Your privacy is very important to us. We promise to respect and protect your personal information and try to make sure that your details are accurate and kept up to date. This Privacy Policy sets out details of the information that we may collect about you and how we may use that information. Please take your time to read this Privacy Policy carefully. When using our website, this Privacy Policy should be read alongside the website terms and conditions.

1 - About Insure The Box

In this Privacy Policy references to “we” or “us” refer to Insure The Box Limited. Insurethebox is a trading style of Insure The Box Limited. We are part of the MS&AD Insurance Group of companies. You can find out more about the group at www.ms-ad-hd.com/en. We will share data within the group, but this is limited to our group companies within the European Economic Area (EEA), except in exceptional circumstances where we may need to discuss a policy or claim with our parent companies.

In order to provide our services, we will collect and use data about individuals. This means that we are a ‘data controller’ and we are responsible for complying with data protection laws. We have appointed a data protection officer to oversee our handling of personal information. If you would like more information about how we collect, store or use your personal information, see the Contact us section below.

2 - What do we mean by personal information?

“Personal information” means information that relates to you as an individual, whether linked to your name or any other way in which you could be identified, such as your driving licence number or your insurance policy number.

Certain types of personal information are considered to be “special categories of information” due to their more sensitive nature. Sometimes we will ask for or obtain special categories of information because it is relevant to your insurance policy or claim. For example, to assess risk appropriately, we will ask our customers about previous motoring convictions. This Privacy Policy highlights where we are likely to obtain special categories of information, and the grounds on which we process this data. We will only process special categories of information where they are relevant and will never process certain types e.g. details of your sex life.

Special categories of information: Information about your health, criminal convictions, genetic or biometric data, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.

3 - Our processing of your personal information

The personal information that we collect will depend on our relationship with you.  For example, we will collect more detailed information about you if you have become a customer than if you simply ask for a quote. We have included a number of sections below – simply read those which most apply to your relationship with us.

If you provide personal information to us about other people you must provide them with a copy of this Privacy Policy, and obtain relevant consent from them where we have indicated in this Privacy Policy that we need it.

3.1 - If you have (or someone on your behalf has) taken out a quote through us

(This section shows what personal information we collect about you and use if you are either: a prospective customer and have submitted your personal information so that we can provide you with an insurance quote; or are somebody named on a quotation.)

What personal information will we collect and where will we collect it from?

We collect the following information provided by you (or anyone applying for a policy on your behalf) by phone or web:

  • Individual details: Your name, address, contact details (e.g. email / telephone), gender, marital status, date of birth, nationality
  • Employment information: Your job title and the nature of the industry you work in
  • Identification details: Your driving licence number
  • Previous and current claims: Any previous insurance policies you have held and claims made against those policies
  • Other risk details: Details about the car to be insured, along with the following special categories of information relating to each driver:
    • Health data: Physical or mental health factors relevant to the insurance application, e.g. DVLA notifiable conditions
    • Criminal convictions which are unspent under the Rehabilitation of Offenders Act. This includes both motoring and non-motoring offences / alleged offences which you have committed, or any court sentences which you are subject to
  • Marketing preferences: Where relevant, including whether you have requested not to receive marketing information
  • Website usage, including Cookies and use of our Live Chat facility: See section 3.6 below
  • Other information: that we capture during recordings of our telephone calls, or if you make a complaint. This may include special categories of information you volunteer when communicating with us (we will not further process these without your explicit consent).

We use external sources to supplement and verify the information above, and also to provide the following new information:

  • Credit and anti-fraud data: Credit history, credit score, sanctions and criminal offences, bankruptcy orders, individual voluntary arrangements (IVAs) or county court judgements, and information received from various anti-fraud databases. Some of this information (e.g. criminal offences) may include special categories of information relating to you
  • Demographic data: Lifestyle indicators such as income, education, and size of your household
  • Open source data: Unstructured data which is in the public domain.

The external sources that provide us with information about you include:

  • The policy applicant (where you are an individual named under a quote) or anyone authorised to act on your or their behalf
  • Other MS&AD Insurance Group companies
  • Other third parties involved in the insurance application process (such as the price comparison website used, or other insurers)
  • Credit reference agencies
  • Providers of demographic data and vehicle data
  • Financial crime detection agencies and insurance industry financial crime databases (such as for fraud prevention and checking against international sanctions) including the Claims and Underwriting Exchange (known as “CUE”) and CIFAS
  • Insurance industry bodies and databases (including the Motor Insurance Database, the MID)
  • Government agencies and bodies such as the DVLA or regulators (e.g. Financial Conduct Authority)
  • Publicly available sources (e.g. the electoral roll, court judgments, insolvency registers, internet search engines, news articles).

What will we use your personal information for?

We may process your personal information for a number of different purposes. We must have a legal ground for each purpose, and we will rely on the following grounds:

  • We need your personal information because it is necessary to enter into or perform a contract (e.g. you request a quote with a view to entering into an insurance contract)
  • We have a genuine business need to use your personal information (e.g. to keep a record of the decisions we make when different types of applications are made, keep business records, carry out strategic business analysis, review our business planning and/or develop and improve our products and services). When using your personal information in this way, we will always consider your rights and interests
  • We have a legal or regulatory obligation to use your personal information (e.g. to meet record-keeping requirements of our regulators).

For special categories of information, we must have an additional legal ground for processing. We will rely on the following:

  • It is in the substantial public interest and it is necessary: i) for an insurance purpose (e.g. assessing your insurance application and managing claims); or ii) to prevent and detect an unlawful act (e.g. fraud)
  • To establish, exercise or defend legal rights (e.g. legal proceedings are being brought against us or we want to bring a legal claim ourselves).

See the table below. Where we’ve used the acronym PH this refers to the proposed policy applicant. ND refers to any named driver on the quote:

Type of Processing: To assess your insurance application and provide a quote (or a quote in which you are named)
  • Grounds for using personal information:
    • PH – To enter into or perform a contract
    • ND – We have a genuine business need (to assess the insurance application and provide a quote)
  • Grounds for special categories:
    • It is necessary for an insurance purpose

Type of Processing: To carry out fraud, credit and anti-money laundering checks (or a quote in which you are named)
  • Grounds for using personal information:
    • PH – To enter into or perform a contract
    • ND – We have a genuine business need (to carry out appropriate fraud / credit checks)
  • Grounds for special categories:
    • It is necessary for an insurance purpose
    • It is in the substantial public interest to prevent or detect unlawful acts (where we suspect fraud)
    • To establish, exercise or defend legal rights

Type of Processing: To communicate with you and resolve any complaints that you might have
  • Grounds for using personal information:
    • To enter into or perform a contract
    • We have a genuine business need (to send you communications, record and handle complaints)
  • Grounds for special categories:
    • It is necessary for an insurance purpose
    • To establish, exercise or defend legal rights

Type of Processing: To comply with our legal or regulatory obligations
  • Grounds for using personal information:
    • We have a legal or regulatory obligation
  • Grounds for special categories:
    • It is necessary for an insurance purpose to establish, exercise or defend legal rights

Type of Processing: To ensure that we consider any customers who may be in a vulnerable circumstance
  • Grounds for using personal information:
    • We have a genuine business need (to ensure a consistent service to all of our customers and that all customers are treated equally)
  • Grounds for special categories:
    • It is necessary for an insurance purpose

Type of Processing: To provide improved quality, training and security (e.g. through recorded or monitored phone calls to / from us, or customer satisfaction surveys)
  • Grounds for using personal information:
    • We have a genuine business need (to develop and improve our products and services)
  • Grounds for special categories:
    • We will not process your special categories of information for this purpose

Type of Processing: Managing our business operations (e.g. keeping accounting records, analysing financial results, meeting audit requirements, receiving professional advice, and holding our own insurance)
  • Grounds for using personal information:
    • We have a genuine business need (to carry out business operations and activities that are necessary for the everyday running of a business)
  • Grounds for special categories:
    • We will not process your special categories of information for this purpose

Type of Processing: For insurance administration purposes including trend analysis, actuarial work, pricing analysis, analysis of customer experience, planning service delivery, risk assessment and costs and charges
  • Grounds for using personal information:
    • We have a genuine business need (to develop and improve our products and services)
  • Grounds for special categories:
    • We will not process your special categories of information for this purpose

Type of Processing: To send you marketing materials about our products and services (with your permission)
  • Grounds for using personal information:
    • We have a genuine business need (to market our products)
  • Grounds for special categories:
    • We will not process your special categories of information for this purpose

Who will we share your personal information with?

On occasion, we will share personal information within the MS&AD Insurance Group or with the following third parties for the above purposes:

  • The policy applicant (where you are an individual named in a quote), or anyone authorised to act on your or their behalf
  • Credit reference agencies
  • Providers of demographic data and vehicle data
  • Financial crime detection agencies and insurance industry financial crime databases (such as for fraud prevention and checking against international sanctions) including the Claims and Underwriting Exchange (known as “CUE”), and CIFAS
  • Insurance industry bodies and databases (including the Motor Insurance Database, the MID)
  • Government agencies and bodies such as the DVLA, HMRC, Department for Work & Pensions, or regulators (e.g. Financial Conduct Authority)
  • Other third parties involved in the insurance application process (such as the price comparison website used, or other insurers)
  • Third party suppliers we appoint to help us carry out our everyday business activities including IT suppliers, subcontractors, and any outsourced service centre providers
  • The police and other crime prevention and detection agencies
  • Selected third parties in connection with any sale, transfer or disposal of our business.

If you would like more information about any of the above uses of your personal information, see the Contact us section below.

3.2 - If you hold (or are covered under) an insurance policy through us

(This section shows what personal information we collect about you and use if you are a customer, or are covered by an insurance policy through us)

What personal information will we collect and where will we collect it from?

In addition to the information provided to us by you (or on your behalf) in section 3.1 above, we will obtain information about you during the lifetime of your policy, and if you claim against your insurance. This information includes:

  • Financial information: Bank and payment information
  • Telematics information: The telematics Black Box fitted to the insured car collects a wide range of driving data such as:
    • Date/time: This helps us to understand at what time of day the car is driven
    • Locational data: This helps us to understand which roads the car is driven on, and supports the Theft Tracking service
    • Speed, acceleration, and braking data: This helps us to understand how smooth the driving style is
    • Accident detection: This helps us to operate the Accident Alert service and to understand the circumstances relating to any accident
    • Note: The telematics data obtained will relate to the car, not necessarily just to the policyholder. It is not possible to determine an individual driver at any point in time. If a policy ends, or is cancelled, the Black Box is remotely deactivated and will stop recording data.
  • Additional identification details: This may include items to verify your identity, residency, marital status, address, driving licence details and details of your car. All of this information will be obtained from you, but can contain special categories of information (e.g. a driving licence may show details of any motoring convictions)
  • Claims information: In relation to any incident or alleged incident involving the insured car. This includes special categories of information you volunteer when communicating with us about your claim (We will only process such information to the extent necessary in connection with your claim or where in connection with legal proceedings. All further processing will only be with your explicit consent).

We use external sources to supplement and verify the information above, and also to provide the following new information:

  • Credit and anti-fraud data: Credit history, credit score, sanctions and criminal offences, bankruptcy orders, individual voluntary arrangements (IVAs) or county court judgements, and information received from various anti-fraud databases. Some of this information (e.g. criminal offences) may include special categories of information relating to you
  • Demographic data: Lifestyle indicators such as income, education, and size of your household
  • Open source data: Unstructured data which is in the public domain, including social media, about you, or the circumstances of any accident
  • Photo or video data: including photos taken of the car at the point that the Black Box is installed; or footage recorded relating to a claim (including accident circumstances and interviews)
  • Claims assessment reports: by engineers, medical experts, claims investigators, and in limited circumstances, private investigators. Some assessment reports may include special categories of information relating to you.

The external sources that provide us with information about you include:

  • The named policyholder (where you are an individual covered or named under an insurance policy)
  • Other MS&AD Insurance Group companies
  • Other third parties involved in your insurance policy (such as the price comparison website used, providers of optional extra insurance)
  • Third party suppliers we appoint to help us to carry out:
    • fitting of Black Boxes on our behalf; and
    • our everyday business activities including IT suppliers, actuaries, auditors, lawyers, debt collection agencies, document management providers, outsourced business process management providers, our subcontractors and tax advisors
  • In the event of a claim:
    • other parties involved in a claim, including passengers, witnesses, any third party claimants, or their insurer
    • third party suppliers we appoint to help us provide a service in relation to a claim (such as external claims handlers, our accident repair network, medical experts, claims investigators and private investigators)
  • Credit reference agencies
  • Providers of demographic data and vehicle data
  • Financial crime detection agencies and insurance industry databases (such as for fraud prevention and checking against international sanctions) including the Claims and Underwriting Exchange (known as “CUE”) and CIFAS
  • Insurance industry bodies and databases (including the Motor Insurance Database, the MID)
  • Government agencies and bodies such as the DVLA, HMRC, Department for Work & Pensions, or regulators (e.g. Financial Conduct Authority)
  • Publicly available sources (e.g. the electoral roll, court judgments, insolvency registers, internet search engines, news articles, social media)
  • The police, HMRC and other crime prevention and detection agencies.

What will we use your personal information for?

We may process your personal information for a number of purposes. For each purpose, we will rely on one or more of the following legal grounds:

  • We need your personal information because it is necessary to enter into or perform a contract (e.g. the insurance contract)
  • We have a genuine business need to use your personal information (e.g. to keep a record of the decisions we make when different types of applications are made, keep business records, carry out strategic business analysis, review our business planning and develop and improve our products and services). When using your personal information in this way, we will always consider your rights and interests
  • We have a legal or regulatory obligation to use your personal information (e.g. to meet record-keeping requirements of our regulators).

For special categories of information, we must have an additional legal ground for processing. We will rely on the following:

  • It is in the substantial public interest and it is necessary: i) for an insurance purpose (e.g. assessing your insurance application and managing claims); or ii) to prevent and detect an unlawful act (e.g. fraud)
  • To establish, exercise or defend legal rights (e.g. legal proceedings are being brought against us or we want to bring a legal claim ourselves).

See the table below. Where we’ve used the acronym PH this refers to the proposed policy applicant. ND refers to any named driver on the quote:

Type of Processing: To carry out fraud, credit and anti-money laundering checks
  • Grounds for using personal information:
    • PH – To enter into or perform a contract
    • ND – We have a genuine business need (to carry out appropriate credit / fraud checks)
  • Grounds for special categories:
    • It is necessary for an insurance purpose
    • It is in the substantial public interest to prevent or detect unlawful acts (where we suspect fraud)
    • To establish, exercise or defend legal rights

Type of Processing: To set up your insurance policy (or a policy you are covered on)
  • Grounds for using personal information:
    • PH – To enter into or perform a contract
    • ND – We have a genuine business need (to set up and validate insurance policies)
  • Grounds for special categories:
    • It is necessary for an insurance purpose

Type of Processing: To manage and service and answer queries about your insurance policy (or a policy you are covered on)
  • Grounds for using personal information:
    • PH – To enter into or perform a contract
    • ND – We have a genuine business need (to manage and service insurance policies)
  • Grounds for special categories:
    • It is necessary for an insurance purpose

Type of Processing: To manage any claims you make under your insurance policy (or a policy you are covered on)
  • Grounds for using personal information:
    • PH – To enter into or perform a contract
    • ND – We have a genuine business need (to pay claims and manage the claims process)
  • Grounds for special categories:
    • It is necessary for an insurance purpose
    • To establish, exercise or defend legal rights

Type of Processing: Using telematics data to monitor driving practices
  • Grounds for using personal information:
    • PH – To enter into or perform a contract
    • ND – We have a genuine business need (to monitor the driving style of drivers insured by us)
  • Grounds for special categories:
    • We will not process your special categories of information for this purpose

Type of Processing: Using telematics data to provide theft tracking services
  • Grounds for using personal information:
    • PH – To enter into or perform a contract
  • Grounds for special categories:
    • We will not process your special categories of information for this purpose

Type of Processing: Using telematics data to make decisions around renewals and campaigns
  • Grounds for using personal information:
    • PH – To enter into or perform a contract
  • Grounds for special categories:
    • We will not process your special categories of information for this purpose

Type of Processing: Using telematics data to encourage safe driving through incentive schemes e.g. Bonus Miles
  • Grounds for using personal information:
    • We have a genuine business need (to encourage safe driving practices)
  • Grounds for special categories:
    • We will not process your special categories of information for this purpose

Type of Processing: To prevent and investigate fraud on an ongoing basis
  • Grounds for using personal information:
    • To enter into or perform your insurance contract
    • We have a genuine business need (to prevent and detect fraud and other financial crime)
  • Grounds for special categories:
    • It is in the substantial public interest to prevent or detect unlawful acts (where we suspect fraud)
    • To establish, exercise or defend legal rights

Type of Processing: To assist in renewal pricing
  • Grounds for using personal information:
    • To enter into or perform a contract
  • Grounds for special categories:
    • It is necessary for an insurance purpose

Type of Processing: To comply with our legal or regulatory obligations
  • Grounds for using personal information:
    • We have a legal or regulatory obligation
  • Grounds for special categories:
    • It is necessary for an insurance purpose
    • To establish, exercise or defend legal rights

Type of Processing: To ensure that we consider any customers who may be in a vulnerable circumstance
  • Grounds for using personal information:
    • We have a genuine business need (to ensure a consistent service to all of our customers and that all customers are treated equally)
  • Grounds for special categories:
    • It is necessary for an insurance purpose

Type of Processing: To communicate with you and resolve any complaints that you might have
  • Grounds for using personal information:
    • To enter into or perform a contract
    • We have a genuine business need (to send you communications, record and handle complaints)
  • Grounds for special categories:
    • It is necessary for an insurance purpose
    • To establish, exercise or defend legal rights

Type of Processing: To provide improved quality, training and security (e.g. through recorded or monitored phone calls to / from us, or customer satisfaction surveys)
  • Grounds for using personal information:
    • We have a genuine business need (to develop and improve our products and services)
  • Grounds for special categories:
    • We will not process your special categories of information for this purpose

Type of Processing: For debt collection purposes
  • Grounds for using personal information:
    • To enter into or perform a contract
  • Grounds for special categories:
    • We will not process your special categories of information for this purpose

Type of Processing: Managing our business operations (e.g. keeping accounting records, analysing financial results, meeting audit requirements, receiving professional advice, and holding our own insurance)
  • Grounds for using personal information:
    • We have a genuine business need (to carry out business operations and activities that are necessary for the everyday running of a business)
  • Grounds for special categories:
    • We will not process your special categories of information for this purpose

Type of Processing: For insurance administration purposes including trend analysis, actuarial work, pricing analysis, analysis of customer experience, planning service delivery, risk assessment and costs and charges
  • Grounds for using personal information:
    • We have a genuine business need (to develop and improve our products and services)
  • Grounds for special categories:
    • We will not process your special categories of information for this purpose

Type of Processing: To send you marketing materials about our products and services (where we have your permission to do so)
  • Grounds for using personal information:
    • We have a genuine business need (to market our products)
  • Grounds for special categories:
    • We will not process your special categories of information for this purpose

Who will we share your personal information with?

On occasion, we will share personal information within the MS&AD Insurance Group or with the following third parties for the above purposes:

  • The policyholder (where you are an individual named on an insurance policy), or anyone authorised to act on their behalf
  • Providers who may need your information in order to provide a service to you, including our Black Box fitting provider
  • Our premium finance provider (for instalment customers)
  • Insurers who support our products (e.g. our motor legal protection provider / providers of any optional extras purchased alongside your policy)
  • Providers of claims services (such as external claims handlers, our accident repair network, medical experts, claims investigators and private investigators)
  • The price comparison site used
  • Third party suppliers we appoint to help us to carry out our everyday business activities including IT suppliers, actuaries, auditors, lawyers, debt collection agencies, document management providers, outsourced business process management providers, our subcontractors and tax advisors
  • Credit reference agencies/debt collection agencies
  • Providers of demographic data and vehicle data
  • Financial crime detection agencies and insurance industry financial crime databases (such as for fraud prevention and checking against international sanctions) including the Claims and Underwriting Exchange (known as “CUE”), and CIFAS
  • Insurance industry bodies and databases (including the Motor Insurance Database, the MID)
  • Government agencies and bodies such as the DVLA, HMRC, Department for Work & Pensions, or professional regulators (e.g. the Financial Conduct Authority in the UK)
  • The police and other crime prevention and detection agencies
  • Our reinsurers
  • Selected third parties in connection with any sale, transfer or disposal of our business.

Sharing of Telematics Data: Once we have installed and activated the Black Box in your car, it will record and provide us with data about the driving style of all drivers of the car. It will collect a wide range of driving data such as date, time, location, speed, acceleration and braking. The Black Box also allows us to operate the Accident Alert service and to understand the circumstances relating to an accident. Assessing the data allows us to provide customers with advice on safer driving.

We will share driving data only in the circumstances shown below:

  • With third parties where we need to do so to manage the insurance policy or any claims (e.g. with our accident recovery partners if the car needs to be recovered following an accident)
  • Where your Black Box was supplied by Octo Telematics s.p.A., the telematics data is processed by them, as well as our Group. This generally applies to insurance policies which were purchased in 2013 or before
  • Between departments within the company and/or Group. For example:
    • to help reduce fraud, by checking if another person is making a false claim against the driver; or the driver is making a false claim against someone else
    • to encourage safer driving, by examining how various groups drive and at what time of day the most incidents happen
    • to assist in calculating tailored renewal premiums for policyholders
    • to research and refine techniques for analysing Black Box data, including looking at road safety issues such as analysis of certain roads to identify the risks they represent
  • Analytics suppliers use the data for research (e.g. to improve road safety). Any information that we share is made anonymous and does not contain any information that is classed as personal data under the data protection regulations. This means that none of the data can be linked to the policyholder.

We do not provide policyholders (or their representatives) with driving data for use in civil claims or criminal investigations and proceedings.

Sometimes the police and other regulatory bodies (such as HMRC or Department for Work & Pensions) may request that we send them information from the Black Box about journeys made in the insured car. This is so they can investigate road traffic accidents, and also work to prevent, detect and investigate criminal and fraudulent activities. We will not normally release driving data or locational data unless the policyholder gives us permission to provide that information; we are required to do so by law (e.g. where the police obtain a Court Order for the information); or we suspect fraud or attempted fraud.

As the telematics data obtained will relate to the car, not necessarily just to the policyholder, it is possible that data relating to any driver may be disclosed when sharing telematics data.

If you would like more information about any of the above uses of your personal information, see the Contact us section below.

3.3 - If you have been involved in an accident with someone covered under an insurance policy with us

(This section shows what personal information we collect about you and use if you have made a claim against a policyholder who is insured with us)

What personal information will we collect and where will we collect it from?

We will collect the following personal information from you, where relevant to your claim:

  • Individual details: Your name, address, contact details (e.g. email / telephone), gender, marital status, date of birth, nationality
  • Employment information: Your job title and the nature of the industry you work in
  • Identification details: Your national insurance number, passport information, driving licence number
  • Previous and current claims: Any previous insurance policies you have held and claims made against those policies
  • Information which may be relevant to your claim, including the name and contact details of your insurer, details about your car / property, and details about your claim (including any statements, photos / video footage, claims assessment reports, telematics data). This information may include the following special categories of information relating to you:
    • Health data: Physical or mental health factors which are relevant to your claim (e.g. where you have been injured in a motor accident and the driver is insured through us). This may include medical records relating to any injuries
    • Criminal convictions which are unspent under the Rehabilitation of Offenders Act. This includes both motoring and non-motoring offences / alleged offences which you have committed, or any court sentences which you are subject to
  • Financial information: Bank and payment information
  • Website usage, including Cookies and use of our Live Chat facility: See section 3.6 below
  • Other information: that we capture during recordings of our telephone calls, or if you make a complaint. This may include special categories of information you volunteer when communicating with us. We will only process such information to the extent necessary in connection with the incident or where in connection with legal proceedings. Any further processing will only be with your explicit consent.

We use external sources to supplement and verify the information above, and also to provide the following new information:

  • Credit and anti-fraud data: Credit history, credit score, sanctions and criminal offences, bankruptcy orders, individual voluntary arrangements (IVAs) or county court judgements, and information received from various anti-fraud databases. Some of this information (e.g. criminal offences) may include special categories of information relating to you
  • Demographic data: Lifestyle indicators such as income, education, and size of your household
  • Open source data: unstructured data which is in the public domain, including social media, about you, or the circumstances of any accident.

The external sources that provide us with information about you include:

  • Other parties involved in your claim, including any named individual insured through us, passengers, witnesses, or other third party claimants
  • Other MS&AD Insurance Group companies
  • Third party suppliers we appoint to help us:
    • carry out our everyday business activities including IT suppliers, actuaries, auditors, lawyers, debt collection agencies, document management providers, outsourced business process management providers, our subcontractors and tax advisors.
    • provide a service in relation to a claim (such as external claims handlers, our accident repair network, medical experts, claims investigators and, in limited circumstances, private investigators)
  • Credit reference agencies
  • Providers of demographic data and vehicle data
  • Financial crime detection agencies and insurance industry databases (such as for fraud prevention and checking against international sanctions) including the Claims Underwriting Exchange (known as “CUE”) and CIFAS
  • Insurance industry bodies and databases (including the Motor Insurance Database, the MID)
  • Government agencies and bodies such as the DVLA, HMRC, Department for Work & Pensions, or professional regulators (e.g. the Financial Conduct Authority)
  • Publicly available sources (e.g. the electoral roll, court judgments, insolvency registers, internet search engines, news articles, social media)
  • The police and other crime prevention and detection agencies
  • Other third parties involved in your insurance policy or a claim (e.g. other insurers)
  • Our reinsurers.

What will we use your personal information for?

We may process your personal information for a number of different purposes. We must have a legal ground for each purpose, and we will rely on the following grounds:

  • We have a genuine business need to use your personal information (e.g. to keep a record of the decisions we make when different types of applications are made, keep business records, carry out strategic business analysis, review our business planning and develop and improve our products and services). When using your personal information in this way, we will always consider your rights and interests
  • We have a legal or regulatory obligation to use your personal information (e.g. to meet record-keeping requirements of our regulators).

For special categories of information, we must have an additional legal ground for processing. We will rely on the following:

  • It is in the substantial public interest and it is necessary: i) for an insurance purpose (e.g. assessing your insurance application and managing claims); or ii) to prevent and detect an unlawful act (e.g. fraud)
  • To establish, exercise or defend legal rights (e.g. legal proceedings are being brought against us or we want to bring a legal claim ourselves).

We’ve shown how we use your personal information, and the legal grounds we rely on, in the table below:

| Type of Processing | Grounds for using personal information | Grounds for special categories |
| --- | --- | --- |
| To manage claims | • We have a genuine business need (to assess and pay your claim and manage the claims process) • We have a legal or regulatory obligation | • To establish, exercise or defend legal rights |
| To prevent and investigate fraud | • We have a genuine business need (to prevent and detect fraud and other financial crime) | • It is in the substantial public interest to prevent or detect unlawful acts (where we suspect fraud) • To establish, exercise or defend legal rights |
| To comply with our legal or regulatory obligations | • We have a legal or regulatory obligation | • To establish, exercise or defend legal rights • It is necessary for an insurance purpose |
| To communicate with you and resolve any complaints that you might have | • We have a genuine business need (to send you communications, record and handle complaints) | • You have given us your explicit consent • To establish, exercise or defend legal rights |
| To provide improved quality, training and security (e.g. through recorded or monitored phone calls to / from us, or customer satisfaction surveys) | • We have a genuine business need (to develop and improve our products and services) | We will not process your special categories of information for this purpose |
| Managing our business operations (e.g. keeping accounting records, analysing financial results, meeting audit requirements, receiving professional advice, and holding our own insurance) | • We have a genuine business need (to carry out business operations and activities that are necessary for the everyday running of a business) | We will not process your special categories of information for this purpose |
| For insurance administration purposes including trend analysis, actuarial work, pricing analysis, analysis of customer experience, planning service delivery, risk assessment and costs and charges | • We have a genuine business need (to develop and improve our products and services) | We will not process your special categories of information for this purpose |

Who will we share your personal information with?

On occasion, we will share personal information within the MS&AD Insurance Group or with the following third parties for the above purposes:

  • Third parties involved in the administration of the relevant insurance policy or claim. These include loss adjusters, claims handlers, private investigators, accountants, auditors, banks, lawyers and other experts including medical experts
  • Other insurers (e.g. where another insurer has previously provided you with a policy or handled a claim), and our reinsurers
  • Third party suppliers we appoint to help us carry out our everyday business activities including IT suppliers, actuaries, auditors, lawyers, document management providers, outsourced business process management providers, our subcontractors and tax advisers
  • Insurance brokers and other intermediaries
  • Credit reference agencies
  • Insurance industry bodies and databases (including the Motor Insurance Databases, the “MID”)
  • Financial crime detection agencies and insurance industry databases (such as for fraud prevention and checking against international sanctions) including the Claims Underwriting Exchange (known as “CUE”)
  • Government agencies and bodies such as the DVLA, HMRC, Department for Work & Pensions, or regulators (e.g. Financial Conduct Authority)
  • Professional regulators (e.g. the Financial Conduct Authority in the UK)
  • The police and other crime prevention and detection agencies
  • Selected third parties in connection with any sale, transfer or disposal of our business.

If you would like more information about any of the above uses of your personal information, see the Contact us section below.

3.4 - Where you witnessed an accident involving someone covered under an insurance policy through us

(This section shows what personal information we collect about you and use if you are a witness to an incident which involves one of our customers)

What personal information will we collect and where will we collect it from?

We will collect the following personal information from you:

  • Individual details: Your name, address, contact details (e.g. email / telephone), gender, marital status, date of birth, nationality
  • Employment information: Your job title and the nature of the industry you work in
  • Identification details: Your national insurance number, passport information, driving licence
  • Claims information: In relation to any incident or alleged incident that you have witnessed
  • Photo or video data: including photos or footage recorded relating to a claim (including accident circumstances and interviews)
  • Website usage, including Cookies and use of our Live Chat facility: See section 3.6 below
  • Other information: that we capture during recordings of our telephone calls, or if you make a complaint. This may include other special categories of information you volunteer when communicating with us about the incident that you witnessed. We will only process this information where it relates to the incident itself or legal proceedings. Any further processing will only be with your explicit consent.

We use external sources to supplement and verify the information above, and also to provide the following new information:

  • Claims assessment reports: by claims investigators, and in limited circumstances, private investigators
  • Open source data: unstructured data which is in the public domain, including social media, about you, or the circumstances of any accident.

The external sources that provide us with information about you include:

  • Other parties involved in the incident you witnessed (such as any named individual insured through us, passengers, other witnesses, third party claimants, brokers, insurers, and the emergency services)
  • Other third parties who provide a service in relation to a claim (such as external claims handlers, our accident repair network, medical experts, claims investigators and, in limited circumstances, private investigators)
  • Publicly available sources (e.g. the electoral roll, court judgments, insolvency registers, internet search engines, news articles, social media)
  • Other MS&AD Insurance Group companies.

What will we use your personal information for?

We may process your personal information for a number of different purposes. We must have a legal ground for each purpose, and we will rely on the following grounds:

  • We have a legal or regulatory obligation to use your personal information (e.g. our regulators impose certain record-keeping rules which we must adhere to)
  • We have a genuine business need to use your personal information (e.g. to keep a record of the decisions we make when different types of applications are made, keep business records, carry out strategic business analysis, review our business planning and develop and improve our products and services). When using your personal information in this way, we will always consider your rights and interests.

For special categories of information, we must have an additional legal ground for processing. We will rely on the following:

  • It is necessary for an insurance purpose and it is in the substantial public interest. This will apply where: i) we are assisting with any claims under a policy (we will only rely on this legal ground if we have not been able to obtain or you have not given us your explicit consent) and; ii) undertaking any activities to prevent and detect fraud.
  • To establish, exercise or defend legal rights (e.g. legal proceedings are being brought against us or we want to bring a legal claim ourselves).

We’ve shown how we use your personal information, and the legal grounds we rely on, in the table below:

| Type of Processing | Grounds for using personal information | Grounds for special categories |
| --- | --- | --- |
| To investigate and manage claims made under an insurance policy | • We have a genuine business need (to assess and pay claims and manage the claims process) | • You have given us your explicit consent or it is necessary for an insurance purpose • To establish, exercise or defend legal rights |
| To comply with our legal or regulatory obligations | • We have a legal or regulatory obligation | • You have given us your explicit consent • To establish, exercise or defend legal rights |
| To prevent and investigate fraud | • We have a genuine business need (to prevent and detect fraud and other financial crime) | • It is in the substantial public interest to prevent or detect unlawful acts (where we suspect fraud) • To establish, exercise or defend legal rights |
| For business processes and activities including analysis, review, planning and transactions | • We have a genuine business need (to effectively manage our business) | We will not process your special categories of information for this purpose |

Who will we share your personal information with?

On occasion, we will share personal information within the MS&AD Insurance Group or with the following third parties for the above purposes:

  • Other parties involved in the incident you witnessed
  • Other insurers (e.g. where another insurer is also involved in the claim which relates to the incident you witnessed), and our reinsurers
  • Third parties involved in the administration of an insurance policy or claim. These include loss adjusters, claims handlers, accountants, auditors, banks, lawyers, medical experts, and in limited circumstances, private investigators
  • Third party suppliers we appoint to help us carry out our everyday business activities including IT suppliers, actuaries, auditors, lawyers, document management providers, outsourced business process management providers, our subcontractors and tax advisers
  • Insurance industry bodies and databases (including the Motor Insurance Databases, the “MID”)
  • Financial crime detection agencies and insurance industry databases (such as for fraud prevention and checking against international sanctions) including the Claims Underwriting Exchange (known as “CUE”)
  • Government agencies and bodies such as the DVLA, HMRC, Department for Work & Pensions, or regulators (e.g. Financial Conduct Authority)
  • The police and other crime prevention and detection agencies
  • Selected third parties in connection with any sale, transfer or disposal of our business.

If you would like more information about any of the above uses of your personal information, see the Contact us section below.

3.5 - Suppliers & Partners

(If you are a point of contact at one of our suppliers or partners, this section will be relevant to you and sets out our uses of your personal information)

 What personal information will we collect and where will we collect it from?

In order to work effectively with you and for ongoing due diligence purposes, we will need to collect some personal information from you which may include:

  • Individual details: Your name, address, contact details (e.g. email / telephone)
  • Employment information: Your job title and the nature of the industry you work in (including potentially previous roles)
  • Identification details: Items to verify your identity, residency, marital status, address, driving licence details. All of this information will be obtained from you, but can contain special categories of information (e.g. a driving licence may show details of any motoring convictions)
  • Criminal convictions which are unspent under the Rehabilitation of Offenders Act. This includes both motoring and non-motoring offences / alleged offences which you have committed, or any court sentences which you are subject to. All of this information will be obtained from you, but may contain special categories of information.
  • Website usage, including Cookies and use of our Live Chat facility: See section 3.6 below
  • Other information: that we capture during recordings of our telephone calls, or if you make a complaint. This may include special categories of information you volunteer when communicating with us (we will not further process these without your explicit consent).

We use external sources to supplement and verify the information above, and also to provide the following new information:

  • Credit and anti-fraud data: Credit history, credit score, sanctions and criminal offences, bankruptcy orders, individual voluntary arrangements or county court judgements, and information received from various anti-fraud databases. Some of this information (e.g. criminal offences) may include special categories of information relating to you
  • Open source data: unstructured data which is in the public domain, including social media, about you or your company, as part of our due diligence checks.

The external sources that provide us with information about you include:

  • Other MS&AD Insurance Group companies
  • Publicly available sources such as the electoral roll, court judgments, insolvency registers, internet search engines, news articles and social media sites
  • Financial crime detection agencies and insurance industry databases (such as for fraud prevention and checking against international sanctions).

What will we use your personal information for?

We may process your personal information for a number of different purposes. We must have a legal ground for each purpose, and we will rely on the following grounds:

  • We need to use your personal information because it is necessary to enter into or perform the contract that we hold with you (e.g. we may need certain information in order to operate our business partnership arrangement)
  • We have a genuine business need to use your personal information such as maintaining our business records, keeping records of insurance policies we place and business entities we interact with, and analysing and improving our business model and services. When using your personal information in this way, we have considered your rights and ensured that our business need does not cause you harm
  • We have a legal or regulatory obligation to use such personal information (e.g. we may be required to carry out certain background checks).

For special categories of information, we must have an additional legal ground for processing. We will rely on the following:

  • You have given us your explicit consent to our use of your special categories of information
  • We need to use your special categories of information for purposes relating to managing our business relationship with you where there is a substantial public interest in such use. Such purposes include preventing and detecting fraud
  • To establish, exercise or defend legal rights (e.g. legal proceedings are being brought against us or we want to bring a legal claim ourselves).

We’ve shown how we use your personal information, and the legal grounds we rely on, in the table below:

| Type of Processing | Grounds for using personal information | Grounds for special categories |
| --- | --- | --- |
| To enter into business relationships which facilitate and enable us to place insurance policies for our customers | • To enter into or perform a contract • We have a genuine business need (to enter into arrangements with other insurance partners so that we can provide services to our customers) | • You have given us your explicit consent |
| For business processes and activities including analysis, review, planning and business transactions, and applying for and claiming on our own insurance | • We have a genuine business need (to effectively manage our business and to have appropriate insurance in place) | We will not process your special categories of information for this purpose |
| To carry out fraud and anti-money laundering checks | • To enter into or perform a contract • We have a genuine business need (to ensure that we take all necessary precautions to prevent fraud) | • The prevention and detection of fraud is in the substantial public interest • To establish, exercise or defend legal rights |
| To comply with our legal or regulatory obligations | • We have a legal or regulatory obligation | • You have given us your explicit consent • To establish, exercise or defend legal rights |
| Providing improved quality, training and security (e.g. through recorded or monitored phone calls to / from us) | • We have a genuine business need (to develop and improve our products and services) | We will not process your special categories of information for this purpose |
| To manage and handle your queries | • To enter into or perform a contract • We have a genuine business need (to effectively manage our business and respond to queries) | • You have given us your explicit consent |

Who will we share your personal information with?

On occasion, we will share personal information within the MS&AD Insurance Group or with the following third parties for the above purposes:

  • Our policyholders and other third parties such as claimants where relevant
  • Third parties involved in the administration of an insurance policy or claim. These include loss adjusters, claims handlers, accountants, auditors, banks, lawyers, medical experts, and in limited circumstances, private investigators
  • Our insurance partners such as other brokers, insurers and our reinsurers.
  • Insurance industry bodies and databases (including the Motor Insurance Databases, the “MID”)
  • Third party suppliers we appoint to help us carry out our everyday business activities including IT suppliers, actuaries, auditors, lawyers, document management providers, outsourced business process management providers, our subcontractors and tax advisers
  • Financial crime detection agencies and insurance industry databases (such as for fraud prevention and checking against international sanctions) including the Claims Underwriting Exchange (known as “CUE”)
  • Government agencies and bodies such as regulators (e.g. Financial Conduct Authority)
  • The police and other crime prevention and detection agencies
  • Selected third parties in connection with any sale, transfer or disposal of our business.

If you would like more information about any of the above uses of your personal information, see the Contact us section below.

3.6 - Users of our website

(This section will detail what personal information we collect about you and use if you access and use any of our websites.)

 What personal information will we collect and where will we collect it from?

We will share some website experience data with trusted third parties to help us improve the service we provide to you. This data will never be special category data. If possible this data will be irreversibly anonymised and therefore no longer attributable to you. Where data cannot be anonymised, it will include personal data shared by most web browsers such as (but not limited to) your IP address, location, operating system, web pages visited and areas of those web pages ‘hovered’ over, and will be sent only to our providers of demographic data and data analytics. Here is a list of the providers and what they help us to do:

  • Google Analytics (https://policies.google.com/privacy?hl=en-GB) helps us to measure the performance of your web experience and analyse usage so that we can improve your journey; information may be sent outside of the EEA but if so will be anonymised by us or on receipt
  • NCC (https://www.nccgroup.trust/uk/about-us/privacy-policy/) helps us to ensure our online journey moves at an effective pace. This involves using some data sent by your browser; information may be sent outside of the EEA but if so will be anonymised on receipt
  • Mouseflow (https://mouseflow.com/privacy/) helps us to track page sessions and create heat maps so that we can quickly diagnose and analyse any problems with usability; information is never sent outside of the EEA and is automatically anonymised
  • LivePerson (https://www.liveperson.com/uk/policies/privacy) helps us to manage our Live Chat service, to provide you with the most effective user experience when handling your policy queries via the service; information may be sent outside of the EEA but it will be suitably secure and may be subject to anonymisation.

We have provided you with links to each of their websites so that you may take the time to read up on their data protection policies yourself.

 What will we use your personal information for?

We may process your personal information for a number of different purposes. We must have a legal ground for each purpose, and we will rely on the following ground:

  • We have a genuine business need to use your personal information such as maintaining our business records, monitoring usage of our website and marketing our services and improving our business model and services. When using your personal information in this way, we have considered your rights and ensured that our business need does not cause you harm.

We’ve shown how we use your personal information, and the legal grounds we rely on, in the table below:

| Type of Processing | Grounds for using personal information | Grounds for special categories |
| --- | --- | --- |
| Communicating with you and responding to any enquiries you have | • We have a genuine business need (to respond to any enquiries) | We will not process your special categories of information for this purpose |
| Monitoring usage of our websites | • We have a genuine business need (to assess usage of our website) | We will not process your special categories of information for this purpose |

If you would like more information about any of the above uses of your personal information, see the Contact us section below.

4 - What is our approach to sending your personal information abroad?

Sometimes we (or third parties acting on our behalf) will transfer personal information that we collect about you to countries outside of the European Economic Area (“EEA”).

Where a transfer occurs we will take steps to ensure that your personal information is protected. We will do this using a number of different methods including:

  • putting in place appropriate contracts. We will use a set of contract wording known as the “standard contractual clauses” which has been approved by the data protection authorities
  • transferring personal data only to those companies in the United States who are certified under the “Privacy Shield”. The Privacy Shield is a scheme under which companies certify that they provide an adequate level of data protection. You can find out more about the Privacy Shield at: https://www.privacyshield.gov/Individuals-in-Europe.

A summary of our regular data transfers outside the EEA is set out below:

| Country of transfer | Reason for the transfer | Certification |
| --- | --- | --- |
| United States of America | To assist in the collection of information by mailshot surveys & other analytical tools | Privacy Shield |
| United States of America | To assist Mouseflow Inc. to provide the web experience service as detailed above | Privacy Shield |
| United States of America | To assist LivePerson Inc. to provide our Live Chat service as detailed above | Privacy Shield |
| Republic of South Africa | To assist BulkSMS to provide us with a service to contact customers via SMS | Standard contractual clauses |

If you would like more information regarding our data transfers, see the Contact us section below.

5 - Marketing

We take privacy very seriously and will only use your personal information for the purposes laid out in this Privacy Policy. Unless you have opted out, we will contact you about marketing – for example, to offer other services or to ask if you want to take part in a competition we might run.

You may have also given your permission for us to contact you when you visited a price comparison site and obtained a car insurance quote. This would be because our product featured in the top few providers with the most competitive price and you wished for us to contact you.

You are free to object to receiving any marketing material and can edit your marketing preferences at any time. To opt out of marketing communications please email unsubscribe@insurethebox.com, or click “unsubscribe” on any marketing message we send you.

Please be aware that we have a genuine business need to be able to contact you to discuss how your policy is being administered. This form of contact falls outside of your marketing preferences and must continue in order for us to be able to provide you with a policy effectively. This will never include marketing material and all information will be strictly related to your policy.

6 - How long do we keep your personal information for?

We will keep your personal information for as long as reasonably necessary to fulfil the purposes set out in section 3 above and to comply with our legal and regulatory obligations. We have a detailed retention policy in place which governs how long we will hold different types of information for. The exact time period will depend on the purpose for which we collect that information, for example:

Quotes: 15 months
Policies, including telematics data: 7 years
Claims: 7 years
Complaints: 7 years

In some circumstances, depending on the nature of your policy and any claims made under it, data may be retained for a further period in a ‘locked down’ system from which it is only accessed when a claim arises. It is retained for as long as a potential claim might be made under a policy.

For more information about how long your personal information will be kept, see the Contact us section below.

7 - Automated processing

Where we have to make a decision about your insurance policy then most of the time we make decisions using automated processing. The process considers the information that you provide us as well as information from other sources such as search tools (e.g. Experian) to determine whether your application for insurance can be accepted and the premium price.

8 - Your rights

Under data protection law you have a number of rights in relation to the personal information that we hold about you. You can exercise these rights by contacting us. We will not usually charge you in relation to a request.

The right to access your personal information  You are entitled to a copy of the personal information we hold about you and certain details of how we use it. We will usually provide your personal information to you in writing unless you request otherwise. Where your request has been made electronically (e.g. by email), a copy of your personal information will be provided to you by electronic means where possible.
The right to rectification  We take reasonable steps to ensure that the information we hold about you is accurate and where necessary up to date and complete. If you believe that there are any inaccuracies, discrepancies or gaps in the information we hold about you, you can contact us and ask us to update or amend it.
The right to erasure  This is sometimes known as the ‘right to be forgotten’. It entitles you, in certain circumstances, to request deletion of your personal information. For example, where we no longer need your personal information for the original purpose we collected it for or where you have exercised your right to withdrawn consent. Whilst we will assess every request, there are other factors that will need to be taken into consideration. For example we may be unable to erase your information as you have requested because we have a regulatory obligation to keep it.
The right to restriction of processing  In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to use your personal information.
The right to data portability In certain circumstances, you can request that we transfer personal information that you have provided to us to a third party.
The right to object to marketing  You have control over the extent to which we market to you and you have the right to request that we stop sending you marketing messages at any time.  You can do this either by clicking on the “unsubscribe” button in any email that we send to you or by contacting us using the details set out in section 10. Please note that even if you exercise this right because you do not want to receive marketing messages, we may still send you service related communications where necessary.
The right to object to processing  In addition to the right to object to marketing, in certain circumstances you will also have the right to object to us processing your personal information.  This will be when we are relying on there being a genuine business need to process your personal information. Please note, in some circumstances we will not be able to cease processing your information, but we will let you know if this is the case.
Rights relating to automated decisions  If you have been subject to an automated decision and do not agree with the outcome, you can ask us to review it.
The right to withdraw consent  Where we rely on your consent in order to process your personal information, you have the right to withdraw such consent to further use of your personal information. Please note that for some purposes, we need your consent in order to provide your policy. If you withdraw your consent, we may need to cancel your policy or we may be unable to pay your claim. We will advise you of this at the point you seek to withdraw your consent.
The right to lodge a complaint with the ICO  You have a right to complain to the Information Commissioner’s Office if you believe that any use of your personal information by us is in breach of applicable data protection laws and / or regulations. More information can be found on the Information Commissioner’s Office website: www.ico.org.uk. This will not affect any other legal rights or remedies that you have.

Please note that although we take your rights seriously, there may be some circumstances where we cannot comply with your request such as where complying with it would mean that we couldn’t comply with our own legal or regulatory requirements. In these instances we will let you know why we cannot comply with your request.

In some circumstances, complying with your request may result in your insurance policy being cancelled or your claim being discontinued. For example, if you request erasure of your personal information, we would not have the information required to pay your claim. We will inform you of this at the time you make a request.

9 - How we protect your information

The protection of your personal data is important to us. We take a number of technical and procedural measures to protect personal data. For example:

  • Where we capture your personal information through our website, we will do this over a secure link using recognised industry standard technology (SSL) which encrypts data that is transmitted over the internet. Most browsers will indicate this by displaying a padlock symbol on the screen
  • We prevent unauthorised electronic access to servers by use of suitable firewalls and network security measures. We use strong internal antivirus and malware monitoring tools and conduct regular vulnerability scans to protect our internal infrastructure and also to protect communications we may send you electronically. Our servers are located in secure datacentres that are operated to a recognised industry standard. Only authorised people are allowed entry and this is only in certain situations
  • We ensure that only authorised persons within our business have access to your data and conduct regular checks to validate that only the correct people have access. We promote responsible access to data and segregate who can see what data within the organisation
  • Internally in our organisation, we have password policies in place which ensure passwords are strong and complex and are changed regularly
  • We use secure email exchange where necessary for sensitive data and have monitoring on all email we send and receive
  • We schedule periodic checks of all security measures to ensure they continue to be efficient and effective, taking into account technological developments.

10 - Contact us

You may contact our Data Protection Officer if you would like to exercise the rights set out above, or if you have any questions about how we collect, store or use your personal information:

Write: The Data Protection Officer, Insure The Box Limited, PO Box 1308, Newcastle upon Tyne, NE12 2BF

Email:  DPO@insurethebox.com

11 - Updates to this Privacy Policy

We may need to make changes to this Privacy Policy periodically, for example, as the result of government regulation, new technologies, or other developments in data protection laws or privacy generally or where we identify new sources and uses of personal information (provided such use is compatible with the purposes for which the personal information was originally collected). The Data Protection Officer will ensure that this document is updated regularly or as legislation requires.

This Privacy Policy was last updated on 26th April 2018.
