IF2 - Module 12 Flashcards
Who does UK General Data Protection Regulation apply to?
The UK General Data Protection Regulation (UK GDPR) applies to data controllers (those who say how and why personal data is processed) and data processors (those who act on behalf of controllers).
What is the effect of UK GDPR and the Data Protection Act 2018?
The UK GDPR and the Data Protection Act (DPA) 2018 regulate the use of computers and other automatic data processing equipment as a means of storing data.
The rules also cover ‘relevant filing systems’ (broadly, systems equivalent to a computerised system with ready accessibility to relevant information).
The rules encourage personal information about people to be kept confidential and prohibit the unauthorised disclosure of personal records to third parties.
What are the main elements of the Data Protection Act 2018?
Its main elements include:
- ensuring that sensitive health, social care and education data can continue to be processed, to ensure confidentiality in health and safeguarding situations;
- restricting the rights to access and delete data where there are legitimate grounds for doing so (e.g. for national security purposes);
- setting the age from which parental consent is not needed to process data online; and
- providing the Information Commissioner’s Office (ICO) with enhanced powers to regulate and enforce data protection laws.
What are the Powers of the ICO for serious data breaches?
The ICO can levy fines of up to £17.5 million or 4% of annual global turnover.
It can also bring criminal proceedings against a data controller or processor if they have altered records following a Subject Access Request (SAR) with the intent to prevent disclosure.
What are the six data protection principles of the UK GDPR?
These principles require that personal data should be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
- and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
How does UK GDPR handle breaches?
All businesses handling personal data must also register with the Public Register of Data Controllers (maintained by the Information Commissioner’s Office (ICO)).
The UK GDPR introduces a duty on all organisations to report certain types of breach to the ICO, and in some cases to the individual.
What rights does the UK GDPR give individuals in respect of information held about them by others?
The UK GDPR provides the following rights to individuals:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
In order to protect information held on computers, what are the procedures that all organisations should follow?
To protect information held on computers, there are some procedures which all organisations, including those in the insurance industry, should follow:
- Restricted access
- File saving and backup
- Source documentation retention
- Protection against theft or damage
- Copyright
- Use of passwords
- Secure storage and file disposal
What does The Computer Misuse Act 1990 state?
The Computer Misuse Act 1990 was passed to provide a deterrent against unauthorised computer access and introduced three criminal offences.
In addition, making, supplying or obtaining anything which can be used in computer misuse offences is illegal.
The Act sets out the maximum penalties for such offences.
A complaint is defined as?
Any oral or written expression of dissatisfaction, whether justified or not, from, or on behalf of, a person, about the provision of or failure to provide, a financial service.
How should companies handle complaints?
Complaints must be recorded, investigated and a decision made that is appropriate, timely and fair by someone independent of the original complaint. Records of complaints must be kept for three years from the date of the complaint.
What are ICOBS claims handling rules?
ICOBS requires that an insurer must:
- handle claims promptly and fairly;
- provide reasonable guidance to help a policyholder make a claim and appropriate information on its progress;
- not unreasonably reject a claim (including by terminating or avoiding a policy);
- and settle claims promptly once settlement terms are agreed.
What does Enterprise Act 2016 state?
This requires insurers to pay claims within a reasonable time.
Reasonable time depends on the type of insurance, the size and complexity of the claim, compliance with regulatory rules and guidelines, as well as factors outside the insurer’s control.
Failure to pay a claim within a reasonable time will mean the policyholder can claim damages if the delay is unreasonable and this causes them additional losses.
What does ICOBS say about the rejection of a claim?
ICOBS states that rejection of a consumer (i.e. private individual) policyholder’s claim is unreasonable, except where there is evidence of fraud, if it is for:
- non-disclosure of a fact material to the risk which the policyholder could not reasonably be expected to have disclosed; or
- non-negligent misrepresentation of a fact material to the risk; or
- breach of warranty or condition, unless the circumstances of the claim are connected to the breach.
What type of data are UK GDPR and the Data Protection Act 2018 mainly concerned with?
They are both mainly concerned with personal data.
Personal data is any data relating to an identifiable living individual.
There are also some types of personal information that are more sensitive than others and so there are additional requirements for processing it.
UK GDPR refers to sensitive personal data as ‘special categories of data’.
These categories include such things as a person’s ethnic or racial origin, religious or political beliefs, health, sexual life, genetics or biometrics (where used for ID purposes).