Policy for sharing data between specified partner Insurers and Absolute Partnership Ltd via thirdeye®
Appendix A — Data Sharing Guidance for Staff
Appendix B — Confidentiality and Release
The aim of this policy is to define how personal and sensitive data will be provided to Absolute Partnership Ltd by the specified insurers and the methods used by Absolute Partnership Ltd for the secure and legal management, accessing and processing of that data.
This document is one of a number of documents that combine to provide guidelines and rules covering all aspects of data sharing and management between Absolute Partnership Ltd and the specified insurers.
In writing this policy, due attention has been paid to the views of specified insurers, and all the guidance has been written taking into account relevant legislation where applicable, including:
A Data Sharing Guidance note and Confidentiality Guidelines also exist, which have been included in the Appendices of this document. Together these documents form the basis on which all specified insurers share data with Absolute Partnership Ltd. It also sets out the responsibilities for the specified insurers on how Absolute will manage the access and processing of data, to ensure that accessing and / or processing of shared data is accurate, necessary, legal and ethical.
The existence of Absolute Partnership Ltd is to:
Provide services to its customers in the most effective and efficient way. In order to do this, Absolute Partnership Ltd, through its database called thirdeye®, collects data from customers, and uses this data for a variety of information and service delivery functions for the purpose of fraud prevention.
The data collected by thirdeye®, as defined by the Data Protection Act 1998 (DPA), might contain both personal and sensitive data. Absolute Partnership Ltd therefore have developed guidance and agreements for partners that access the data which it holds, to ensure that they acknowledge their legal responsibilities in using and processing such data.
For the purposes of this set of documents there are essentially three classes of data as defined by the Act itself listed below:
Anonymised data are individual data records from which the personally identifiable fields have been removed. Where appropriate, data will be “anonymised” ensuring that the data subject’s identity is not discernible from such data.
Aggregated data are data which are processed to produce a generalised result, and from which individuals cannot be identified. This might include data brought together to give a broad understanding of e.g., fraud distribution by class or date range.
There is sometimes a slight risk that aggregated data might still allow an individual to be identified, for example where the results produce a very small group, from which other data may be used to identify an individual, even though personal data has been removed.
In the DPA personal data are defined as:
“…data which relate to a living individual who can be identified
Such personal data might include, but not be limited to:
The law imposes obligations and restrictions on the way Absolute Partnership Ltd and its insurer partners process personal data (in this context processing includes collecting, storing, amending and disclosing data), and the individual who is the subject of the data (the “data subject”) has the right to know who holds their data and how such data are or will be processed, including how such data are to be shared.
In the DPA certain types of data are referred to as “sensitive personal data”. These are data which relate to the data subject’s:
Additional and more stringent obligations and restrictions apply to Absolute Partnership Ltd and its insurer partners whenever we process sensitive personal data through thirdeye®.
Under the DPA, any organisation which “determines the purposes for which and manner in which any personal data are, or are to be, processed” is called a “data controller”. All data controllers are required to comply with the DPA whenever they process personal data (bearing in mind, as stated above, that “processing” includes collecting, storing, amending and disclosing data). At all times, when receiving data into thirdeye®, Absolute Partnership Ltd will be considered the data processor, as opposed to the insurer partner who will be the data controller and may be the first point of contact. As a data processor, Absolute Partnership Ltd must, at all times, process data solely in accordance with the security obligations set out in Section 4.
All organisations that manage, access, process and/or share personal data must be registered with the Information Commissioner’s Office (ICO).
Any insurer partner sharing personal data for thirdeye® must be registered with the ICO. It is a criminal offence to process (which includes sharing) personal data in a manner which is inconsistent with your registration.
The notification section of the Information Commissioner’s website: informationcommissioner.gov.uk contains more information on how to notify, including a downloadable handbook, which covers all the requirements of notification.
Registration should be done directly with the Information Commissioner via the above website address. Organisations (the ICO use this term to include all data controllers, including sole traders, companies, and MPs) need to pay either £35 or £500 to register (notify), depending on their size and turnover.
A fee of £500 applies to organisations with either:
A telephone helpline is available from the Information Commissioner’s Office for any queries relating to the notification process. This number is 0303 123 1113 or 01625 545 745.
Again, it is up to the insurer partners when registering to ensure that all purposes, classes and sub-sections are correctly notified.
The processing of personal data in a manner which is inconsistent with your registration is a criminal offence.
Regardless of the type of data being accessed, processed and stored, security is considered of paramount importance. Absolute Partnership Ltd has undertaken an audit by the ICO to ensure all systems and working practices are secure. In addition, Absolute Partnership Ltd is progressing towards ISO27001/2 accreditation.
All data that are held by thirdeye® are held on secure servers, with access restricted to internal use by appropriate members of staff.
As data processor for the data that thirdeye® collects, Absolute Partnership Ltd is expected to treat named data in accordance with the DPA, and ensure that security is in place sufficient to protect the data from unauthorised access. This ranges from physical security, such as adequate protection for premises when unattended, to IT-related security such as passwords and secure IDs.
It is understood that each insurer partner may have differing security needs; however, it is important that all reasonable steps are made to ensure data is kept private and confidential at all times. Each insurer partner is expected to comply with its Information Security Policy and to make staff aware of their obligations in this respect.
In particular, all insurer partners must take appropriate technical and organisational measures against unauthorised or unlawful accessing and / or processing of personal data and against accidental loss or destruction of, or damage to, personal data.
This will include:
Insurer partners are themselves responsible for complying with security in respect of the DPA, irrespective of the specific terms of this agreement.
Absolute Partnership Ltd is expected to issue data only to data subjects who comply with the required procedure or those organisations which have a legitimate right to view and process that data. In accordance with the standard declaration (Appendix B), Absolute Partnership Ltd will not make named data available for commercial use.
Data recorded by thirdeye® is stored in a secure, purpose-built database. Access to the raw data is on a restricted basis, and all processing done on the data within thirdeye® requires authorisation from the team responsible for managing the data.
All personal data is treated with the utmost confidentiality, and shared by Absolute Partnership Ltd only with those organisations which can demonstrate a professional or legal requirement for having access. No data will be used outside the service for commercial gain or advantage without the prior agreement of the specified insurer that submitted the data to thirdeye®.
Data quality means producing information that is ‘fit for purpose’ on a ‘right first time’ basis. In order to achieve this there are a number of principles that underpin good quality data that need to be adhered to.
Failure to work to these standards introduces the possibility of inaccuracies and poor data quality, with the potential knock-on effect of flawed decision making. These standards are:
Before entering into any agreement, Absolute Partnership Ltd must be satisfied that the above criteria are met to the highest possible standard. When data is supplied to thirdeye® it is critical that we have an understanding of the supplier’s policies and controls when dealing with data quality.
All data stored, processed and/or passing through thirdeye® is tracked and recorded.
This provides an audit trail of where data has come from and where it is going. It is expected that insurer partners will also be able to provide robust audit trails for all data they hold that is considered personal or sensitive.
Under the Data Protection and Freedom of Information Acts, customers can ask to see the information that is held on computer and in some paper records about them. This is called a Subject Access Request (SAR). If customers wish to know what information is held about them, requests must be put in writing to the insurer organisation collecting the data. Further contact information on the appropriate officers can be found in the Fair Processing Notice.
Complaints about personal or sensitive information held by thirdeye® must be made in writing to Absolute Partnership Ltd, detailing the reasons for the complaint. Further contact information on the appropriate officers can be found in the Fair Processing Notice.
Sensitive and personal data are not passed to organisations outside Absolute Partnership Ltd and the specified insurer partners, except where an organisation may have a legal and legitimate reason for access and a requirement for the data in order to carry out its function.
Organisations wishing to have access to named data must first sign up to the thirdeye® data sharing policy for personal and sensitive data, submit a request as to which data elements are required and justify their request for access.
This request will then be considered by Absolute Partnership Ltd, and access to the data either granted or denied.
Personal and sensitive data are not shared unless the need is totally justified, Absolute Partnership Ltd believes the requesting organisation to be fully aware of their obligations under all relevant legislation, and the organisation has agreed to be bound by the policy for the sharing of such data.
This policy will be reviewed on a regular basis and consequently it may be subject to change. On changing a policy, the new publication will be provided by Absolute Partnership Ltd to each insurer partner.
thirdeye® Data Sharing Guidance
This document is intended to ensure that personnel working for and on behalf of Absolute Partnership Ltd understand the importance of good practice when dealing with personal and sensitive personal data held in customer records, and appreciate the rules by which individuals’ data may be accessed and processed.
The following items represent the Data Sharing Guidelines of thirdeye®, with respect to personal and sensitive personal data:
Periodically, this policy will be subject to review and change. Any changes to this policy will be published by Absolute Partnership Ltd, and up-to-date copies of the policy will be available via the Data Protection Officer.
thirdeye® Confidentiality and Release Guidelines for Personal and Sensitive Data
This document provides advice on the release of personal data to third party organisations, and guidelines for the process by which the decision whether or not to disclose will be made.
Data is collected about customers. The data is brought together to form a single database of information, called thirdeye®, which is used by Absolute Partnership Ltd and may also be shared with other government and statutory bodies.
Absolute Partnership Ltd has notified the Information Commissioner’s Office of the purposes for which it intends to process personal data.
Under the terms of the DPA, individuals have a right of access to any information held about them. Requests by individuals of this nature should be directed to the Data Protection Officer of one of the partner insurers.
There are a number of principles that apply to the confidentiality and release of data, and which should always be adhered to:
Personal data held by thirdeye® may be released to individuals and other organisations under certain conditions. These include:
Absolute Partnership Ltd and the specified insurer partners are registered individually with the ICO for the purposes of crime prevention. If required, Absolute Partnership Ltd will allow data matching processes across thirdeye® in order to detect fraud, or identify other serious criminal activities.
This authority will only be used where Absolute Partnership Ltd believes it has reasonable grounds for taking such action, or a third party can provide reasonable grounds for justifying such action by Absolute Partnership Ltd.
Occasionally, Absolute Partnership Ltd might employ an external agency to do research or analysis work on its behalf. In these cases, information supplied to the third party will be supplied subject to a processing agreement, and the relevant data sharing agreement if appropriate.
At all times data that are held by thirdeye® will be treated in accordance with these guidelines, the data policy and guidelines published by Absolute Partnership Ltd, and the DPA.