Insurers need to exercise caution with Subject Access Requests

Important changes in the law

There was a significant change in the law on 10 March 2015 in relation to Subject Access Requests (SARs) made under the Data Protection Act 1998 (DPA) as the statutory instrument bringing section 56 of the Act into operation came into force. It did so as part of the government’s aims to bring about a package of reforms affecting the operation of the Rehabilitation of Offenders Act 1974. However, the new rules relating to SARs encompass more than applications for criminal record disclosure.

It had sometimes been the case that if there was a suspicion that the policyholder had undeclared criminal convictions, or that the claim itself was suspicious, the insurer would ask the policyholder to complete a SAR. The SAR allows the subject (the policyholder) to obtain data about him or herself from a data controller. Thus the SAR has given the insurer the ability, vicariously through the policyholder completing the SAR, to access personal data on the policyholder from a data controller.

Typically this may be used to obtain criminal conviction details and data held on a subject by a police force, but it had other uses - for example, in obtaining DVLA documentation, benefits documents or employment documentation. A SAR could basically be used to attempt to obtain data from any data controller.

From 10 March 2015 it has become a criminal offence punishable by unlimited fine to require an individual to make a SAR under the circumstances as set out in Section 56 of the Data Protection Act 1998. The important subsection from an insurer’s perspective is s.56(2):

A person concerned with the provision (for payment or not) of goods, facilities or services to the public or a section of the public must not, as a condition of providing or offering to provide any goods, facilities or services to another person, require that other person or a third party to supply him with a relevant record or provide a relevant record to him.

The policy of insurance will be a contract for services. So an insurer cannot ‘require’ a policyholder to complete a SAR in order to obtain a ‘relevant record’ as a condition of indemnifying a claim or writing the insurance in the first place.

A wide interpretation of ‘require’

The Information Commissioner’s Office (ICO) has already said that it is taking a broad interpretation of what ‘require’ means under s.56. At its most basic, this means to ‘make necessary’. However, the ICO says anything that would leave the policyholder in a detrimental position if he or she does not complete a SAR would be determined by the ICO to be a ‘requirement’. It is not dependent upon the actual withdrawal of the service (the insurance). The ICO has also said that it can cover circumstances where the subject is ‘asked’ or ‘invited’ to make a SAR.

Therefore insurers now need to be extremely cautious and to seriously consider whether in any case it would be appropriate to ask a policyholder to complete a SAR for a relevant record.

What is a ‘relevant record’?

Within s.56(6) of the DPA there is a table of what constitutes a relevant data controller and a relevant record. The list is quite extensive, but it essentially covers any SAR that may reveal criminal convictions or periods of incarceration. For example, it will include a SAR made to a chief officer of a police force for data as to convictions or cautions, or a request to the Secretary of State for Justice seeking data recording whether a person has been in detention. However, the table also includes requests on the subject matter of social security benefits paid under various acts.


There are very limited defences to committing an offence under s.56(3), one being that the request is ‘in the public interest’. However, the DPA makes it clear that a request is not in the public interest simply because it is for the prevention or detection of crime.

Another defence is where the imposition of the requirement was required or authorised by or under any enactment, by any rule of law or by order of the court. Therefore, this potentially gives insurers an opportunity to obtain a court order for a SAR in contested proceedings, but this will remain difficult because even a solicitor asking for a SAR could arguably constitute a breach of s.56. Whilst currently untested, it could be necessary to ask the court to make the order without first requesting the SAR from the policyholder, but the court may be very reluctant to make such an order simply to circumvent s.56.


The message must be that any insurer is playing quite a dangerous game asking any policyholder to complete a SAR without an intimate knowledge of s.56. As a result, it is probably best avoided without first obtaining legal advice.

There has been concern that this could leave insurers disadvantaged because the only way that they can now independently verify criminal convictions is to ask a policyholder to complete ‘basic disclosure’ via the process which is to apply to Disclosure Scotland (who are tasked with supplying UK wide basic disclosure). The problem with this approach is that it will not tell the insurer if there are any spent convictions (or give any other criminal intelligence). So it is quite feasible (particularly as many quite serious offences lead to convictions now being spent after only 6 months) that the policyholder has failed to disclose a conviction on inception and that the insurer is unable to find out about it because it is spent by the time of the claim.

But in reality the inability to request certain types of SARs may not affect insurers too much. Insurers tend to take their policyholders at face value with regard to criminal convictions. Should they uncover undisclosed convictions or criminal activities by other means (typically newspaper or internet reports or other intelligence), then as long as those convictions were not spent at the time of inception the insurer could seek to adduce its evidence of them and rely upon that.

The main way the new law will affect insurers is if they inadvertently breach it, which could then have serious criminal ramifications. Clear training and instruction is appropriate in the circumstances where an unlimited fine is the potential penalty.


For further information please contact Paul Holmes, Partner on 0113 261 6521 or at paul.holmes@dwf.co.uk

By Paul Holmes

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.