Typically, your insurer will have explained that they share data with us, as loss adjusters, for the purposes of handling claims, as is necessary for the performance of a contract between you and them.
Use of our web site.
In the course of undertaking inquiries and reporting to your insurer, we will receive information about you. Your personal information is very important to us and we treat the privacy of your information seriously. Please read this policy carefully, as it explains what information we gather and how we will use it, and demonstrates our commitment to your personal privacy.
As of 25/05/2018, GDPR (General Data Protection Regulation) will apply to all EU member states. GDPR is intended to give greater protection and rights to individuals, especially those who allow companies to use their personal information in exchange for ‘free services’.
We (CMA) do NOT use personal information in exchange for free services. We do not sell your data, we do not use it other than in relation to processing claims – this is our purpose, what we do.
Your insurer, our client, employs CMA to manage claims. We provide greater visibility and control of the data we manage. This is a reason your insurer engages with us – both you and they can trust CMA to use your data responsibly.
We maintain appropriate technical, physical and organisational security measures to protect against any unauthorised access or damage to, or disclosure or loss of, your information. We maintain an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.
Recipients or Categories of Recipients of The Personal Data
Recipients to whom your information is disclosed will include ‘relevant parties’:
• your insurer and/or their subsidiaries, legal representatives, underwriters, brokers and/or public authorities (such as the police, ambulance service and DVLA), as is necessary to perform our instructions
• potentially other insurers
• finance companies (where appropriate or necessary)
• possibly those associated with your vehicle – vendor, previous keepers, mechanics etc.
• our agents tasked with fulfilling our instructions
• those parties who demonstrate a valid reason by virtue of sections 29(3)* and/or 35(2)* of the Data Protection Act 1998, or
• where required to by law.
* the ‘enabling sections’ of the DPA
In the event that you have reasonable grounds for us not to disclose your information to a relevant party, you are asked to email us using the above contact details.
Why do we possess your information?
We will use your information to facilitate and complete your claim and, if necessary, may disclose your personal information to a third party or provider to do so, for the following reasons:
• It is necessary for the performance of the service we provide you and/or your insurer
• It is necessary to meet a legal or regulatory obligation we may face
• Where we have a legitimate business interest to use your information
• Where you have given your insurer and/or us your consent
What is your data used for?
To process and conclude your claim. For example, we will review what you disclosed at the proposal and compare this with the information you supply and what we obtain.
What information do we collect about you?
- name, address and address history, date of birth
- contact details, including telephone numbers and email address
- details about your family and dependents (e.g. your marital status and number of children) where pertinent to a claim / policy
- information about your lifestyle – your employment details and possibly home ownership
- sensitive personal information such as criminal convictions, health details and medical history for the purposes of considering your claim and reporting to your insurers concerning your policy or processing claims, or details of any court or judgements for the purposes of preventing, detecting and investigating fraud.
- we collect vehicle details such as registration number & Driving Licence Number
- public record enquiries and information you have consented to disclose for example electoral register data that may confirm your identity and address (which is publicly accessible).
- data from other sources where we believe this is necessary to administer or validate policies or claims; investigate fraud; or assist with settlement/claim negotiations. This may include consulting publicly available online information such as public registers, social media and other online sources.
HOW WE COLLECT INFORMATION ABOUT YOU
Most of the personal information we hold about you is that which is provided by your insurer (at the point of policy inception or claim) and that which we collect directly from you.
Automated Decision Making, Including Profiling and Information About How Decisions are Made, the Significance & Consequences.
Claims handling is an information-led activity, and information assurance is fundamental to how CMA manages many of the challenges faced today. It is vital for maintaining client and subject confidence and for the efficient, effective, safe and secure conduct of services. Without robust information assurance governance and processes, there is a significant risk of compromise, potentially leading to the facilitation of crime, financial loss, damage to organisational reputation and, consequently, a reduction in confidence. Having traded for 25+ years, we at CMA are understandably proud of our heritage and reputation, particularly with regard to the reasonable and responsible use and safeguarding of data.
The European Union General Data Protection Regulation (GDPR) requires companies offering products or services to European Union residents to adhere to a strict set of data privacy and security measures. Whilst CMA provides services to companies, as opposed to individuals, the requirements apply equally to our business partners, such as your insurer.
CMA has long embraced the Data Protection principles and takes Data Protection seriously.
Information Security Framework
CMA has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Our information security frameworks represent a collection of best practices accumulated by professionals. Security is addressed by IT professionals.
Identifying Personal Data & “Special” Data
CMA does not ‘monitor IT systems’ and does not engage in the tracking of network-attached devices or mobile devices. The personal data we obtain and retain is, in the main, that supplied or required to be supplied for the issuance of a policy and the subsequent processing of this, in particular with regard to claims. We do not seek or hold:
• genetic or biometric data
• data revealing racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade-union membership
• data concerning a person’s sex life or sexual orientation
We have no interest in the above, save where it is directly related or believed to be related to a specific claim; for example, where a potential cause of a loss is reasonably believed to be motivated by one or more of the above, such as a hate crime possibly based on ethnicity.
We may hold personal health information where this is disclosed to us, or where it pertains to enquiries we are asked to undertake or to a loss. For example, where an incident arises because of (or on reasonable suspicion of) a health-related issue, or there exists a responsibility for the subject to disclose the information for compliance with the terms and conditions of a contract (insurance policy).
Information is stored ‘in the cloud’ and as such subject to our information security program. The cloud storage is secure, the details of which are available to our clients but not publicly shared to reduce the opportunity of compromise.
Risk Mitigation Actions
We have evaluated the risks inherent in the processing of personal data and implemented risk mitigation measures.
Cloud data is encrypted. Encryption is an exception to the requirement that controllers notify data subjects in the event of a personal data breach.
We have implemented security measures that include the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. The ways in which information is stored, accessed, modified and transferred have been crafted so that a single failure or manipulation does not cause downstream consequences that are detrimental to the system or that allow for the exploitation/modification of information.
Business Continuity & Disaster Recovery Plan
CMA has long had in place plans that are made available to our clients. In the event of a data breach, our controller is able to report to the relevant supervisory authorities without undue delay and where relevant, notify data subjects. A processor is able to notify the controller about the nature and details of the breach, contact information for the data protection officer, the likely consequences of the breach and what measures have been taken (or are proposed) to address the breach, including efforts to mitigate adverse effects.
We have long demonstrated to our clients and their data subjects compliance with regulations surrounding the processing operations by controllers and processors.
Right to be Forgotten
Under current EU law, data subjects have the right to access personal data that a controller has about them and, if the processing is not in compliance with the law, to have that data rectified, erased or blocked. Under Article 16 of the Regulation, the data subject also has the right of rectification and, under Article 17, to have personal data erased simply because it is no longer necessary for the controller to have it; commonly referred to as the “right to be forgotten.” Given how often data is simply archived rather than deleted, it is relatively easy for a business to compile a mass of information much of which is extraneous. With storage costs no longer being prohibitive there can often be a ‘just in case’ or ‘why not?’ approach to data retention.
CMA has a dynamic approach; at the heart of our data handling is core claims handling (CHandler) software that links the various components we retain data about. We often refer to these as ‘VALIANT’:
• Vehicle / VRM
• At (date & time)
• Name / DoB
‘Weeding’ or automated removal of information occurs at the expiry of 7 years. This is deemed a necessary and reasonable period; 6 years for potential Court proceedings plus a year.
In addition to Article 28.3 contractual obligations, as a processor, we recognise that we have additional responsibilities under the GDPR. We will:
• only act on the written instructions of the controller (Article 29);
• not use a sub-processor without the prior written authorisation of the controller (Article 28.2);
• co-operate with supervisory authorities (such as the ICO) in accordance with Article 31;
• ensure the security of our processing in accordance with Article 32;
• keep records of our processing activities in accordance with Article 30.2;
• notify any personal data breaches to the controller in accordance with Article 33;
• maintain a nominated data protection ‘single point of contact’ (SPoC), albeit we are not required to appoint a Data Protection Officer (DPO).
It is necessary for us to have a valid lawful basis in order to process personal data. Given that we act for insurers, dealing with their insureds, seeking to progress insurance claims related to and commonly intended to benefit individuals, it is obvious that we need to, and must, use personal information.
There are six available lawful bases for processing, most of which require that processing is ‘necessary’ for a specific purpose. Clearly, we cannot reasonably carry out enquiries in relation to an insurance claim, and report upon the same, without the processing.
As a data processor, we are acting for the data controller, an insurer who has a contract with you. Ours is a legitimate interest on behalf of an insurer, and there is no other reasonable way to achieve our purpose without processing the data.
We may store and use your personal information for the purposes of:
- reviewing your insurance quotes and policies (as is necessary for the performance of a contract between you and insurers and/or as is necessary for our legitimate interests);
- carrying out anti-fraud and anti-money laundering checks and verifying your identity (as is necessary for compliance with insurers’ legal obligations and/or as is necessary for an insurer’s legitimate interests);
- assessing financial and insurance risks;
- handling insurance claims, including by carrying out checks on claims-related databases (as is necessary for the performance of a contract between you and your insurers and/or as is necessary for their legitimate interests);
- communicating with you about your claim(s), including responding to your enquiries (as is necessary for the performance of a contract between you and your insurer and/or as is necessary for their legitimate interests);
- potentially administering, and helping to recover, monies you owe us under a contract or otherwise (as is necessary for the performance of a contract between you and your insurer and/or as is necessary for their legitimate interests).
Our “legitimate interests” as referred to above include our legitimate business purposes and commercial interests in operating our business in a customer-focused, efficient and sustainable manner, in accordance with all applicable legal and regulatory requirements of our insurer clients.
USING YOUR PERSONAL DATA FOR MARKETING
We will not use your data for marketing purposes.
We do not pass your information to a third party save where required to do so in furtherance of your claim, i.e. to request information from third parties who may hold information pertinent to your policy and/or claim.
Data Protection legislation gives you certain rights. These include the right to:
- ask us how we use your personal data
- access your personal data
- ask us to correct any information about you that’s out of date, incorrect or incomplete
- tell us that you don’t want us to use your personal data in a certain way
- tell us to delete the personal data we have on file. In some circumstances we will not be able to do this, for example if we’re required to keep the information by law
- ask us to give your data to a third party, e.g. another insurer or claims handling agency
- ask us to temporarily pause processing your data.