Practical problems in processing medical information under the GDPR
Insurers and service providers need to comply with the General Data Protection Regulation (GDPR) by 25 May 2018, but as the wording currently stands, it is not workable in respect of processing medical information in an insurance context.
Insurers will want to update their data protection consents on application forms and claim forms to make them GDPR compliant, but we first need to see what derogations the UK government proposes bringing into force to supplement the GDPR.
The Statement of Intent issued by the government on 7 August 2017 seeks to reassure businesses that it is listening to the practical difficulties presented by the GDPR and a draft Bill is expected by September.
One of the provisions of the GDPR is the right for individuals to withdraw consent (the “right to be forgotten”). However, it is fundamental to the operation of life, health, protection and parts of travel insurance products that the insurer will need to process medical information (referred to as “special category” data under the GDPR).
How can such an insurer continue to operate insurance cover if the insured person elects to withdraw their consent?
If explicit consent regarding the processing of medical information is withdrawn, this would, in effect, mean that the insurer would have to justify processing such medical information for “the establishment, exercise or defence of legal claims” (Article 9.2(f)). But medical information would still need to be processed, in the sense of retaining the application form which contains medical information, even before a claim or any dispute has arisen. Further, any claim ultimately presented will be validated by gathering and handling further medical information before it is paid.
It is not entirely clear what the EU intended by the phrase “establishment, exercise or defence of legal claims” and where the line would be drawn. It is used again in recital 52 in the context of the ability to have derogations regarding special categories of personal data:
“A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure” (our emphasis).
One of the difficulties arising from the GDPR is that it was prepared for all industry sectors and one size does not neatly fit all. For the insurance industry to obtain clarity, use of derogations seems the sensible way forward.
A further practical issue for insurers is whether an individual, in this context, can truly be regarded as giving consent for the processing of their medical information (Article 9.2(a)). The GDPR requires consent to be ‘freely given’ (Recital 32 and Article 7). But can consent really be regarded as freely given where in order to have that particular insurance contract the person needs to give consent for processing of their medical information?
The Information Commissioner’s Office provided draft guidance on consent in their 7 October 2016 Code of Practice and gave examples in their March 2017 consultation document:
“…if for any reason you cannot offer people a genuine choice over how you use their data, consent will not be the appropriate basis for processing. This may be the case if, for example…you ask for ‘consent’ to the processing as a precondition of accessing your services…”
“If you require someone to agree to processing as a condition of service, consent is unlikely to be the most appropriate lawful basis for the processing”.
In March 2017, various insurance industry bodies, including the Lloyd’s Market Association and the ABI, proposed a solution in the form of a UK derogation to the GDPR. The purpose of the proposed derogation was to extend the list in Article 9.2.
This was fine-tuned in their May 2017 response to the government’s ‘call for views’. They proposed a new legal ground for processing special categories of data, namely, that the prohibition in paragraph 1 of Article 9 should not apply where:
“(1) the processing is necessary for the arranging, underwriting, and administration of insurance and reinsurance policies and insurance and reinsurance policy claims, and provided the data controller complies with section (2).
(2) the data controller shall implement suitable and specific measures to safeguard the data subject’s rights and freedoms in respect of such processing, being at least providing an explanation of the special categories of data and that it is processed for the purpose set out in Section 1, with the information required under Articles 13 and 14”.
Having a further legal ground would be better than relying on conditional consent. It also recognises that there can be many entities, such as brokers, involved in the insurance chain but only some have direct contact with the data subject for the purposes of obtaining consent.
On 7 August 2017 the government issued a Statement of Intent, intended to give high-level reassurance to businesses and individuals by setting out a plan to ensure a smooth transition to the data protection upgrade both up to and beyond Brexit. A draft Data Protection Bill is promised by September 2017, for actioning when Parliament resumes that month. The message was that the government is:
“…determined to ensure that the GDPR best supports UK interests – for citizens and businesses. The GDPR requires some modification to make it work for the benefit of the UK and the Data Protection Bill will make the necessary changes…”
So the way forward is use of derogations, where appropriate. Further clarification will hopefully be provided in the forthcoming draft Bill, which we await with interest.
Please contact us if you would like sight of the source documents.