This is not an easy one the legal relationships between the parties is the
key along with statutory obligations.
Employer liability insurance is a contract between the Insurer and the
Employer not the Insurer and the Employee. So the emphasis by Charles has to
be turned to the Employer / employee relationship. As there is a statutory
obligation on the majority of employers to obtain Insurance in case they
cannot cover their liability the onus is on the employer to ensure their
staff are advised of the disclosures they will be requested to make by the
Insurer should the employer choose to make a claim from their Insurer.
(There is no obligation to raise any claim under an Insurance policy).
I enclose an extract of an amendment (1998) to the Employer Liability
(Compulsory Insurance) Act 1969 which links to the Insurers right to obtain
data which may not have been obtained in compliance with the DPA 98. See
http://www.hmso.gov.uk/si/si1998/19982573.htm ) which govern contract terms
placed on insurers being unable to void including a lack of provision of
information. (See section 2d)
Prohibition of certain conditions in policies of insurance
2. - (1) For the purposes of the 1969 Act[4], there is prohibited in
any contract of insurance any condition which provides (in whatever terms)
that no liability (either generally or in respect of a particular claim)
shall arise under the policy, or that any such liability so arising shall
cease, if-
(a) some specified thing is done or omitted to be done after the happening
of the event giving rise to a claim under the policy;
(b) the policy holder does not take reasonable care to protect his employees
against the risk of bodily injury or disease in the course of their
employment;
(c) the policy holder fails to comply with the requirements of any enactment
for the protection of employees against the risk of bodily injury or disease
in the course of their employment; or
(d) the policy holder does not keep specified records or fails to provide
the insurer with or make available to him information from such records.
An employer can therefore withhold all personal data from the Insurer if
they have failed to obtain it correctly under DPA98. Section 2d makes it
clear an employer is under no statutory obligation to supply the Insurer
(possibly because they have not notified employees of the holding or
obtained their consent to disclose any medical data beyond the employer).
Therefore DPA Sch3 Condition 2 cannot be used by the employer as their
processing condition to hold sensitive data on employees by reference to
their Insurance obligations. They may have other statutes however e.g.
health and safety related. As far as passing data to Insurers Sch 3 clause 6
comes into play. This begs the question whether consent is ever needed for
medical data to be passed to Insurers or solicitors where the use is purely
to assess a contested claim.
Solicitors can be acting for either the Insurer / Employer or the data
subject. If the data flow is sought via court process so each can prepare
their case the DPA will not stand in the way via section 35 (statutory due
to court disclosure processes) and its linkage to non-disclosure (27(4)).
27(4a) appears to indicate in this circumstance not even a fairness notice
to a data subject is required. However the claim appears to need to be a
contested claim relying on a court process requiring disclosure of evidence
in readiness for a case. Claims which do not get this far, e.g. agreed
amicably, presumably rely on data subject consent to allow sharing of
physical or mental health data. In many cases I find that Insurers are
supplied with an entire personnel file simply because the employer does not
screen to supply only that which is relevant to the claim. This is a
nightmare for subject access and registration processes within the Insurer.
How many of those on this group can find any reference in their employment
contract that their employer who is under a statutory obligation to take out
insurance cover will disclose your personnel history to their insurer. If
such a notice is not given then consider how you would approach your claim
against the employer knowing that your employer has not obtained your
consent and potentially may not be able to rely on Sch 3 6 to disclose
without ensuring the process goes to court.
Could see some arguments raised under Section 13 by data subjects in
relation to employers disclosing sensitive data to their Insurers without
having complied with the Acts principles. The Insurer will use their
resources to assist their policyholder (employer) and a priority would be to
attempt to reduce the claim against their policyholder by demonstrating from
the data where possible that the employee(data subject) may have an element
of contributory negligence in their loss or injury. Clearly the employer
does not wish to face a premium rise which may come about through proof of
their negligence so may have a conflict of interest in the set of data
provided e.g suppress that which proves they were negligent such as records
where an employee had previously notified their employer that they had a bad
back but were given a lifting job. This is why cases go into court for full
disclosure of evidence.
As a consultant my advice emphasis would be different depending who my
customer was :
From an Insurers view I would recommend that they make reference to their
policyholders obligation under DPA to obtain consent to disclosure data on
their employees when the contract is sold to avoid conflicts arising when a
claim subsequently occurs.
If advising an employer I would point out their risks in relation to the
potential rises to their Insurance premium if they failed to sort out fair
processing.
If advising a data subject I would suggest that they point their solicitor
at the employers DPA obligations to see if they can win they case due to
inadmissible evidence assuming employer has not complied with DPA in
disclosing files to their Insurer.
In relation to conflicts of interest what do I do as a data subject working
for an employer who insurers with one of their own group companies :). All
comments gratefully received.
David Wyatt
.
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]]On Behalf Of Neil Chadwick
Sent: 22 January 2001 09:02
To: [log in to unmask]
Subject: Re: Insurance etc.
This would not be the case with third party liability insurance (which
accounts
for a large number of cases a year for us). For example where a member of
the
public makes a claim against the authority. The Authority would claim from
its
own liability insurance but would have to pass on details of the member of
the
public. Obviously the claimant would be informed about this but would it be
seen as informing the claimant if this was done via their solicitor?
Charles Prescott (19/01/01 6:52 pm):
>Shouldn't the notification, and prior consent, be in the insurance policy
or
other document presented to the individual at the time the take out the
insurance? If it is sensitive information, a signature providing proof of
the
consent may be necessary.
>
>Neil Chadwick wrote:
>
>> Our insurance manager tells me that we often receive claims from members
of
the public or staff via their soliciter. In order to process these we need
to
exchange sensitive personal data with a number of organisations (medical,
insurance companies etc.). To fully comply with the first principle we
would
have to inform the data subject of these disclosures.
>>
>> If we inform the data subject's soliciter of these disclosures as the
soliciter is representing the subject have our obligations been met or do we
have to inform the data subject directly?
>>
>> Any thoughts?
>>
>> Neil
>>
>> ___________________________
>> Neil Chadwick
>> Stoke-on-Trent City Council
>
>--
>Charles A. Prescott
>Vice President, International Business Development & Government Affairs
>Direct Marketing Association
>1120 Avenue of the Americas
>New York, NY 10036
>USA
>Tel.+1.212.790-1552
>Fax.+1.212.790.1449
>e-mail: [log in to unmask]
>e-mail: [log in to unmask]
>
>
>
|