It is important to us that you have confidence in our solution, so we have created this guide, which explains the most common UKGDPR, DPA and legal questions in respect of applicable privacy laws.
So who is the ‘Controller’ and who is the ‘Processor’?
You are instructing us to complete each search which we process on your behalf. Therefore, primarily you are the Controller and we act as your Processor. However, because a limited sub-set of personal data is retained by us (to offer additional metrics in respect of repeated searches and associated risks, as described in more detail below), we are also a Controller in respect of that more limited personal data.
You mention you retain data – what do you retain, for how long and for what purpose?
We retain the normal site use / user data which is collected via cookies.
We also retain data relating to the searches you complete. This is to enable our community approach and allows all users to be made aware when another user conducts a search on a Data Subject who has previously been searched. This functionality, called the Follow Facility, can be switched off at client request; doing so disables notifications to the client of previous searches and notifications to other users. Where retained, search data is only held for 12 months.
We also retain the data associated with search results. This is only held for a period of 30 days and is to enable us to respond to any Data Subject Access Requests (DSAR) from Data Subjects and to enrich the results of further searches. Without retaining this data we would not be able to provide a record of the search result. Legal privilege and the associated GDPR exemptions do not apply and, as results are focused on an individual’s personal data and publicly available data, clients should be aware that if a DSAR is received we would fully disclose the Heads Up search results to the Data Subject whilst making the client aware of the DSAR application.
So what is the basis of Lawful Processing for users of Heads Up?
This is where client Privacy Policies and Notices come in.
In an ideal scenario, to guarantee GDPR compliance you would provide a Fair Processing notice to each Data Subject outlining what specific searches will take place and which elements of their personal data will be used, and gain their consent to the search being completed.
We all know that this is impractical.
The first step is necessity. Before considering whether to complete a Heads Up search or to become a user of our platform, you, as Controller, must determine that the personal data we will collect from you, process for the searches and then return to you in the results is necessary and cannot reasonably be obtained through another, less intrusive method.
Once you are comfortable that the processing is necessary, you must determine the lawful basis for processing; there are six lawful bases outlined within Article 6 of the UKGDPR.
Of the six lawful bases available, the one most commonly applied to the use of Heads Up is what is commonly referred to as “legitimate interest”, i.e. that the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless it is disproportionate or there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
In the vast majority of scenarios when Insurers use Heads Up they are doing so to protect their own legitimate interests: someone has applied for a policy, or someone has submitted a claim and is asking for financial compensation.
In these scenarios, our view (although it is important you satisfy your own compliance lead) is that as long as:
Below is an example of how legitimate interest can be outlined to Data Subjects within a Privacy Policy. In this case not only has legitimate interest been provided as a lawful basis for data processing but further detail has been outlined regarding when this lawful basis will apply.
In this example we would advise that the ‘Fraud detection and prevention’ and ‘setting reserves for injury claims’ both support the application of Heads Up. Of course, if you have any doubts about your position, you should seek legal advice.
Legitimate Interests
Sometimes we need to process your personal data for our legitimate business purposes in order to ensure we continue to provide a great customer experience. In every instance, we will always balance our interests against yours.
The processes below are considered necessary to meet our legitimate interests:
What of Purpose Limitation issues?
Within Privacy Policy wordings there will be a defined set of reasons for processing the personal data which has been collected from data subjects. This is often outlined as part of a ‘How we use your data’ section and can include legitimate interest as a specifically defined lawful basis for processing.
Our legal review activity has found that the vast majority of Insurers’ Privacy Policies include within their wording the following four data processing purposes, all of which are relevant purposes to support the use of Heads Up and the processing of someone’s personal data. Sometimes, as in the above example, these data uses are linked to a specific legitimate interest section, but this is not always necessary:
Outlining that an individual’s data may be gathered for processing within these scenarios enables Insurers to support a justifiable legitimate interest to conduct a search via the Heads Up platform that is clearly aligned with a reason for data processing outlined within the applicable Privacy Policy.
But what about Third Parties? For injury claims submitted via the Claims Portal, the Privacy Notice associated with the portal makes it clear that, by submitting data, the data will be processed for the following purposes (amongst a range of others):
Again this provides Insurers with a justifiable legitimate interest to process the personal data for these explicitly outlined scenarios.
What about Special Category Data?
Heads Up does not use special category data.
What about Criminal Data?
Heads Up does bring back links to data sources which may contain information regarding criminal data: arrests, cautions, prosecutions and convictions. These links potentially provide criminality data relating to a data subject, but it is for the client to analyse and review the data contained within these links and assess whether the linked data actually relates to the data subject in question.
We are not sourcing DBS or similar conviction data, only publicly available data which would be found by anyone searching the internet. Heads Up simply provides clients with a more efficient and pinpoint way of identifying potentially related data, avoiding clumsy and time-consuming search engine activity by staff members.
It is worth noting that criminal convictions form a key element of the underwriting process and are part of the data disclosed at policy inception. Heads Up enables you to validate this disclosure using publicly available data which your staff could be locating themselves, given training and time. Heads Up just shortcuts this process.
We ask all clients to ensure that Privacy Policies / Notices inform data subjects that –
Please remember that the criminality search functionality can be disabled and is completely optional. It is important that you are comfortable that the results of any searches you choose to make are in line with your wider compliance position in respect of the collection and processing of Criminal Data.
Finally we always stress the need to analyse and assess the links to data sources identified to ensure they do relate to the correct data subject.
Are you sure we can share data with you?
Legally, a Controller can share any personal data with a Processor to carry out a function that the Controller itself is lawfully able to undertake. Strictly, there is no need to have a lawful basis for sharing personal data with a Processor, but of course, in practice, ensuring transparency even in this regard does help reduce uncertainty and the complaints that may arise as a result.
To the extent you do share limited details with us as a Controller for the purposes above, again the vast majority of Privacy Policies have a ‘Sharing our data’ section in which a range of third party entities are outlined to Data Subjects. We are happy to work with you to ensure that we are both satisfied that we fall within the definition of one of the third party types outlined within your Privacy Policy. However, common inclusions such as –
We are satisfied that in both examples above Heads Up Technologies Limited fall within the scope of the entities described.
What about Data Minimisation?
We have designed Heads Up with GDPR compliance and privacy impact minimisation as a core consideration. Heads Up allows you to provide us with minimal personal data to complete your search, and our system architecture allows you to search only the risk categories which are relevant to your justification for processing, which therefore minimises the amount of personal data you receive. This importantly allows searches to be proportionate to your justification for processing. It is our belief that this should also help add comfort when assessing the necessity of any chosen searches, as set out above.
We will work with clients to ensure that search parameters adhere to the ‘adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed’ GDPR requirement.
Have you thought about Data Accuracy?
We have! We will need to rely on you for the accuracy of the search data provided, and our contract will include an obligation on all clients to apply best endeavours to only search using accurate and current personal data; of course, that is a lesser obligation than the law itself imposes in terms of data accuracy.
When we provide results these will be accompanied by the wording below which explains our position in respect of data accuracy as a Processor:
The risk ratings we provide are determined by any and all publicly sourced data available on the search date. Heads Up Technologies Limited have no liability for the accuracy of any content contained within the linked source data or for the removal of any linked source data by the Controller. Heads Up Technologies Limited have in no way amended, altered, deleted or added to the source data or in any way changed the content of any of the identified source data. Heads Up Technologies Limited recommends this report is considered in conjunction with other data to build a robust profile of the Data Subject and that this report is not solely relied upon. Heads Up Technologies Limited act as both Processor and Controller (as defined within the UKGDPR and/or GDPR, as applicable) and therefore have only retained certain elements of any Personal Data once this report has been issued to the client. This Report is not intended to be used for disclosure purposes.
What about system security and user controls?
Keeping personal data secure is unusual in that it is a direct obligation on the Controller and the Processor separately. The obligation is to implement appropriate technical and organisational security measures to ensure a level of security for the personal data that is appropriate to the risk presented to that personal data. There are a number of factors to be considered when making this decision, for example the type of personal data being processed (e.g. a hospital’s patient medical records would need a stronger level of protection than a business’ list of supplier contacts).
Therefore we have designed strict security protocols with limitations on user access in terms of periods of inactivity, password resets and password acceptability, as well as secure storage controls and secure methods of exchanging data during the search process when completed by API or CSV upload connectivity.
We will be training your staff on how to handle personal data safely and securely and how to use the platform compliantly and safely, but it is important that you stress that such instructions and measures should be followed at all times.
GDPR compliance and Privacy Impact by design – of course!
Another overriding theme in data protection law is that Controllers should generally adopt data protection by design and by default in relation to their processing activities. This means that they should design their systems and processes with data protection at their heart and that risks in this area should be thought about at the outset (which is why we prepared this note). In our case, it means the Heads Up platform can be easily adapted so that its use smoothly complies with data protection laws. For example, we have made it easy to perform searches for individuals’ personal data and to retrieve it if someone submits a DSAR, or to identify and delete personal data that is past its retention period.
What if we still have questions?
We expected that! Please send any legal and compliance questions to our Founder and CEO David Beardsworth via David@hut.global.
Copyright © 2024 HeadsUp Technologies Limited
Company registered in England & Wales
Company number 12968519