REVIEW: Three steps forward – three steps back – The Association of British Insurers and the British Insurance Brokers Association guidance on selling telematics insurance products.
This review takes a stab at discussing, from the reasonably-informed citizen/consumer point of view, one of the first codes of guidance into the selling of telematics insurance products.
The guide (published May 2013) is available here.
It comes from the Association of British Insurers which represents ‘the UK’s insurance, long-term savings and investment industry’ and the British Insurance Brokers Association which is ‘the UK ‘s leading general insurance intermediary organisation representing the interests of insurance brokers, intermediaries and their customers’.
(In the following note I have abbreviated the authors to ‘ABI’).
The object of the guide is to ‘define good practice to ensure that customers buying these products continue to be treated fairly and their data is protected.’
Three steps forward:
1: It’s the first such guide and recognises that telematics has the power to rapidly transform the vehicle insurance market – but it’s cautious about how fundamental this change will be. But the fact that it has been done at all is an important step forward.
2: It recognises that insurance provides will have to introduce new policies and procedures to deal with these changes which are substantial in scope.
3: It recognises there are basic issues of privacy and information security, information processing, ownership, product design and management which need addressing particularly because the volume and type of information collected by telematics systems is itself a valuable, marketable, commodity. As such it gives an insight into the industry’s concerns.
Three steps back:
1: It is too conservative and too bothered about protecting the insurance industry from statutory oversight and general public criticism – when, in fact, this oversight and consumer input is essential given the complexity of the issues and the wide-ranging current debate on information security.
2: It advocates changes that insurance providers need to embrace but lacks detail as to what changes, relating to which innovations, demanding what kind of systems are required – this must leave many insurance companies bewildered particularly given the predominance of woolly thinking about essential concepts. As we discuss below, these issues are of wide public importance and it is presumptive of the insurance industry to assume it can sort these issues out in private.
3: The guidance as presently drafted gives insights into the current concerns of the insurance industry (what it perceives to be the problems in selling these products to us) but no clue as to how the insurers are to resolve them. If the ABI is offering representation and leadership then this is a woeful shortcoming and makes the document almost useless. In no way does this document meet its declared objectives.
So, for the detail: Three things we, the ordinary readers, need to remember when reading this guidance.
Firstly, it is written by the insurers for the insurers – it is an industry document and seeks to preserve and advance the insurers’ interests – and insurance companies (like any other commercial organisations) are in the business to make money. Commercial interest (though important in its own right) is not the same as the public interest. This document confuses these interests.
Secondly, codes of guidance are, in the main, no use in a court of law. They can give insights into how the insurers view their legal responsibilities, but going against a code of guidance is not in itself unlawful. And as the ABI reminds readers : `This is a voluntary good practice guide´. However, the ABI tries to have its cake and eat it – it is anxious to make its code authoritative – aware no doubt of the public scepticism of these voluntary codes given the recent débâcle over the Press Complaints Commission. However, in this ambition it fails. It is a clear indication of why the industry needs statutory regulation to give the consumer clear rights capable of challenge, enforcement and redress.
Thirdly, no matter how complex this all seems, the issues are simple and basic.
That is to say whenever you buy and sell anything your behaviour and the behaviour of the vendor, and the claims made, have to be reasonable. And there is nothing complicated about the meaning of the word ‘reasonable’.
If you are being asked for consent then that consent must be informed and freely given. That means reasonable steps have to be taken to inform you about the ins and outs needed to weigh up the options so that you are in a good position to give consent. The insurance industry knows all about this consent concept – to its cost.
And, in relation to electronic data which measures, weighs and records all that we do in our lives, well, that information is personal, it ours, we own it and its subject to one of the most basic and profound laws – in the UK, the Human Rights Act 1998 which in article 8 states: ‘Everyone has the right to respect for his private and family life, his home and his correspondence’. And ‘correspondence’ in this context has a wide definition – not just written material but electronic emails and, importantly, any type of coded electronic messages designed to reveal any aspect of any person’s activities. But, this right is (and at this point you could say obviously) one of the rights known as a balancing right – that is in its use a balance has to be struck between the person’s private rights and the needs of other people or society as a whole – hence the need for a bit more explanatory law making. But, the starting point is privacy.
The code does not deal with the underlying provisions of this act but it does make clear there are other key bits of law deriving from these principle which have to be addressed:
The conduct of those offering telematics products is already subject to regulation by the Financial Conduct Authority (FCA) , while consumer rights to data, and the obligations of firms in receipt of telematics data are set out in the Data Protection Act 1998 (DPA). Accordingly, this guidance seeks to complement and reinforce the responsibilities set out elsewhere, with a focus on compliance issues particular to telematics products.
Oddly, the code does not suggest that insurers adopt robust complaints procedures – or give an indication of how existing complaints processes should be adapted so as to match the corresponding issues arising from telematics or what systems it should have in place to redress the customer concern. Its own website entry on complaints and complaints procedures is remarkably vague and, as far as I can gather, it has never produced an industry-wide code of practice on complaints procedures (though I hope I shall be corrected on this point if I am wrong). As we shall see this is important because the use of telematics in most cases requires the joining-up of a variety of systems many of which will be owned and operated by sub-contracted specialist enterprises. Faced with a complaint, the insurance provider might have a tough time chasing the complaint to its source and then knowing how to resolve it justly.
The ABI notes the telematics market is expanding rapidly, but in its view, it is too early to see if telematics products will become ‘mainstream’. It says:
Since 2009, the number of consumers with Telematics Policies in the UK has increased significantly, as has the number of insurers and brokers offering Telematics Policies. While the market is expected to continue expanding rapidly in the immediate future, it is unclear whether Telematics Policies will remain a niche product or become mainstream.
The importance of telematics policies to the insurers is clearly stated, and, with a view to looking over its shoulders at what government might be doing, pushes the self-regulation angle. Trust is clearly an anxiety, as is public opinion:
…consumer confidence in telematics products will be a key determinant of the long – term viability and success of the telematics market … consumers need to trust insurers to treat them fairly and protect their personal information . Critically, consumer confidence will be influenced by the actions of all market participants … as any decision to regulate the market externally will consider the effectiveness of the industry’s own efforts to regulate itself.
Therefore, the ABI wants all insurers to act now:
`We urge stakeholders to implement any changes necessary to comply with the action as soon as possible.’
The ABI is keen to remind its members that it must operate within the law – well, quite. So, much of the advice on this topic is somewhat otiose. It is an ‘overarching’ principle that:
…the insurance industry is fully compliant with its legal responsibilities in respect of the collection and use of Personal Telematics Data; …consumers trust the insurance industry to use their Personal Telematics Data responsibly and to store Personal Telematics Data securely.
It says that we, the consumer, should understand:
…what Personal Telematics Data is being collected; who is using their Personal Telematics Data; how their Personal Telematics Data is being used; and what their rights are with respect to their Personal Telematics Data.
This implies that the insurance provider at the same time as installing and promoting telematics systems (of which there are many) needs to develop, in tandem, a customer information process which covers each of these issues (collection, use, rights).
Information, privacy and security
Shall we be safe – given this type of policy requires that the location of a vehicle could be detected at any time the question is how is my privacy to be protected – will I be able to use my car without being tracked – can I opt in and out?
The code is silent on whether this type of provision should be included in all or any policy as a matter of choice. Surely a point for industry guidance. Equally, what type of discount or reward should be offered to the telematic product user – surely a point of guidance to the industry. We get no clues from this document.
But, the code has a reasonable starting point:
No telematics data should be released to the authorities …
… good – but overlooking the fact the ‘the authorities’ has no definition – there is a catch …
… without a court order or the explicit written consent of the policyholder and the data subject(s)
… so, notice the policyholder and the data subject can be two different people and explicit consent has to be given – otherwise its an application to the court and (of course) the court before granting that order would have to hear both sides of the issue…
unless: i. the data is being released for the purpose of detecting and preventing insurance fraud; or ii. the data controller is compelled to do so …
…so, a weakness here – there appears to be nothing here in the code which would stop the insurance provider trawling its data to ‘detect’ fraud or ‘prevent’ fraud. The scope here is too wide – and surely open to abuse. Is this a general power (to trawl and go on a fishing through the data) or is the power specific (when the insurer has reasonable grounds to suspect fraud and requires the data for proof?). We do not know.
Tolerances and accidents
If you commit a traffic offence – will you be reported to the police – Not sure? If I am involved in an accident – what happens? The ABI wants insurers to have in place policies which
…do not cause undue concern.
The issue of tolerances is of wide-ranging public concern. There is a clear public gain to be made in encouraging the use of telematics devices to promote safe and economical driving. It is not for the insurance industry alone to set these parameters – too wide and the public gain will be lost (that is, the insurers will be turning a blind eye to bad driving defeating the public interest). Equally – too tight and the device becomes burdensome – the worst sort of back-seat driver – the type of passenger you want to dispose of at the first opportunity. No product would have a future in these circumstances – again, defeating the general public gain.
The ABI wants
‘clearly documented procedures for any accident alerts and those procedures should be strictly followed.’
An accident alert is not defined. It is difficult to understand the issues here. Clearly, the telematics providers have come across a specific issue which requires addressing. But there is not enough information here to understand what it is all about. And why does the accident alert procedure require ‘clearly documented procedures’ – surely all the issues require procedures clearly set out and understood and ‘strictly followed’– not just this one? Some examples of the issues here would be instructive but they have been boiled down into the following paragraph which only reveals the levels of complexity arising – leaving us without any hint of what kind of process the insurer has to create:
Where a Telematics Policy includes an Accident Alert , reasonable care should be taken to ensure that there has been an incident, before contact is made with the policyholder. There should be an agreed first point of contact in the event of any incident that requires the policyholder to be contacted. Any staff members, including outsourced staff, contacting policyholders about a possible accident should be specifically trained in how to handle such situations.
If you sell my data – what control do I have ?
The ABI is aware that ‘additional data protection issues arise from telematics products’ and usefully, it lists them (I have numbered them):
1. there is more data collected and
2. consumers need to understand what is being collected and why
3. without appropriate consent, there is potential for Personal Telematics Data to be collected, processed or disclosed illegally
4. the existence of additional data, combined with varying outsourcing arrangements, will make responding to subject access requests more complex;
5. Personal Telematics Data will be an attractive data resource for third parties.
But, buried underneath this is an issue I don’t understand. Whose data is this in the first place. Surely, if the insurers are collecting data from a device I own, placed in a vehicle I own – maybe even using a device for which I am paying a service-provider subscription – then that data is mine. I own it. At what point does the ownership of that data pass to another? And what is the bargain struck at the time? Why is the data ‘an attractive resource for third parties’ – who are these parties – what do they want and why? The ABI provides no guidance.
Whoaa! Too much woolly thinking here
We now live in the post-Edward Snowden era, when we know that governments appear to think they have the right to collect whatever electronic data they want, from whatever device at any time for whatever purpose they choose. This is clearly going to lead to new legislation which can only enforce, clarify and safeguard personal data and absolutely separate it from the information which can be used for the general public good (health, welfare, security). The ABI could be taking a leadership position here, instead it is weak on this issue, and makes unwarranted assumptions about telematics’ data ownership. It says:
Using Personal Telematics Data for marketing purposes
Personal Telematics Data will be valuable to other parties for marketing and research purposes . While it is acceptable if data is shared with other parties with the appropriate consent, consumers will lose trust in telematics products if explicit consent is not given before it is shared or if regardless of any consent obtained, the Personal Telematics Data are used in a manner or for purposes which go beyond the reasonable expectations of the consumer.
Who is defining what is ‘acceptable’,’acceptable data sharing’, ‘appropriate consent’ and ‘reasonable expectations’?
What is the difference between ‘appropriate consent’ and ‘explicit consent’?
How does it become possible for data to be shared ‘regardless of any consent obtained’? Are we talking about government here or some other dark forces?
These issues need a clear head. They need drawing out and examining carefully in a public arena. For example, given the above statement, what has the ABI been saying about all the recent data scandals – anything or nothing?
These are issues that cannot be confined to discussion among the insurers alone. All interested parties need to be involved (the insurer, the client, the device manufacturer, the outsourcing parties, the data protection agencies, the road-safety promoters) – and that has to involve representation of the consumer/citizen.
So – to re-cap. An interesting first stab at a guidance note – but needs much more work. What do the ABI and the brokers have to say in response to these criticisms – there is only one way to find out – let’s ask them.
Shortly – an examination of the insurers’ guidance note for the consumer.
Jonathan Coe