Data Protection Act 1998 – Statement of Practice
Risk Assurance Management Limited (The Company) is a Lloyd's Coverholder authorised by the Corporation of Lloyd's of London to arrange certain insurances at Lloyd's. The Company is regulated by the Financial Conduct Authority.
The Company is registered as a Data Controller under the Data Protection Act 1998 (DPA) and transacts business in accordance with the terms of that Act. The Company is subject to annual audits on behalf of Lloyd's and by its own auditors.
As a registered Data Controller the DPA places responsibility on The Company to ensure that personal data of all types is properly managed and protected within the Company and that all aspects of the legislation is complied with at all times.
At the commencement of any group insurance with The Company, the Proposer is required to sign a declaration within the proposal form :-
- Consenting to use by The Company of any information provided, for the purpose of the insurance in connection with the processes of underwriting, administration, claims management, rehabilitation and handling of customer concerns
- Acknowledging that the information may be shared with other insurers, reinsurers, insurance intermediaries and service providers who are involved in either the operation of insurance which covers employees or the employee benefit arrangements provided by the Company
- Acknowledging that the data will be processed fairly and securely in accordance with the Data Protection Act 1998 and the details will be stored on computer but will not be kept for longer than necessary
- Confirming that the data in relation to the insurance has been obtained and passed to The Company in accordance with the requirements of the Data Protection Act 1998 and confirming that the Proposer has the employee's consent to forward such information to The Company.
During the administration of new proposals and the administration of completed contracts strict procedures are in place to ensure the confidentiality of information provided to The Company for the purpose of the insurance and when contracts cease information is only retained for a limited period of time to:-
- Process claims
- Answer questions from former policyholders about their ended contracts
- For use in the event of litigation should there be a complaint against the Company
We are required by our regulator the Financial Conduct Authority to maintain accurate records and information is retained but only for as long as required by legislation or necessary business purposes.
As a Data Controller The Company complies with the eight key principles of the Data Protection Act 1998 being:-
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under the Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The Company only transacts business received from intermediaries which are regulated by the Financial Conduct Authority who act on behalf of the Policyholder.