Data Protection is to blame for many things (sleepless nights for Data Protection officers, hits to the public purse, a proportionate measure of respect and security for people’s sensitive private information, bulging wallets for lawyers) and many people like to criticise it. In this occasional series I want to come to its defence, by pointing out examples where data protection has been wrongly blamed for a failure elsewhere. The Information Commissioner used to do something similar but seems to have given up with that (and, after all, “data protection duck out” is a cringemaking phrase).
So here’s my first example: “Vague” Data Protection Act blights fraud detection, say insurers
The facts of the article itself are fine, as one would expect if the author is Pete Swabey, but it’s the message itself that grates. According to the Chartered Insurance Institute (CII), there is a problem with section 29 of the Data Protection Act 1998 (DPA), which permits the disclosure of personal data by a data controller, whereby the general presumption against non-disclosure is disapplied if applying it would be likely to prejudice any of the following purposes: the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty or of any imposition of a similar nature. Normally the question whether to disclose will arise in response to a specific request from another person or body (normally one with crime detection or prosecution powers, or tax collection powers). This comes down to a matter of applying a balancing test to specific facts: if I don’t disclose this information, would it be likely to cause prejudice to those purposes?
This is often a difficult decision for a data controller (it’s about serious matters – why should it always be easy?). But the CII complain that
the vagueness of Section 29…has led to an extremely high volume of information requests, with little consistency or clarity. This, it says, is hindering investigations.
“Certain companies, particularly the lawyers, are sending requests out without thinking about them,” [says] David Clements, motor investigations manager at Zurich
Bad Data Protection Act! Making people ask for disclosure of personal data without giving it much thought!
Also, the fact that requests and responses are made in a haphazard, non-standard fashion creates unnecessary work for fraud investigators.
Silly Data Protection Act! Making an industry incapable of standardizing procedures!
And, indeed, the article says that the industry is trying to sort itself out
The New Generation Claims Board is working on a voluntary code of best practice to help insurance providers both improve the efficacy of their fraud investigations and reduce their risk of non-compliance.
“We’re going to provide the industry with a best practice protocol plus a template for sending and receiving requests,” Clements explains.
But the evil Data Protection Act is still lurking about causing trouble, because this is only a voluntary scheme
as insurance companies are not even obliged to respond to Section 29(3) requests
Come on Data Protection Act, sort yourself out!