For the purposes of this notice personal data or data may include both personal data, such as your name, address, date of birth and claims history and “special” categories of data such as information about offences, criminal or motoring convictions and medical conditions.
We are committed to ensuring that your privacy is protected. Should We hold or use your personal data, you can be assured that it will only be used in accordance with this privacy notice. You must have received the consent of any third party named on your insurance policy to provide their personal data to Us and you should show this notice to them. This policy should be read in conjunction with the Terms of Business that relate to your insurance policy with Us. First may change this policy from time to time; however, We are not obliged to give notice of the changes, so you should check our websites or contact Us to ensure you are referring to the latest version.
First Underwriting Ltd is the data controller and processor in respect of your personal data. This means that we decide how your personal data is processed and for what purposes, and that we also process your personal data.
We comply with our obligations under the GDPR by keeping personal data up to date, by storing and destroying it securely, by not collecting or retaining excessive amounts of data, by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
Use of Personal Information
We use personal information for the following purposes:-
- To assess your request for insurance, provide a quotation and administer your policy;
- To undertake the performance of a contract of insurance to which you are a party;
- To administer your claims and third party claims;
- To prevent fraud and financial crime;
- Statistical analysis and management information;
- Audits, system integrity checking and risk management;
- To send marketing information about our products and services if we have received specific consent.
There is no obligation to provide us with personal information, but if you do not, we may not be able to provide products or services or administer claims.
Profiling and Automated Decision Making
We may use automated decision making, which includes profiling in our assessment of insurance risks and for the administration of policies. This is used to help us decide whether to offer insurance, determine prices and validate claims.
We may also use your personal data for profiling purposes. For example, We may analyse how many claims happen in a particular postcode or if some types of people are more likely to be involved in accidents than others. Using your data in this way assists Us in providing our customers with the lowest premiums possible.
Collection of Personal Information
We collect the following types of personal information to allow us to complete the activities described under ‘use of personal information’ above:-
- Individual details such as name, address, phone numbers, age, gender, marital status, dependents, employment status and job title;
- Financial details such as bank account or credit card information;
- Identification details such as driver licence number, passport number or national insurance number;
- Tracking, telematics, camera or video records if it is relevant to the insurance policy or the claim;
- Background insurance checks including previous policy information and claims history;
- Special categories of data including health, disability, motoring convictions and criminal convictions.
Where We Collect Personal Information From
We may collect information about you from the following sources:-
- You or your family members;
- Your representatives;
- Information you have made public (such as via social media);
- Credit reference or fraud prevention agencies; this includes Call Credit, whose privacy notice can be found at https://www.callcredit.co.uk/legal-information/bureau-privacy-notice;
- Emergency services, law enforcement agencies, medical and legal practices;
- Insurance industry registers and databases used to detect and prevent insurance fraud, for example, the Motor Insurance Database (MID), the Motor Insurers Anti-Fraud and Theft Register (MIAFTR) and the Claims and Underwriting Exchange (CUE);
- In the event of a claim, insurance investigators, claims service providers, claimants or witnesses;
- Other service providers or provider services for our products.
Sharing of Personal Information
We may need to share your personal information with other recipients which could include:-
- Approved service providers or suppliers or other group companies that provide support services;
- Fraud prevention or credit reference agencies or other agencies that carry out work on our behalf such as the Motor Insurers Database (MID) or the Insurance Fraud Bureau (IFB);
- Other insurers, reinsurers, underwriters, regulators, law enforcement, Ombudsman Services or the Claims and Underwriting Exchange (CUE);
- Purchasers of the whole or part of our business.
Retention of Personal Information
If you decide to take a policy with Us, We will normally retain your personal data for up to ten years from when your policy expires. We may also retain telephone call recordings for up to seven years.
Where We have obtained your personal data directly or via a third party – for example an insurance broker, introducer or a marketing firm and We have your agreement to contact you at your next renewal, We will retain data for up to two years from your next renewal date.
If your insurance is an employer’s liability policy, We will retain the details of this policy for at least 60 years. This is to ensure that the details are available to you should an employee lodge a claim against you far into the future, such as may be the case for an industrial disease where symptoms may not present themselves for many decades.
Use and Sharing of Special Categories of Personal Information
Special categories of personal information under Data Protection legislation include medical history, disabilities, motoring or criminal convictions. We may need to collect and process this information for the purposes of evaluating the risk and/or administering your policy or a claim. You or any person covered under this policy must provide explicit verbal or written confirmation to such information being processed by us.
We will only share this information in accordance with appropriate laws and regulations or where it is essential to administer the policy or when dealing with a claim. First Underwriting Ltd is authorised and regulated by the Financial Conduct Authority. All policies are underwritten on behalf of Accredited Insurance (Europe) Ltd.
What legal basis do We use for processing your personal data?
First Underwriting will only use and store your personal data if We have a legal basis for doing so. It is your right as the subject of this data to be informed what the legal basis is for each type of processing that We undertake.
- We will process your personal data for the purposes of providing an insurance quotation, managing and administering your insurance policy, assisting with or administering claims, responding to complaints, handling policy enquiries and arranging premium finance on the legal basis that this processing is necessary for the performance of a contract with you or in the course of entering into a contract with you. For the purposes above, personal data that is classed as “special data”, such as information relating to criminal or motoring convictions and medical conditions, will be processed in accordance with the law and on the legal basis that it is necessary for the performance of a contract necessary for reasons of substantial public interest. We will follow all appropriate safeguards to ensure the security of this personal data.
- Vehicle data added to the MID is processed under the basis of a legal obligation (Road Traffic Act 1988).
- We may use your personal data for marketing purposes where we have your consent to do so. You have the right to request that We do not contact you for marketing purposes at any time by contacting Us – see the Contact Us section below. If you withdraw consent then your interests will override ours and We will be unable to use this legal basis to further process your data.
- If your policy is cancelled or not renewed and We are contacted by your new insurer or broker to confirm details of any no claims bonus, claims history or the reason for cancellation, We may release this personal data under the basis of legitimate interest. If you do not wish Us to do this then you may object or request that We restrict the processing of your personal data.
- For any processing of personal data for analytical purposes, our legal basis for processing is that it is necessary for the purposes of a legitimate interest.
- If your personal data is being used for the purposes of debt recovery, our legal basis is that processing is necessary for the purposes of a legitimate interest.
You have the following rights in relation to the data We hold about you; however, some of these rights may not apply in certain circumstances – details are noted below. First has strict internal processes in place that ensure your rights are upheld and that any requests you make in relation to these rights are responded to within 30 days of you making them.
The right to be informed
You have the right as a data subject to be informed in a clear and precise manner about the data We hold about you. Within this privacy notice We detail the nature of this data We hold, the reasons We hold it, how this data is used, who We will share this data with, how long We will retain your data and the rights you have in relation to your data. If you require any further information, you can contact Us using the details below.
The right of access
In order to demonstrate the legitimacy of the personal data We hold on you, its accuracy and the lawfulness of the processing We undertake, you have the right to request a copy of all data We hold about you. You can request this information free of charge using the details below. We will provide a copy of all personal data We hold about you within 30 days of you making this request.
The right to rectification
You have the right to ensure that all data We hold on you is both accurate and complete. If you are concerned that the data We hold about you is inaccurate or incomplete when considering the purposes for which your data is being used, you can ask Us to rectify this. To do so, you should contact Us using the details below.
The right to erasure (the right to be forgotten)
You have the right to request that all of the data We hold on you be erased from our systems. We may only be able to comply with this request in specific circumstances. This request would also apply to any third party with whom We had shared your data, and We would notify them accordingly if your request was valid. We will not be able to erase your data in all circumstances. For example, We would not be able to erase data that is being processed for the purposes of administering a live or lapsed insurance policy unless the policy has been lapsed for seven years or more (or longer in some circumstances). This is because We have a legal obligation to retain this data for the defence of legal claims should a third party make a claim against your policy. If you require any further information, or you wish to exercise your right of erasure, you should contact Us using the details below.
The right to restrict processing
You have the right to restrict our processing of your data under the following circumstances:
- If you contest the accuracy of the information We hold until such time that We are able to verify the accuracy of this data or correct any errors.
- You believe that the processing of this data is unlawful.
- We no longer need the data for any purpose other than for the defence of any future insurance claims made against your policy.
- You are awaiting a decision following an objection you have raised regarding an automated decision making process.
If you wish to exercise your right to restrict processing, you should contact Us using the details below.
The right to data portability
Where We are processing data under the basis of contractual performance or consent you have the right to request that We provide your data in a machine readable format that you can then share with other businesses or in any other way you see fit. You have the right to request that We transfer your data to third parties directly for them to use as you see fit. You are able to utilise your data in this way by contacting Us using the details below.
The right to object
You have the right to object to your data being processed. The right to object for direct marketing purposes or profiling of your data for the purpose of direct marketing is absolute and We must cease the processing of your data for these purposes. However, for other processing, the right to object is not absolute and there may be some compelling reason why We need to continue processing your data. Please contact Us using the details below if you want to exercise this right.
The rights regarding automated decision making and profiling
You have the right to request human intervention into any process involving automated decision making where this results in a legal implication to you. This right would not apply to underwriting decisions or to applications for credit made on our website or internal system as this automated decision making is required for entering into a contract with Us. Currently, We do not use automated decision making for any other functions, but if you have concerns regarding this, please contact Us using the details below.
The right to complain
You have the right to complain about the use of your personal data – in the first instance please contact Us using the details below. Our complaint handling procedure is available upon request or can be accessed from the First Underwriting website. You are also entitled to complain to the Information Commissioner by writing to –
Information Commissioner’s Office
Alternatively, you can access their website here.
If you have any questions about how we use personal information, you can contact our Data Protection Officers as follows:-