Disclosure of Subject's Date of Birth and GDPR

  • Writer: Martin Ryan
  • 6 hours ago

Insurers in Ireland can disclose a person’s date of birth to an investigator for legitimate purposes, such as investigating suspected fraud, provided they comply with the Data Protection Acts 1988-2018 and the GDPR. This is generally allowed when necessary to process a claim, prevent fraud, or comply with legal obligations. However, this disclosure must be proportionate and, where a private investigator is acting on behalf of an insurer, a contract must be in place restricting the investigator's use of the personal data.


Key Considerations for Data Disclosure:


  • Purpose: Data must be collected and disclosed only for specific, lawful purposes.

  • Proportionality: Insurers must limit the information provided to investigators to that which is strictly necessary.

  • Legal Basis: GDPR regulations permit the exchange of information to fight third-party claims fraud.

  • Data Controller Responsibility: Insurers are responsible for ensuring investigators act in compliance with data protection laws.


How to share information?


Under the GDPR and DPA 2018, the sharing of information is permitted with consent, but this is unhelpful in a fraud investigation. Fortunately, there are certain limited circumstances in which the sharing of information is allowed without consent when "…processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party".


What qualifies as a legitimate interest?


Legitimate interest includes:


  • Preventing fraud

  • Preventing or detecting a crime

  • Preventing or detecting unlawful acts

  • Necessary for an insurance purpose (the handling of a claim).


It is therefore clear that information can be shared for the purpose of investigating fraud on the legitimate interest ground of detecting a crime or unlawful act. An insurer can also share information lawfully where it is necessary for an insurance purpose.


This means sharing information for the administration of a claim where it is required for reasons of substantial public interest. This would, of course, include fraud prevention.


Despite the stricter controls on the processing and storing of information that have been introduced since the GDPR, there still remain avenues open to insurers to lawfully share information. The GDPR now specifically provides a basis for insurers to share information which was not envisioned when the DPA 1998 was implemented. As a result, insurers are in a stronger position now than under the old law to share information as part of a fraud investigation into a third-party claim.


To protect against GDPR consequences, here are some basic steps that you can follow to ensure the continued sharing of data:


  • Establish the legitimate interest ground or grounds before sharing information

  • Document your thinking – in the unlikely event of an ICO/DPO challenge, this will be vital

  • Share information only where fraud concerns exist, documenting reasons where you do

  • Update your data sharing request forms by specifying the relevant sections of the new law – this will provide the organisation you want information from with legitimate grounds to process the data lawfully and assist you with a fraud investigation


Comments


The introduction of the GDPR and DPA 2018 has not drastically altered the landscape. It remains the case that insurers can freely exchange information as part of a fraud investigation.


Insurers are able to freely exchange information as they would have done before and, if anything, the basis for that exchange of information is bolstered by the provisions now set out.


There is no need to panic. Provided the correct process is followed, insurers can continue to exchange information in the continued fight against third-party claims fraud.