Information Security at The Insurance Surgery
This document provides a general overview of information security at The Insurance Surgery for existing and prospective customers.
Data Protection and GDPR
In its capacity as an insurance broker, as per the definition under the Data Protection Act (DPA) and the upcoming General Data Protection Regulation (GDPR), The Insurance Surgery is a data controller (i.e. we determine the purposes and manner in which we process the personal data that we collect).
As data controller of the personal data that we collect either from individuals or advisers, we are required to comply with the requirements of the DPA, including that the data we hold is adequately protected, that it’s kept up to date and accurate and that we allow our customers to exercise their rights.
If we, as an Insurance broker, breached the GDPR, we would be liable for any potential sanctions and regulatory scrutiny.
In order to achieve compliance with our obligations under the GDPR, we have policies, standards and guidance in place and ensure that the appropriate controls and safeguards are implemented to protect personal data.
General Data Protection Regulation (GDPR)
The Insurance Surgery is fully aware of the upcoming changes to data protection regulations that will come into force in May 2018 under GDPR. The Insurance Surgery has already appointed a company Data Protection Officer. We also have a GDPR programme in force, ensuring that the requirements of the new regulations are fully in place.
Senior management are involved in all aspects of the project and are actively monitoring the Information Commissioner's Office (ICO) to ensure that the GDPR project operates, and continues to operate, in line with the latest guidance.
Information Security Risk Management
(Key governance positions responsible for data security)
- Managing Director.
- Head of Sales and Operations.
- Data Protection Officer.
We would also like you to know that The Insurance Surgery operates a three lines of defence approach to personal data protection.
- All staff within The Insurance Surgery understand and work to the guides and regulatory factors surrounding GDPR and information security.
- The Head of Sales and the management team proactively monitor this working practice, performing checks and continuing to safeguard GDPR compliance and information security directly and independently.
- An internal audit is performed quarterly, reporting directly to the DPO/ICO.
The Insurance Surgery is an Insurance broker authorised and regulated by the Financial Conduct Authority (FCA) and is a member of the Association of British Insurers (ABI) – The Insurance Surgery is also registered with the Information Commissioner’s Office (number Z8689672).
The Insurance Surgery is an insurance broker. We are committed to ensuring your privacy and personal information is protected. Below we set out our policy in commitment to that. For the purposes of this document The Insurance Surgery will henceforth be referred to as “We”.
When we collect and use your personal information, we ensure we look after it properly and use it in accordance with our privacy principles set out below, keep it safe and will never sell it.
- Personal information you provide is processed fairly, lawfully and in a transparent manner.
- Personal information you provide is collected for a specific purpose and is not processed in a way which is incompatible with the purpose for which The Insurance Surgery collected it.
- Your personal information is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Your personal information is kept accurate and, where necessary, kept up to date.
- Your personal information is kept no longer than is necessary for the purposes for which the personal information is processed.
- We will take appropriate steps to keep your personal information secure.
- Your personal information is processed in accordance with your rights.
- We will only transfer your personal information to another country or an international organisation outside the European Economic Area where we have taken the required steps to ensure that your personal information is protected. Such steps may include placing the party we are transferring information to under contractual obligations to protect it to adequate standards.
- The Insurance Surgery does not sell your personal information and we also do not permit the selling of customer data by any companies who provide a service to us.
Whilst there are a number of ways in which we collect your personal information, the two main ways are from things you tell us yourself and via medical disclaimers.
This can come via the following routes:
- Application forms.
- Telephone conversations.
- Historical policies taken via us.
- Your family members where you may be incapacitated or unable to provide information relevant to your policy.
- Third parties such as authorised introducers acting on your behalf in your pursuit of a policy or policy options.
Where The Insurance Surgery is the data controller of your personal information we may collect the following about you:
- Contact details such as name, email address, postal address and telephone number.
- Details of any other persons included on the policy where they are named on your policy and the relationship to you as policyholder.
- Financial information such as bank details.
- Information relevant to your insurance policy such as details about your previous policy.
- Details of your current or former physical or mental health.
- Details concerning sexual life or sexual orientation, for example marital status.
Under data protection laws we need a reason to use and process your personal information and this is called a legal ground. We have set out below the main reasons why we process your personal information and the applicable circumstances when we will do so.
Processing is necessary in order for us to provide your insurance policy and services, such as assessing your application and setting you up as a policyholder, administering and managing your insurance policy, providing all related services, providing a quote, handling and communicating with you. In these circumstances, if you do not provide such information, we will be unable to offer you a policy. We process your data only in relation to legitimate business needs.
We share your personal data only with the providers related to obtaining your policy for matters of underwriting and review.
Once obtained, your personal data is stored by us only in relation to needs associated with your policy. This includes our ability to contact you in order to establish whether we may be able to offer you better protection after the date of your policy, as medical conditions and industry knowledge may change.
Know your rights
You have the following rights in relation to our use of your personal information.
The right to access your personal information
You are entitled to a copy of the personal information we hold about you and certain details of how we use it. There will not usually be a charge for dealing with these requests. Your personal information will usually be provided to you in writing, unless otherwise requested, or where you have made the request by electronic means, in which case the information will be provided to you by electronic means where possible.
The right to rectification
We take reasonable steps to ensure that the personal information we hold about you is accurate and complete. However, if you do not believe this is the case, please contact us by using the details shown in your documentation and you can ask us to update or amend it.
The right to erasure
In certain circumstances, you have the right to ask us to erase your personal information, for example where the personal information we collected is no longer necessary for the original purpose or where you withdraw your consent. However, this will need to be balanced against other factors, for example according to the type of personal information we hold about you and why we have collected it, there may be some legal and regulatory obligations which mean we cannot comply with your request.
The right to restriction of processing
In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to process your personal information.
The right to object to direct marketing
You can ask us to stop sending you marketing messages at any time.
The right to lodge a complaint
You have a right to complain to the ICO at any time if you object to the way in which we use your personal information. More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/
Should you wish to discuss any of the above, please write to The Data Protection Officer at:
Data Protection Officer
45 Pickford Street
Or email: firstname.lastname@example.org