Data Sharing Policy

Version 4

June 2013

Policy for sharing data between specified partner Insurers and Absolute Partnership Ltd via thirdeye®

Appendix A — Data Sharing Guidance for Staff
Appendix B — Confidentiality and Release

1 Introduction and Overview

The aim of this policy is to define how personal and sensitive data will be provided to Absolute Partnership Ltd by the specified insurers and the methods used by Absolute Partnership Ltd for the secure and legal management, accessing and processing of that data.

This document is one of a number of documents that combine to provide guidelines and rules covering all aspects of data sharing and management between Absolute Partnership Ltd and the specified insurers.

In writing this policy, due attention has been paid to the views of specified insurers, and all the guidance has been written taking into account relevant legislation where applicable, including:

  • Data Protection Act 1998
  • Human Rights Act 1998
  • Freedom of Information Act 2000

A Data Sharing Guidance note and Confidentiality Guidelines also exist, which have been included in Appendices of this document. Together these documents form the basis on which all specified insurers share data with Absolute Partnership Ltd. It also sets out the responsibilities for the specified insurers on how Absolute will manage the access and processing of data, to ensure that accessing and / or processing of shared data is accurate, necessary, legal and ethical.

1.1 Absolute Partnership Ltd

The existence of Absolute Partnership Ltd is to:

Provide services to its customers in the most effective and efficient way. In order to do this Absolute Partnership Ltd, through its database called thirdeye®, collects data from customers, and uses this data for a variety of information and service delivery functions for the purpose of fraud prevention.

The data collected by thirdeye®, as defined by the Data Protection Act 1998 (DPA), might contain both personal and sensitive data. Absolute Partnership Ltd therefore have developed guidance and agreements for partners that access the data which it holds, to ensure that they acknowledge their legal responsibilities in using and processing such data.

Absolute Partnership Ltd have identified that the categories of both personal and sensitive data as defined in the DPA fall into a number of classifications in terms of use by thirdeye®, and that the risks surrounding the different uses of the data require further clarification of the DPA definitions.

2 Types of Data

For the purposes of this set of documents there are essentially three classes of data as defined by the Act itself, listed below:

2.1 Anonymised and Aggregated Data

Anonymised data are individual data records from which the personally identifiable fields have been removed. Where appropriate, data will be “anonymised” ensuring that the data subject’s identity is not discernible from such data.

Aggregated data are data which are processed to produce a generalised result, and from which individuals cannot be identified. This might include data brought together to give a broad understanding of e.g., fraud distribution by class or date range.

There is sometimes a slight risk that aggregated data might still allow an individual to be identified, for example by the results producing a very small group of results, from which other data may be used in identifying an individual, even though personal data has been removed.

2.2 Personal Data

In the DPA personal data are defined as:

“…data which relate to a living individual who can be identified

  • from those data, or
  • from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”

Such personal data might include, but not be limited to:

  • Name
  • Address
  • Telephone Number
  • Date of Birth / Age
  • Unique reference number if that number can be linked to other information which identifies the data

The law imposes obligations and restrictions on the way Absolute Partnership Ltd and its insurer partners process personal data (in this context processing includes collecting, storing, amending and disclosing data), and the individual who is the subject of the data (the “data subject”) has the right to know who holds their data and how such data are or will be processed, including how such data are to be shared.

2.3 Sensitive Data

In the DPA certain types of data are referred to as “sensitive personal data”. These are data which relate to the data subject’s:

  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs or other beliefs of a similar nature
  • Trade union membership
  • Physical or mental health or condition
  • Sexual life
  • Commission or alleged commission of any offence
  • Any proceedings for any offence committed, or alleged to have been

Additional and more stringent obligations and restrictions apply to Absolute Partnership Ltd and its insurer partners whenever we process sensitive personal data through thirdeye®.

3 Data Management

3.1 Data Control

Under the DPA, any organisation which “determines the purposes for which and manner in which any personal data are, or are to be, processed” is called a “data controller”. All data controllers are required to comply with the DPA whenever they process personal data (bearing in mind, as stated above, that “processing” includes collecting, storing, amending and disclosing data). At all times, when receiving data into thirdeye®, Absolute Partnership Ltd will be considered the data processor, as opposed to the insurer partner who will be the data controller and may be the first point of contact. As a data processor, Absolute Partnership Ltd must, at all times, process data solely in accordance with the security obligations set out in Section 4.

3.2 Data Protection Registration/Notification

All organisations that manage, access, process and/or share personal data must be registered with the Information Commissioner’s Office (ICO).

Any insurer partner sharing personal data for thirdeye® must be registered with the ICO. It is a criminal offence to process (which includes sharing) personal data in a manner which is inconsistent with your registration.

The notification section of the Information Commissioner’s website: informationcommissioner.gov.uk contains more information on how to notify, including a downloadable handbook, which covers all the requirements of notification.

Registration should be done directly with the Information Commissioner via the above website address. Organisations (the ICO use this term to include all data controllers, including sole traders, companies, and MPs) need to pay either £35 or £500 to register (notify), depending on their size and turnover.

A fee of £500 applies to organisations with either:

  • a turnover of £25.9M and 250 or more members of staff
  • if they are a public authority with 250 or more members of

All other organisations pay £35 per annum unless they are exempt.

A telephone help line is available from the Information Commissioner’s Office for any queries relating to the notification process. This number is 0303 123 1113 or 01625 545 745.

Again, it is up to the insurer partners when registering to ensure that all purposes, classes and sub-sections are correctly notified.

The processing of personal data in a manner which is inconsistent with your registration is a criminal offence.

4 Security

Regardless of the type of data being accessed, processed and stored, security is considered of paramount importance. Absolute Partnership Ltd has undertaken an audit by the ICO to ensure all systems and working practices are secure. In addition, Absolute Partnership Ltd is progressing towards ISO27001/2 accreditation.

All data that are held by thirdeye® are held on secure servers, with access restricted to internal use by appropriate members of staff.

As data processor for the data that thirdeye® collects, Absolute Partnership Ltd is expected to treat named data in accordance with the DPA, and ensure that security is in place sufficient to protect the data from unauthorised access. This ranges from physical security, such as adequate protection for premises when unattended, to IT-related security, such as passwords and secure IDs.

It is understood that each insurer partner may have differing security needs; however, it is important that all reasonable steps are made to ensure data is kept private and confidential at all times. Each insurer partner is expected to comply with its Information Security Policy and to make staff aware of their obligations in this respect.

In particular, all insurer partners must take appropriate technical and organisational measures against unauthorised or unlawful accessing and / or processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This will include:

  • Appropriate technological security measures, having regard to the state of technology available and the cost of implementing such technology, and the nature of the data being protected
  • Secure physical storage and management of non-electronic data
  • Password protected computer systems
  • Restricted access to data and taking reasonable steps to ensure the reliability of employees who have access to sensitive data
  • Ensuring data is only held as long as is necessary, in line with Data Protection principles
  • Appropriate security on external routes into the organisation, for example Internet firewalls and secure remote access facilities.

Insurer partners are themselves responsible for complying with security in respect of the DPA, irrespective of the specific terms of this agreement.

4.1 Issuing of Data

Absolute Partnership Ltd is expected to issue data only to data subjects who comply with the required procedure or those organisations which have a legitimate right to view and process that data. In accordance with the standard declaration (Appendix B), Absolute Partnership Ltd will not make named data available for commercial use.

4.2 Storage of Data

Data recorded by thirdeye® is stored in a secure, purpose-built database. Access to the raw data is on a restricted basis, and all processing done on the data within thirdeye® requires authorisation from the team responsible for managing the data.

4.3 Confidentiality of Data

All personal data is treated with the utmost confidentiality, and shared by Absolute Partnership Ltd only with those organisations which can demonstrate a professional or legal requirement for having access. No data will be used outside the service for commercial gain or advantage without the prior agreement of the specified insurer that submitted the data to thirdeye®.

4.4 Data Quality

Data quality means producing information that is ‘fit for purpose’ on a ‘right first time’ basis. In order to achieve this there are a number of principles that underpin good quality data that need to be adhered to.

Failure to work to these standards introduces the possibility of inaccuracies and poor data quality with the potential knock on effect of flawed decision making. These standards are:

  • Validity and Relevance — the correctness and reasonableness of data and ensuring it is appropriate to the purpose of the performance measure it has been selected for;
  • Completeness — there are controls over input, especially that information is input on an ongoing basis rather than being entered at a later date;
  • Consistency and reliability — data should be internally consistent with the aim of being accurate 100% of the time;
  • Accuracy — there are verification procedures in place as close to the point of input as possible.
  • Timeliness — data should be timely and up to
  • Relevance — Appropriate use of the data, is it fit for purpose and applicable?

Before entering into any agreement, Absolute Partnership Ltd must be satisfied that the above criteria are met to the highest possible standard. When data is supplied to thirdeye® it is critical that we have an understanding of the supplier’s policies and controls when dealing with data quality.

5 Data Audit

All data stored, processed and/or passing through thirdeye® is tracked and recorded.

This provides an audit trail of where data has come from and where it is going. It is expected that insurer partners will also be able to provide robust audit trails for all data they hold that is considered personal or sensitive.

6 Requests about Personal or Sensitive Data held

6.1 Subject Access Requests

Under the Data Protection and Freedom of Information Acts, customers can ask to see the information that is held on computer and in some paper records about them. This is called a Subject Access Request (SAR). If customers wish to know what information is held about them, requests must be put in writing to the insurer organisation collecting the data. Further contact information on the appropriate officers can be found in the Fair Processing Notice.

6.2 Complaints

Complaints about personal or sensitive information held by thirdeye® must be made in writing to Absolute Partnership Ltd, detailing the reasons for the complaint. Further contact information on the appropriate officers can be found in the Fair Processing Notice.

6.3 External Organisations

Sensitive and personal data are not passed to organisations outside Absolute Partnership Ltd and the specified insurer partners, except where an organisation may have a legal and legitimate reason for access and a requirement for the data in order to carry out its function.

Organisations wishing to have access to named data must first sign up to the thirdeye® data sharing policy for personal and sensitive data, submit a request as to which data elements are required and justify their request for access.

This request will then be considered by Absolute Partnership Ltd, and access to the data either granted or denied.

Personal and sensitive data are not shared unless the need is totally justified, Absolute Partnership Ltd believes the requesting organisation to be fully aware of their obligations under all relevant legislation, and the organisation has agreed to be bound by the policy for the sharing of such data.

7 Changes to Policies

This policy will be reviewed on a regular basis and consequently it may be subject to change. On changing a policy, the new publication will be provided by Absolute Partnership Ltd to each insurer partner.

Appendix A — Data Sharing Guidance for Staff

thirdeye® Data Sharing Guidance

This document is intended to ensure that personnel working for and on behalf of Absolute Partnership Ltd understand the importance of good practice when dealing with personal and sensitive personal data held in customer records, and appreciate the rules by which individuals’ data may be accessed and processed.

The following items represent the Data Sharing Guidelines of thirdeye®, with respect to personal and sensitive personal data:

  • Data held by thirdeye® will be treated as confidential at all
  • Data held by thirdeye® will be processed in accordance with the DPA, and internally produced
  • Individuals have the right of access to information about them. (Refer to Data Protection section for more details).
  • Personal data will be made available to the data subject, provided the data subject satisfies the request requirements of the
  • Data will only be held that are needed in order for thirdeye® to perform and fulfil its statutory and business
  • The uses to which personal and sensitive data may be put, are detailed in the Data Sharing
  • Data will not be made available to third parties for commercial or marketing purposes. Data will only be shared with organisations that have a legal requirement to access such data in order to fulfil their statutory
  • Organisations using any type of data held by thirdeye® will have to sign up to a data sharing policy and be bound by the requirements of that Policy.
  • All documentation that relates to the management of data will be made publicly

Periodically, this policy will be subject to review and change. Any changes to this policy will be published by Absolute Partnership Ltd, and up-to-date copies of the policy will be available via the Data Protection Officer.

Appendix B — Confidentiality and Release Guidelines

thirdeye® Confidentiality and Release Guidelines for Personal and Sensitive Data

Introduction

This document provides advice on the release of personal data to third party organisations, and guidelines for the process by which the decision whether or not to disclose will be made.

Data is collected about customers. The data is brought together to form a single database of information, called thirdeye®, which is used by Absolute Partnership Ltd and may also be shared with other government and statutory bodies.

Data Protection Act 1998

Absolute Partnership Ltd has notified the Information Commissioner’s Office of the purposes for which it intends to process personal data.

Under the terms of the DPA, individuals have a right of access to any information held about them. Requests by individuals of this nature should be directed to the Data Protection Officer of one of the partner insurers.

Principles of Confidentiality

There are a number of principles that apply to the confidentiality and release of data, and which should always be adhered to:

  • Data identifying individuals, whosoever they may be, are regarded as
  • Data of any kind will only be shared with organisations which have equivalent data protection policies and guidelines, or who have signed up to the relevant thirdeye® data sharing
  • Personal data will only be shared in accordance with these
  • Anonymised or aggregated data, which produces publishable results of less than five individuals, will only be published with the policy of the specified insurer
  • An individual has the right to request copies of data that are held by thirdeye®, and Absolute Partnership Ltd or the specified insurer partners will endeavour to supply this information at the earliest

Release Guidelines

Personal and Sensitive Data

Personal data held by thirdeye® may be released to individuals and other organisations under certain conditions. These include:

  • Internal staff who require access to the data, in order to perform their
  • External staff, working within the Absolute Partnership Ltd offices, such as consultants who are working under contract to Absolute Partnership Ltd and require access to personal or sensitive personal data in order to perform their
  • Governmental and statutory organisations that require access to such data in order to perform statutory or public functions. Agreement to the thirdeye® data sharing policies may be a requirement under certain

Crime Prevention

Absolute Partnership Ltd and the specified insurer partners are registered individually with the ICO for the purposes of crime prevention. If required Absolute Partnership Ltd will allow data matching processes across thirdeye® in order to detect fraud, or identify other serious criminal activities.

This authority will only be used where Absolute Partnership Ltd believes it has reasonable grounds for taking such action, or a third party can provide reasonable grounds for justifying such action by Absolute Partnership Ltd.

External Organisations Working on Behalf of Absolute

Occasionally, Absolute Partnership Ltd might employ an external agency to do research or analysis work on its behalf. In these cases, information supplied to the third party will be supplied subject to a processing agreement, and the relevant data sharing agreement if appropriate.

Summary

At all times data that are held by thirdeye® will be treated in accordance with these guidelines, the data policy and guidelines published by Absolute Partnership Ltd, and the DPA.

ENDS