Information Sharing Policy

CMA take your privacy seriously and will only use your personal information to administer your claim and to undertake the services we have been instructed to provide.

We will not contact you or share your details other than:

  • In the course or connection with our enquiries
  • Where required by a Court
  • In accordance with sections 29(3) and / or 35(2) of the data Protection Act 1998


This protocol sets out the obligations on CMA staff:

  • to share or disclose information about individuals
  • to maintain confidentiality

It does not impose any new obligations. It reflects current regulations and legislation. This document is an overarching information sharing protocol for CMA.

This protocol has been developed to meet the information security requirements for sharing person identifiable information.


This overarching protocol contains the various requirements regarding safe and secure handling of information. It is supplemented by our individual policies and operational protocols. We have ensured that these requirements are communicated to staff.


We recognise the importance of sharing person identifiable information for improving client services, protecting the public and responding to statutory requirements. We also recognise the importance of having clear guidelines to follow and ensuring that this information is shared in a secure and confidential manner and in accordance with the law, including the common law of confidentiality, the Data Protection Act 1998 (DPA), the Human Rights Act 1998 (HRA). This protocol explains the principles that must be followed to ensure the proper and safe exchange of information.

Legal Requirements

There are legal requirements that must be considered and complied with to ensure an individual's rights are respected. Standards and procedures are in place to ensure CMA do not breach these legal requirements. There is no single source of law that regulates the powers to use and to share person identifiable information. The collection, use and disclosure of personal information are governed by several different areas of law. The main pieces of legislation governing an individual's rights are:

And regarding public Authorities the:

Designated officers

CMA has a Designated Officer responsible for information security, management and confidentiality.

Sharing of information

Organisations may only share person identifiable information about in accordance with the 8 data protection principles contained within the Data Protection Act 1998.  To obtain, use, disclose, share or destroy person-identifiable information, a condition in schedule 2 of the Data Protection Act 1998 must be met. In addition, if the information being used, disclosed, shared or destroyed is sensitive (section 7.2), a condition in schedule 3 of the Data Protection Act 1998 must also be met.

The person requiring information from another organisation should submit their request in writing through the Designated Officer.

CMA are members of the Insurance Fraud Investigators Group (IFIG


Routine and non-routine information sharing

A routine disclosure of person identifiable information is one that happens as a matter of course and is usually essential for the smooth running of a business, the provision of a service – e.g. processing and progressing a claim.  You are advised that routine sharing will take place.

Non-routine sharing of information is sharing that does not happen as a matter of course – e.g. police requests for information. Non-routine sharing will generally be authorised by the Designated Officer.  However, this is unnecessary where it is demonstrated that the activity satisfies the requirements of sections 29(30 and 35(2) of the Data Protection Act 1998.

Errors or Omissions

There will be occasions when information we hold about an individual will be incorrect.  Where this occurs, we wish to act quickly to address the anomaly.  Should you become aware of any mistakes in the information we possess, please email us and we will correct the data.

We will only process a subject’s information in the course of connection with claims.  However, if a subject wishes us to change their preference regarding the use of their personal information they need only email us.  You should have no concerns in respect of your personal details being passed to another; we are not involved in any direct marketing, we do not sell on data and it is not routinely provided to any third party.

Sensitive information

  • CMA recognise the sensitivity of information about the following:
  • racial or ethnic origin
  • political opinions
  • religious or other similar beliefs
  • trade union membership
  • physical and mental health
  • sexuality
  • criminal offences and proceedings

Lawfulness of processing conditions

For processing to be lawful under the GDPR we believe the most relevant basis, the most applicable 'condition for processing', under the DPA to be:

6(1)(b) –  Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract

However, in many if not all instances, our clients, insurers, will have obtained a subject's consent concerning the use and processing of personal data in relation to claims handling and the associated investigation.


The Data Protection Act 1998 specifies that personal identifiable information should only be used for specific purposes and shared only for justifiable reasons.

Consent is required from all persons whose information is to be shared with other organisations unless there are statutory grounds or other overriding justification for doing so (see exemptions 7.4). This protocol recommends that consent should be in permanent form (i.e. written) and should not be assumed or implied. However, where instructed by an insurer, it will be reasonably assumed that consent has been given at proposal or claim stage. Consent is obtained by our client, usually the subject's insurer. 

Explicit consent should always be gained (subject to exemption) in relation to the sharing of person identifiable information save where an exemption applies or to do so is reasonably believed to amount to ‘tipping off’.

In seeking consent to disclose personal information to another agency party to this protocol, the individual will need to be made fully aware of:

  • the nature of the information that will be shared
  • who the information will be shared with
  • the purposes for which the information will be used
  • other relevant details including their right to withhold or withdraw consent
  • the potential consequences of not sharing information

In addition to the above, CMA’s sharing the information should:

  • anonymise or pseudo-anonymise the data wherever possible
  • keep disclosures proportionate
  • ensure that there is a justifiable need to know

Other exemptions to gaining consent

There will be a limited number of situations when consent will not be required to share person-identifiable information. The advice and authorisation of the Designated Officer will generally be sought prior to the sharing of information without consent taking place, save where sections 29(3) and / or 35(2) of the Data Protection Act 1998 are satisfied. The main circumstances where sharing without consent occurs are where:

  • informing the client would be likely to prejudice the detection and prevention of crime
  • informing the client would be likely to mean national security would be compromised
  • informing the client would be likely to prejudice regulatory functions conferred by enactment
  •  disclosure is required by enactment, or for legal proceedings or for the obtaining of legal advice

Police requests for personal identifiable information will be processed in accordance with section 29. Non police requests will be be processed in accordance with sections 29(3) and / or section 35(2) as appropriate. 

Recording of disclosure

CMA has procedures in place for recording the details of the information sought and disclosed.

Onward transmission of person identifiable information

CMA possesses and pursues data on behalf of their client and any recipient must undertake not to disclose it without our consent or that of the data owner, our client. Recipient organisations should have procedures in place to ensure the safe and secure transportation of person identifiable information.

Organisational Responsibility

CMA will ensure that:

  • all staff are made aware of information security and confidentiality issues and the need to follow this protocol
  • the Designated Officer is widely known within the organisation
  • requests for information are responded to within a reasonable time scale, as agreed in local/specific protocols