Using indirectly obtained data in the insurance value chain
Although insurance regulators support innovation, they are conspicuously monitoring the insurance industry’s increasing reliance on data that has not been directly provided by customers.
Newly available external sources of information, such as social media posts, provide underwriters with an opportunity to bridge the traditional information gap between underwriters and policyholders. While there are legitimate reasons to use non-traditional sources of data, such as for detecting insurance fraud, regulators are mindful the data is also used to derive lifestyle indicators about customers for the purposes of profiling and, more recently, for automated decision-making.
New York’s insurance regulator released a circular in January 2019 that puts life insurers on notice that they can use external data to set premiums, but restrictions apply, and customer outcomes will be monitored. In Europe, the GDPR anticipates the use of non-traditional sources of information by (among others) the insurance industry and includes specific provisions on indirectly obtained information. It is also striking the first quesiton in Eipoa's 2019 thematic review on the use of big data in motor and health insurance is about the types of data used by insurers and the sources of such data.
In light of this focus by insurance regulators on the use of external data sources, insurers, intermediaries and insurtech firms should review their culture, governance and processes around the collection, retention and use of such information. For those using the personal data of European customers, the key points to consider under the GDPR are:
- Lawful access: data controllers must ensure they have lawful access to any informaiton not provided directly by a customer;
- Legal basis for processing: data controllers must have a lawful basis for processing indirectly obtained information. Care should be taken when using the data for a purpose not compatible with the purpose for which the data was originally collected, too;
- Purpose and transparency: Article 14 of the GDPR includes disclosure requirements designed to encourage fairness and transparency with respect to the use of information not obtained from the data subject. For example, the data controller must provide data subjects with information on the intended purposes of processing the personal data and might need to disclose the sources of the data and if applicable if it came from publicly accessible sources. These disclosures must be provided within the timescales set out in Article 14(3);
- Data collection and retention: data controllers must comply with the GDPR’s data minimisation and limitation principles and should be wary of collecting more personal data than they need. This includes avoiding the temptation to collect indirectly obtained information simply because it is available and to keep it just in case it might be useful. Not that Article 14 requires controllers to disclose how long data will be retained for, including indirectly sourced data; and
- Accuracy: non-traditional sources of information can be out of date and not fully representative. Data controllers must consider the accuracy of data, especially when used for profiling and automated decision-making.
This article first appeared in Insurance Day