Legal obligations for data on telematics devices rare in U.K.

Legal obligations to supply personal data held on telematics devices are rare in the United Kingdom, suggested a recent blog from Brussels, Belgium-based Ptolemus Consulting Group.

Thomas Hallauer, the group’s research and marketing director in London, said on Saturday that meeting with U.K. usage-based insurance (UBI) service providers — or telematics service providers — spurred discussions from UBI service providers regarding requests for their telematics data. The debates centred on what sort of data is typically requested from insurers and what are insurers’ legal obligations when providing that data.

“The short answer was that legal obligations to supply personal data held on telematics devices are rare and exist only in very specific circumstances,” Hallauer wrote. “In fact, the defendant legal community anticipated a wave of claimant solicitors fishing for telematics data when determining whether or not to bring a claim, but this, by in large, has not happened.”

In the auto insurance industry, vehicle telematics are applied in different ways. Driver behaviours (accelerating, braking, cornering, etc.) and driving characteristics (where, when, etc.) can be gathered through various sensor and communications devices, and the resulting data can be analyzed and reported. The results can be used simply to report back to the insured party to influence driving behaviour, or can be tied directly to insurance premiums.

The blog also discussed a draft European data protection regulation introducing a “right of portability” for personal data. “This reportedly was targeted at social media sites so that users could switch more easily. The potential effects of this on the other industries have however sunk in and the latest draft added the caveat ‘if technically possible’ to the right, which does dramatically water it down,” Hallauer wrote. “So, again, the UBI industry can breathe a sigh of relief … for the time being.”

Related: Mobile, cloud computing high priorities for insurers: survey

The regulation has been in draft form and debated for over three years.

As the law stands currently, organizations in Europe should not be keeping data any longer than is necessary, for limited purposes and in certain limited circumstances should delete the data if the holding of that data is causing unwarranted damage and distress. As a general rule, if an insurance company has a Financial Conduct Authority obligation to keep data for a certain period of time and it is reasonable to do so for business or regulatory reasons, then the individual has no right to request it to be deleted.

The draft regulation – based on a presentation from Rhiannon Davies, an associate from DAC Beachcroft LLP last month, also increases the threshold for “consent,” when it is required to process personal data. “It is a common misconception that consent is always required to process personal data, but this is not the case,” Hallauer wrote. “Although there are very few exemptions from having to give clear notices to individuals detailing what you are going to do with their personal data, consent to processing personal data is only required in certain circumstances.”

Although it is unclear what legal implications would apply in Canada, the blog noted that “there is no doubt that… news stories have increased awareness and sensibilities towards personal data processing and it is good practice to implement disclosure policies and data retention and destruction policies and ensure they are known, understood and followed across various departments of your organization.”