We have recently identified a difficulty with schedule three and the
health and safety information we provide to our insurance company. Our
insurers have asked me to check if other organisations have come across
this issue and, if so, how do you deal with it? If there are any DPOs
for insurance companies out there, your views would also be very
welcome...

In the past it has been our practice to provide our insurance brokers
and insurers with copies of all completed F2508 forms (the form used
under RIDDOR to inform HSE of a notifiable injury or dangerous
occurrence) at the time that we complete them. At this point we do not
know whether or not the person who suffered the accident will make a
claim, but the insurance company use the information to assist them in
estimating the amount of our premium and to help in the detection of
fraudulent claims. I understand that many organisations provide their
insurance companies with similar information.

We store the original forms in such a way that they would qualify as a
'relevant filing system', and because they may contain information about
people's injuries (physical or mental health or condition), the
information contained in the form includes 'sensitive personal data'.
We, therefore, need to meet one condition from each of schedules two and
three in order to pass a copy of the forms to our insurers lawfully.
From schedule two we could rely on the 'legitimate interests' condition,
but which schedule three condition do other organisations use to justify
the transfer of this sort of information to their insurers? If you
obtain 'explicit consent', how do you go about doing this?

We are not concerned about providing the information to the insurance
company once a claim has been made; our worry is only about providing
information when we do not know whether or not the data subject will (or
even is likely to) make a claim.

Susan Graham.