GDPR and fraud investigations – don’t panic!

The sharing of information between insurers in the context of investigating claims fraud is crucial. Without that exchange of information, a fraud investigation can be limited, particularly in third party claims where no prior relationship between insurer and claimant exists.

Background

Before the General Data Protection Regulation (GDPR), insurers would share information relevant to claims in line with the Data Protection Act 1998 (DPA 1998). Insurers operated under the ‘prevention or detection of crime’ non-disclosure exception and freely exchanged information without consequence. That information was used effectively detect and evidence dishonesty.

On 25 May 2018, the GDPR came into effect replacing the DPA 1998. The aim of the GDPR is to protect all EU citizens from privacy and data breaches. The Data Protection Act 2018 (DPA 2018) supplements it in the United Kingdom.

There can be serious consequences of processing data and getting it wrong under the GDPR with the top end fines available to the ICO being highly publicised. These fines can be as much as €20m (£18m) or 4% of annual turnover (whichever is the greater), not to mention the damage any adverse publicity would inflict. 

Whilst no sanction has gone anyway near the top of the scale (Google being given a fine of €50m which may sound a lot but equates to only a fraction of their $136bn annual turnover in 2018), there is nevertheless a high level of unease within the industry.

How to share information

Under the GDPR and DPA 2018, the sharing of information is permitted with consent, but this is unhelpful in a fraud investigation. Fortunately there are certain limited circumstances in which the sharing of information is allowed without consent when "…processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party".

What qualifies as a legitimate interest?

Legitimate interest includes:

• Preventing fraud
• Preventing or detecting a crime
• Preventing or detecting unlawful acts
• Necessary for an insurance purpose (the handling of a claim).

It is clear therefore that information can be shared for the purpose of investigating fraud by the legitimate reason of detecting a crime or unlawful act. An insurer can also share information lawfully where it is necessary for an insurance purpose.

Despite the stricter controls on the processing and storing of information that has been introduced since the GDPR, there still remains avenues open to insurers to lawfully share information. The GDPR now specifically provides a basis for insurers to share information which was not envisioned when the DPA 1998 was implemented. As a result, insurers are in a stronger position now than under the old law to share information as part of a fraud investigation into a third party claim. 

In order to protect against GDPR consequences here are some basic steps that you can follow to ensure the continued sharing of data:

• Establish the legitimate interest ground or grounds before sharing information
• Document your thinking – in the unlikely event of an ICO challenge, this will be vital
• Share information only where fraud concerns exist, documenting reasons where you do
• Update your data sharing request forms by specifying the relevant sections of the new law – this will provide the organisation you want information from with legitimate grounds to process the data lawfully and assist you with a fraud investigation

Comments

The introduction of the GDPR and DPA 2018 has not drastically altered the landscape. It remains that insurers can freely exchange information as part of a fraud investigation.

Insurers are able to freely exchange information as they would have done under before and, if anything, the basis for that exchange of information is bolstered by the provisions now set out.

There is no need to panic. Provided the correct process is followed, insurers can continue to exchange information in the continued fight against third party claims fraud.