Following a recent case in which two former employees of mobile phone operator T-Mobile were fined for selling the company’s customer data, Information Commissioner Christopher Graham described the trade in unlawfully-gained information as ‘huge’.
Jack Straw, the MP for Blackburn and former Justice Secretary, has now raised concerns over the practice whereby insurance companies pass on the personal details of customers who have been involved in an accident to personal injury claims companies.
Typically, insurance companies that supply this information are then paid a referral rate of between £200 and £1,000 for each lead that generates business and such payments have become a vital part of their income. Mr Straw claims that insurance companies justify the practice on the ground that if they do not sell the information to claims companies, others – such as recovery firms, garages, credit companies and even the police – will.
Mr Straw has called for increased enforcement action on the part of the ICO and the tighter regulation of claims companies in order to outlaw the practice.
In response to Mr Straw’s findings AXA, one of Britain’s leading motor insurance companies, has announced that it will cease to pass on details of customers who have been involved in accidents, a decision that will cost the company several million pounds a year. Paul Evans, Group CEO, AXA UK, said, “The industry needs to be tidied up, but it will not tidy itself up. This has to be stopped; this dysfunctional market cannot be allowed to continue.” AXA is calling for the Government to ban referral fees completely.
Mr Straw’s claims have drawn criticism from the Chief Constable of West Yorkshire Police, who, in a letter to the Times newspaper, categorically states that West Yorkshire Police does not sell information on those involved in road traffic accidents. Should a claims company request information about a specific collision, however, a charge is made for providing the data.
Any organisation which retains personal data has a duty to maintain such data safely. The ICO takes a very strong line over breaches of the Data Protection Act 1998 (DPA) and can impose a penalty of up to £500,000 for serious breaches of one or more of the eight data protection principles contained therein. For guidance on complying with the DPA, see