A clause of the UK's Data Protection Act that allows companies to share personal information to investigate crime is actually hampering the insurance industry's fight against fraud, according to the Chartered Insurance Institute.
Section 29(3) of the Data Protection Act says that personal data processed for the prevention or detection of crime can be shared without the subject's consent. In the insurance industry, this clause is used to investigate fraudulent claims.
There is a central list of all personal insurance claims filed in the UK, and when a new claim comes in, an insurance provider will check to see whether any similar claims have been filed by the same customer with other firms.
If there are similar claims, an insurance provider or its lawyers can request information about those claims under Section 29(3). The other insurance providers are under no obligation to provide the information, but given that they all want to crack down on claims fraud they are usually happy to help.
However, according to the CII, the vagueness of Section 29(3) has led to an extremely high volume of information requests, with little consistency or clarity. This, it says, is hindering investigations.
"Certain companies, particularly the lawyers, are sending requests out without thinking about them," David Clements, motor investigations manager at Zurich and member of the CII's New Generation Claims Board, which has investigated the matter.
The CII survey ten insurance companies and found they had received over 21,000 requests in a year between them.
There is little guidance in the Data Protection Act about what constitutes a compliant request or response, Clements said, meaning insurance providers could run the risk of breaking the law. "If you ask for something very sensitive like a medical report, should you receive the full report or should you receive certain key data from the report?"
"There are a lot of issues around what is relevant and what is appropriate."
Also, the fact that requests and responses are made in a haphazard, non-standard fashion creates unnecessary work for fraud investigators.
"We need to cut out the stuff that isn't relevant, and give fraud teams the time to look at only relevant and appropriate referrals," Clements said. "That means time will be spent on cases that will actually improve fraud detection and the outcomes of fraud cases."
Section 29(3) is an essential tool for fraud investigation, he adds, but its implementation needs to improve. "The law is vague, there is no best practice, and there is no consistency in the way companies are handling this."
The New Generation Claims Board is working on a voluntary code of best practice to help insurance providers both improve the efficacy of their fraud investigations and reduce their risk of non-compliance.
"We're going to provide the industry with a best practice protocol plus a template for sending and receiving requests," Clements explains.
This has to be a voluntary scheme, however, as insurance companies are not even obliged to respond to Section 29(3) requests.
According to the UK's Insurance Fraud Bureau, undetected general insurance claim fraud in the country totals £2.1 billion a year. This adds an average of £50 to annual policy costs.
Earlier this year, the IFB signed a "landmark agreement" with the Association of Chief Police Officers to share information about organised criminal gangs.
“The sharing and use of information and intelligence is the key to dismantling criminal networks which have a huge impact on people’s lives," Durham chief constable Michael Barton said at the time.
