the breach, including efforts to mitigate adverse effects.
Our correspondence displays ISO accreditation:
- 9001 - the international standard that specifies requirements for a quality management system (QMS)
- 14001 - the international standard that specifies requirements for an effective environmental management system (EMS)
- 27001 - the international standard that describes best practice for an information security management system (ISMS)
We have long demonstrated to our clients and their data subjects compliance with the regulations surrounding processing operations by controllers and processors. CMA will give due consideration to pursuing the ‘European Data Protection Seal’. However, there is neither a published timetable for the development and release of the certification mechanism, nor any indication of its requirements. The certification process may resemble current certification or attestation processes such as ISO 27001, held by CMA since 2011.
Right to be Forgotten
Under current EU law, data subjects have the right to access personal data that a controller holds about them and, if the processing is not in compliance with the law, to have that data rectified, erased or blocked. Under Article 16 of the Regulation, the data subject also has the right of rectification and, under Article 17, the right to have personal data erased simply because it is no longer necessary for the controller to hold it; this is commonly referred to as the “right to be forgotten.” Given how often data is simply archived rather than deleted, it is relatively easy for a business to compile a mass of information, much of which is extraneous. With storage costs no longer prohibitive, there can often be a ‘just in case’ or ‘why not?’ approach to data retention.
CMA has a dynamic approach; at the heart of our data handling is core claims handling (CHandler) software that links the various components we retain data about. We often refer to these as ‘VALIANT’:
- Vehicle / VRM
- At (date & time)
- Name / DoB
- Telephone / contact
‘Weeding’, or automated removal of information, occurs at the expiry of 7 years. This is deemed a necessary and reasonable period: 6 years for potential Court proceedings plus a further year.