Our services. In the course of undertaking inquiries and reporting to your insurer, we will receive information about you.
Your personal information is very important to us and we treat the privacy of your information seriously. Please read this policy carefully as it explains what information we are gathering, how we will use it and demonstrates our commitment to your personal privacy.
As of 25/05/2018, GDPR (General Data Protection Regulation) will apply to all EU member states. GDPR is intended to give greater protection and rights to individuals, especially those who allow companies to use their personal information in exchange for ‘free services’.
We (CMA) do NOT use personal information in exchange for free services. We do not sell your data, we do not use it other than in relation to processing claims – this is our purpose, what we do.
Your insurer, our client, employs CMA to manage claims. We provide greater visibility and control of the data we manage. This is a reason your insurer engages with us – both you and they can trust CMA to use your data responsibly.
We maintain appropriate technical, physical and organisational security measures to protect against any unauthorised access or damage to, or disclosure or loss of, your information. We hold ISO 27001 (formally known as ISO/IEC 27001:2005), a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes. We are audited externally in June each year, not because we have to be but because we elect to be.
Recipients or Categories of Recipients of The Personal Data
Recipients to whom your information is disclosed will include ‘relevant parties’:
- your insurer and / or their subsidiaries, legal representatives, underwriters, brokers and / or public authorities (such as the police, ambulance service and DVLA), as is necessary to perform our instructions
- potentially other insurers
- finance companies (where appropriate or necessary)
- possibly those associated with your vehicle (vendor, previous keepers, mechanics etc.)
- our agents tasked with fulfilling our instructions
- those parties who demonstrate a valid reason by virtue of sections 29(3)* and / or 35(2)* of the Data Protection Act 1998, or
- where required to by law.
In the event you have reasonable grounds for us not to disclose your information to a relevant party you are asked to email using the above contact details.
Why do we possess your information?
We will use your information to facilitate and complete your claim and, if necessary, may disclose your personal information to a third party or provider to do so, for the following reasons:
- It is necessary for the performance of the service we provide you and / or your insurer
- It is necessary to meet a legal or regulatory obligation we may face
- Where we have a legitimate business interest to use your information
- Where you have given your insurer and / or us your consent
What is your data used for?
To process and conclude your claim. For example, we will review what you disclosed at proposal and compare this with information you supply and we obtain.
The Existence of Automated Decision Making, Including Profiling and Information About How Decisions are Made, the Significance & Consequences.
Claims handling is an information-led activity, and information assurance is fundamental to how CMA manages many of the challenges faced today. It is vital for maintaining client and subject confidence and for the efficient, effective, safe and secure conduct of services. Without robust information assurance governance and processes, there is a significant risk of compromise, potentially leading to the facilitation of crime, financial loss, damage to organisational reputation and, consequently, a reduction in confidence. Having traded for 23 years, we at CMA are understandably proud of our heritage and reputation, particularly with regard to the reasonable and responsible use and safeguarding of data.
Once in force, the European Union General Data Protection Regulation (GDPR) will require companies offering products or services to European Union residents to adhere to a strict set of data privacy and security measures. Whilst CMA provides services to companies, as opposed to individuals, the requirements apply equally to our business partners, such as your insurer.
CMA has long embraced the Data Protection principles and takes Data Protection seriously. Since 2011, without obligation to do so, we have ensured ISO27001 compliance and held the accreditation.
Information Security Framework
CMA has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Our information security framework represents a collection of best practices accumulated by professionals. Security is addressed by IT professionals and by our embracing ISO 27001, an accepted industry standard requiring annual audit. Additionally, we hold ISO 9001, the international standard that specifies requirements for a quality management system (QMS). Organisations use the standard to demonstrate the ability to consistently provide products and services that meet customer and regulatory requirements.
Identifying Personal Data & “Special” Data
CMA does not ‘monitor IT systems’ and is not involved in, and does not engage in, the tracking of network-attached devices or mobile devices. The personal data we obtain and retain is, in the main, that supplied or required to be supplied for the issuance of a policy and the subsequent processing of it, in particular with regard to claims.
We do not seek or hold:
- genetic or biometric data
- data revealing racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade-union membership
- data concerning a person's sex life or sexual orientation
We have no interest in the above, save where it is directly related, or believed to be related, to a specific claim; for example, where a loss is reasonably believed to have been motivated by one or more of the above.
We may hold personal health information where this is disclosed to us, or is pertinent to enquiries we are asked to undertake or to a loss. For example, where an incident arises because of (or on reasonable suspicion of) a health-related issue, or where the subject has a responsibility to disclose the information to comply with the terms and conditions of a contract (insurance policy).
Information is stored ‘in the cloud’ and as such is subject to our information security program. The cloud storage is secure; the details are available to our clients but are not publicly shared, to reduce the opportunity for compromise.
Data Protection Impact Assessment
We are one of the few Loss Adjusters to have adopted the ISO standards. For more than 5 years we have held ISO 27001, the international information security standard. An impact assessment is conducted annually. ISO 27001 is the international standard that describes best practice for an ISMS (information security management system) and demonstrates CMA is following (and has been well before GDPR) information security best practice. ISO 27001 delivers an independent, expert assessment of whether our data is adequately protected and is supported by a code of practice for information security management, ISO 27002.
Risk Mitigation Actions
We have evaluated the risks inherent in the processing of personal data and implemented risk mitigation measures.
Cloud data is encrypted. Encryption is an exception to the requirement that controllers notify data subjects in the event of a personal data breach.
We have implemented security measures that include the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. The ways in which information is stored, accessed, modified and transferred have been crafted so that a single failure or manipulation does not cause downstream consequences that are detrimental to the system or that allow for exploitation/modification of information.
Business Continuity & Disaster Recovery Plan
CMA has long had in place plans that are made available to our clients. In the event of a data breach, our controller is able to report to the relevant supervisory authorities without undue delay and where relevant, notify data subjects. A processor is able to notify the controller about the nature and details of the breach, contact information for the data protection officer, the likely consequences of the breach and what measures have been taken (or are proposed) to address the breach, including efforts to mitigate adverse effects.
Our correspondence displays ISO accreditation:
- 9001 - the international standard that specifies requirements for a quality management system (QMS)
- 14001 - the international standard that specifies requirements for an effective environmental management system (EMS)
- 27001 - the international standard that describes best practice for an ISMS (information security management system)
We have long demonstrated to our clients and their data subjects, compliance with regulations surrounding the processing operations by controllers and processors. CMA will give due consideration to pursuing the ‘European Data Protection Seal’. However, there is neither a published timetable for the development and release of the certification mechanism, nor is there an indication of its requirements. The certification process may resemble current certification or attestation processes such as ISO 27001, held by CMA since 2011.
Right to be Forgotten
Under current EU law, data subjects have the right to access personal data that a controller has about them and, if the processing is not in compliance with the law, to have that data rectified, erased or blocked. Under Article 16 of the Regulation, the data subject also has the right of rectification and, under Article 17, to have personal data erased simply because it is no longer necessary for the controller to have it; commonly referred to as the “right to be forgotten.” Given how often data is simply archived rather than deleted, it is relatively easy for a business to compile a mass of information much of which is extraneous. With storage costs no longer being prohibitive there can often be a ‘just in case’ or ‘why not?’ approach to data retention.
CMA has a dynamic approach; at the heart of our data handling is core claims handling (CHandler) software that links the various components about which we retain data. We often refer to these as ‘VALIANT’:
- Vehicle / VRM
- At (date & time)
- Name / DoB
- Telephone / contact
‘Weeding’, or automated removal of information, occurs at the expiry of 7 years. This is deemed a necessary and reasonable period: 6 years for potential Court proceedings plus a year.
In addition to Article 28.3 contractual obligations, as a processor we recognise that we have additional responsibilities under the GDPR. We will:
- only act on the written instructions of the controller (Article 29);
- not use a sub-processor without the prior written authorisation of the controller (Article 28.2);
- co-operate with supervisory authorities (such as the ICO) in accordance with Article 31;
- ensure the security of our processing in accordance with Article 32;
- keep records of our processing activities in accordance with Article 30.2;
- notify any personal data breaches to the controller in accordance with Article 33;
- maintain a nominated data protection ‘single point of contact’ (SPoC), albeit we are not required to appoint a Data Protection Officer (DPO).