Insurers ‘Privacy & Protection’

UK insurers, whether they are ABI members, Lloyd’s syndicates, or independent firms, are subject to a wide range of privacy, data protection, and confidentiality regulations. These rules ensure that personal data is handled lawfully, fairly, and securely, especially in sensitive contexts like claims handling, fraud investigation, and underwriting.

Core Privacy and Data Protection Laws

  1. UK General Data Protection Regulation (UK GDPR)

    Applies to all UK insurers processing personal data. Key obligations include:
  • Lawfulness, fairness, transparency (Article 5)
  • Data minimisation and purpose limitation
  • Security of processing (Article 32)
  • Subject access rights (Article 15)
  • Lawful basis required (commonly: legitimate interests, contract, or legal obligation)
  • Special category data (e.g. health data) requires additional safeguards (Article 9)
  1. Data Protection Act 2018 (DPA 2018)

    Supplements the UK GDPR and includes criminal offences, such as unlawful data disclosure (Section 170).
  • Part 3 deals with law enforcement data and Part 4 with intelligence services data.
  1. Privacy and Electronic Communications Regulations (PECR)

    Regulates direct marketing, cookies, and electronic communications (e.g. email, SMS).
  • Insurers must ensure consent when required and maintain marketing preferences.

Insurance-Specific Regulation and Guidance

  1. Financial Conduct Authority (FCA) Handbook

    All insurers regulated by the FCA must follow:
  • Principle 6 – Treat customers fairly
  • Principle 10 – Protect client assets
  • SYSC – Systems and Controls: includes data and security governance
  1. Codes of Conduct – Industry Bodies

    Even non-ABI and non-Lloyd’s insurers often adhere to:
  • CII Code of Ethics (Chartered Insurance Institute)
  • Insurance Fraud Bureau (IFB) data handling principles
  • Data sharing protocols like CIFAS (fraud prevention)

6. Technical and Organisational Safeguards (Security Expectations)

Insurers must:

  • Encrypt personal and special category data
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Appoint a Data Protection Officer (DPO) if required
  • Ensure third-party processors (e.g. claims handlers, loss adjusters) are compliant
  • Report breaches within 72 hours to the ICO (if reportable under UK GDPR)

There are penalties for Non-Compliance