I wonder if this is not a transfer of data made "in the interest of the data
subject"and thus permissible without explicit consent, or pursuant to a contract
made "for the benefit of the data subject".
Dave Wyatt wrote:
> This is not an easy one the legal relationships between the parties is the
> key along with statutory obligations.
>
> Employer liability insurance is a contract between the Insurer and the
> Employer not the Insurer and the Employee. So the emphasis by Charles has to
> be turned to the Employer / employee relationship. As there is a statutory
> obligation on the majority of employers to obtain Insurance in case they
> cannot cover their liability the onus is on the employer to ensure their
> staff are advised of the disclosures they will be requested to make by the
> Insurer should the employer choose to make a claim from their Insurer.
> (There is no obligation to raise any claim under an Insurance policy).
>
> I enclose an extract of an amendment (1998) to the Employer Liability
> (Compulsory Insurance) Act 1969 which links to the Insurers right to obtain
> data which may not have been obtained in compliance with the DPA 98. See
> http://www.hmso.gov.uk/si/si1998/19982573.htm ) which govern contract terms
> placed on insurers being unable to void including a lack of provision of
> information. (See section 2d)
>
> Prohibition of certain conditions in policies of insurance
> 2. - (1) For the purposes of the 1969 Act[4], there is prohibited in
> any contract of insurance any condition which provides (in whatever terms)
> that no liability (either generally or in respect of a particular claim)
> shall arise under the policy, or that any such liability so arising shall
> cease, if-
> (a) some specified thing is done or omitted to be done after the happening
> of the event giving rise to a claim under the policy;
>
> (b) the policy holder does not take reasonable care to protect his employees
> against the risk of bodily injury or disease in the course of their
> employment;
>
> (c) the policy holder fails to comply with the requirements of any enactment
> for the protection of employees against the risk of bodily injury or disease
> in the course of their employment; or
>
> (d) the policy holder does not keep specified records or fails to provide
> the insurer with or make available to him information from such records.
>
> An employer can therefore withhold all personal data from the Insurer if
> they have failed to obtain it correctly under DPA98. Section 2d makes it
> clear an employer is under no statutory obligation to supply the Insurer
> (possibly because they have not notified employees of the holding or
> obtained their consent to disclose any medical data beyond the employer).
> Therefore DPA Sch3 Condition 2 cannot be used by the employer as their
> processing condition to hold sensitive data on employees by reference to
> their Insurance obligations. They may have other statutes however e.g.
> health and safety related. As far as passing data to Insurers Sch 3 clause 6
> comes into play. This begs the question whether consent is ever needed for
> medical data to be passed to Insurers or solicitors where the use is purely
> to assess a contested claim.
>
> Solicitors can be acting for either the Insurer / Employer or the data
> subject. If the data flow is sought via court process so each can prepare
> their case the DPA will not stand in the way via section 35 (statutory due
> to court disclosure processes) and its linkage to non-disclosure (27(4)).
> 27(4a) appears to indicate in this circumstance not even a fairness notice
> to a data subject is required. However the claim appears to need to be a
> contested claim relying on a court process requiring disclosure of evidence
> in readiness for a case. Claims which do not get this far, e.g. agreed
> amicably, presumably rely on data subject consent to allow sharing of
> physical or mental health data. In many cases I find that Insurers are
> supplied with an entire personnel file simply because the employer does not
> screen to supply only that which is relevant to the claim. This is a
> nightmare for subject access and registration processes within the Insurer.
>
> How many of those on this group can find any reference in their employment
> contract that their employer who is under a statutory obligation to take out
> insurance cover will disclose your personnel history to their insurer. If
> such a notice is not given then consider how you would approach your claim
> against the employer knowing that your employer has not obtained your
> consent and potentially may not be able to rely on Sch 3 6 to disclose
> without ensuring the process goes to court.
>
> Could see some arguments raised under Section 13 by data subjects in
> relation to employers disclosing sensitive data to their Insurers without
> having complied with the Acts principles. The Insurer will use their
> resources to assist their policyholder (employer) and a priority would be to
> attempt to reduce the claim against their policyholder by demonstrating from
> the data where possible that the employee(data subject) may have an element
> of contributory negligence in their loss or injury. Clearly the employer
> does not wish to face a premium rise which may come about through proof of
> their negligence so may have a conflict of interest in the set of data
> provided e.g suppress that which proves they were negligent such as records
> where an employee had previously notified their employer that they had a bad
> back but were given a lifting job. This is why cases go into court for full
> disclosure of evidence.
>
> As a consultant my advice emphasis would be different depending who my
> customer was :
> >From an Insurers view I would recommend that they make reference to their
> policyholders obligation under DPA to obtain consent to disclosure data on
> their employees when the contract is sold to avoid conflicts arising when a
> claim subsequently occurs.
> If advising an employer I would point out their risks in relation to the
> potential rises to their Insurance premium if they failed to sort out fair
> processing.
> If advising a data subject I would suggest that they point their solicitor
> at the employers DPA obligations to see if they can win they case due to
> inadmissible evidence assuming employer has not complied with DPA in
> disclosing files to their Insurer.
>
> In relation to conflicts of interest what do I do as a data subject working
> for an employer who insurers with one of their own group companies :). All
> comments gratefully received.
>
> David Wyatt
>
> ..
>
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]]On Behalf Of Neil Chadwick
> Sent: 22 January 2001 09:02
> To: [log in to unmask]
> Subject: Re: Insurance etc.
>
> This would not be the case with third party liability insurance (which
> accounts
> for a large number of cases a year for us). For example where a member of
> the
> public makes a claim against the authority. The Authority would claim from
> its
> own liability insurance but would have to pass on details of the member of
> the
> public. Obviously the claimant would be informed about this but would it be
> seen as informing the claimant if this was done via their solicitor?
>
> Charles Prescott (19/01/01 6:52 pm):
> >Shouldn't the notification, and prior consent, be in the insurance policy
> or
> other document presented to the individual at the time the take out the
> insurance? If it is sensitive information, a signature providing proof of
> the
> consent may be necessary.
> >
> >Neil Chadwick wrote:
> >
> >> Our insurance manager tells me that we often receive claims from members
> of
> the public or staff via their soliciter. In order to process these we need
> to
> exchange sensitive personal data with a number of organisations (medical,
> insurance companies etc.). To fully comply with the first principle we
> would
> have to inform the data subject of these disclosures.
> >>
> >> If we inform the data subject's soliciter of these disclosures as the
> soliciter is representing the subject have our obligations been met or do we
> have to inform the data subject directly?
> >>
> >> Any thoughts?
> >>
> >> Neil
> >>
> >> ___________________________
> >> Neil Chadwick
> >> Stoke-on-Trent City Council
> >
> >--
> >Charles A. Prescott
> >Vice President, International Business Development & Government Affairs
> >Direct Marketing Association
> >1120 Avenue of the Americas
> >New York, NY 10036
> >USA
> >Tel.+1.212.790-1552
> >Fax.+1.212.790.1449
> >e-mail: [log in to unmask]
> >e-mail: [log in to unmask]
> >
> >
> >
--
Charles A. Prescott
Vice President, International Business Development & Government Affairs
Direct Marketing Association
1120 Avenue of the Americas
New York, NY 10036
USA
Tel.+1.212.790-1552
Fax.+1.212.790.1449
e-mail: [log in to unmask]
e-mail: [log in to unmask]
|