We summarise the importance of data security for insurance brokers and highlight some basic measures to minimise the risk of security breaches.
Storing files electronically on a plethora of devices and networks is the norm in business today, but offers greater opportunities for illegal access than ever before.
Insurance brokers hold a wealth of valuable information on their customers (whether individuals or businesses), and depending on how this data is stored, properly managing and securing it to current standards can prove to be a major challenge.
Your responsibilities under Data Protection regulations
The use, storage and disposal of data, in whatever format, comes under the Data Protection Act 1998, which puts the onus on companies that handle data (including all insurance brokers) to implement rigorous security measures.
By law, companies that process personal information must register as a “Data Controller” annually with the Information Commissioner, the body tasked with ensuring businesses comply with the Data Protection Act. The current registration fee is £35 and the register can be searched here.
There are eight key principles enforced by the Act, whereby companies must ensure that personal data is:
- Processed fairly and lawfully
- Obtained for a specified and lawful purpose
- Adequate, relevant and not excessive
- Accurate and where necessary, up to date
- Retained only for as long as is necessary
- Processed in accordance with the subject’s rights
- Kept secure from unauthorised and unlawful processing and protected against loss and damage
- Kept within the European Economic Area
Distinction between personal and sensitive data
Personal data is defined as any information that can uniquely identify a person, such as their date of birth or contact details. However, special rules apply to sensitive data, which includes information in specific categories such as physical or mental health conditions and records of criminal proceedings or convictions.
Insurance brokers have an obvious need to ask for sensitive data in order to provide accurate quotes, for example for car insurance.
You should be aware that sensitive data can only be processed “with the explicit consent of, and for the performance of, a contract with the data subject”.
Further guidance on the specific rules regarding the processing of sensitive data can be found here.