I'd welcome any comments anyone on the list has either as a data subject or
as an employer / employer's consultant regarding two scenarios below linked
to sensitive personal data held by employers being disclosed to Insurers.
I believe it is argued that Personnel files and possibly payroll files are
subject to a common law duty of confidence between employer and employee.
If so then it appears to follow that an employer may need consent to
disclose to a third party such as an Insurer if such disclosure processing
is to be lawful.
Below are two situations linked to disclosures to insurers which appear to
me to need consideration in most employment contracts.
1: With the new stakeholder pension I believe employers with more than 5
employees now have to offer a Pension Scheme. Commission restrictions on
scheme administrators such as insurers are limited to 1%. To ensure such
schemes can be run profitably we will see increasing electronic interfaces
between HR payroll records and insurers, possibly sponsored by insurers.
Trustees of the Pension schemes as a potential data controller may need to
ensure notices are issued via the employer to its employees to declare the
potential disclosure to the insurer / scheme administrator. (e.g.
administration activity occurring on a member's pension due to early retirement
through ill health)
2: As most Employers also need to have Employer liability (EL) insurance,
Insurers' claims divisions will request all files held by the employer to
enable them to assess claims made against the policy by the employer e.g.
Personal Injury claims from employee. Such files will contain 'sensitive
data'.
Insurers are already finding increasing numbers of queries from employers as
to their ability to disclose sensitive data given most have forgotten to
notify their employees of this potential future disclosure when recruiting.
Any employer who has failed to obtain adequate consents prior to claims
arising has a difficult decision to make.
a) Handle the claim themselves
b) Try to obtain subsequent consent from a disgruntled employee / ex
employee
c) Disclose anyway which may lead to a dispute of unlawful processing if the
personal data disclosed was subject to a duty of confidence.
An insurer's reaction will be either
i) Increased premiums for employers.
ii) A clause placed in EL insurance contracts which obliges employers to get
the necessary consent from employees to permit disclosure of any data
requested by the insurer.
Any comments / observations regarding the above welcomed specifically in
relation to questions below:
a) Does anyone see any arguments why the disclosures indicated in 1 and 2
below would not need a notice to be given by an employer to their employees?
(Do many employers give such notices currently?).
b) Should the employer get employee consent to the disclosure to Insurer and
is the identity of the Insurer required in such notices?
c) Can consent to the disclosure be refused by an individual and if so on
what basis?
David Wyatt
(DP Manager Norwich Union)