Best practice guide for data protection issued by CII group
Published 28 April 2015
A new best practice guide has been produced by the Chartered Insurance Institute (CII) with support from the Insurance Fraud Bureau (IFB), providing guidance in relation to requests under Section 29(3) of the DPA.
Section 29(3) of the DPA permits the sharing of Personal Data for the purposes of the prevention or detection of crime without having to comply with certain provisions of the DPA. Insurers typically use s.29 requests to request or share information in pursuit of the detection of fraud. However, it is acknowledged that these requests are often misused or framed as demands, and that many organisations citing this provision of the DPA have little understanding of its scope and application.
Section 29(3) requests concern the sharing of information with third parties in the interests of financial crime prevention within the insurance sector.
The guidance aims to:
- Provide clarity on the use and application of Section 29(3) of the DPA within the insurance industry;
- Improve the quality of requests made under Section 29(3) within the insurance industry;
- Improve the quality of responses to requests made under Section 29(3) within the insurance industry, even where the data controller is unable or unwilling to disclose the information requested.
What action could be taken to manage any risks that may arise from this development?
Financial services companies should consider updating their policy on responding to and making s.29 requests to comply with this guidance.