Fed up with ridiculous, unfathomable car insurance price hikes? Read on to find out how to use GDPR to fight back.
Here is the scenario. A while ago my Mum picked my Dad up from hospital (nothing serious). While parked, the car got hit by a careless driver. He cleared off, but luckily an ambulance driver took his reg, plus the car park had CCTV, so he got caught. However, my Dad’s insurance with Esure doubled. I know they can do that; I don’t like it, more on that later. So anyway, he moved insurance companies to Santander, telling them about the accident. All was fine. But then Santander sent him a letter saying the details they received from the Claims and Underwriting Exchange database (CUE) differed from the information he had supplied when he moved to them as his insurer. It said the driver at the time of the accident was my Mum. But that’s not correct, is it? The car was parked and empty when hit. So that’s information about my Mum that is inaccurate; in fact it’s simply been made up. There was no driver at the time of the accident. Thus, under DPA she has a right to get it corrected. Santander agrees but says Esure need to change it; Esure say they can’t change it and that MIB, who are the data controller for CUE, need to change it. They say they can’t and it has to be Esure. Hence nothing is changed on CUE and the ICO are now involved at our request.
This is my take on it: –
1. CUE database – does anyone know this exists outside of the car insurance world? I had certainly never heard of it. I knew insurance companies shared data but there is no explicit mention of this or its owner (MIB) in any insurer’s data privacy notice I have read.
2. Inaccurate data – as you know my Mum was listed as the driver at the time of the accident. Hmm, for an unattended parked vehicle that was hit, how does that work? GDPR/DPA stipulate the need for accurate data. Clearly this is nothing like it.
3. Amending data – Getting this data amended has proved close to impossible and even now it is still incorrect. Santander said they couldn’t change it, but agreed it was wrong. Esure said they couldn’t change it and said “something has to go in that field”, which is nonsense, and MIB said it had to be Esure that change it, even though MIB are the data controller for CUE according to their website. Everyone points the finger at everyone else: total confusion and misinformation. No one seems to know who the data controller is, who the data processor is, and thus who is responsible for ensuring it holds accurate, up-to-date data, which is a DPA legal requirement.
4. Subject Access Request – my Dad (ok, I did prompt him to do this bit) put in a subject access request to MIB, Esure and Santander. This process was horrific. My Dad is 81, and needed a scanner, printer and good IT skills to manage it. He struggled. Amazingly, though, he never asked for my help; very proud. How, though, would most people manage this? A process I expect is intentionally designed to discourage people from finding out what nonsense is held about them. He has had other information made available to him. Well, I say made available; actually he can’t access it due to a complex, convoluted portal that he can’t understand how to log into. I guess he will need my help on that one.
Eventually the SAR data is sent through, after a lengthy wait, and guess what? The driver data has been removed. How odd, since all parties said this was impossible, with Esure stating that “something needs to be in that field”. Seems the power of an SAR can make the impossible possible.
5. Incomplete data – so after the SAR we realised that some of the fields had half-finished sentences, for example, “tp hit into ph parked vehicle – my vehicle was parked an ….” Hmm, how does that sentence end? No one knows; that’s how it’s been left on CUE. That is incomplete data and thus breaches GDPR/DPA.
Ok, so saving the best for last. All this atrocious skulduggery aside, how can it be that a hit and run against a car parked in a secure, well-lit hospital car park, in a legitimate space, while stationary and unattended, doubles the insurance premium of the victim? The insurance companies justify this by saying that if you are involved in a no-fault incident then statistically you are more likely to be involved in an at-fault accident. What a horrific, abhorrent generalisation. There is simply too little information in the statement “has been in a no fault incident” to profile a driver as a higher risk. Ok, so I concede, if an incident was one where a driver was tailgating, and managed to just about stop in time for queuing traffic on a motorway, immediately prior to being rear-ended by the following vehicle, you could understand it. However, the decision isn’t being made using the full information; just the “has been involved in a no fault incident” information is used. Hence, in incidents of genuine faultlessness like my Father’s, hundreds of thousands, maybe millions, of drivers are being penalised for doing absolutely nothing at all wrong. Is this not the same as the discredited excuse of the police while stopping and searching more black/Asian people because they are involved in more crime statistically? It’s just plain wrong, and the insurance companies tell us there is nothing we could do about it other than suck it up. Well, guess what? GDPR is here, and those days are done; it’s time to fight back.
The GDPR states –
“Organisations must tell customers about the profiling and automated decision-making they carry out, what information they use to create the profiles and where they get this information from” – none of this appears to have happened in the case of my Dad.
In addition it states –
“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly affects him or her” – Article 22(1). Again I haven’t heard the insurance companies offering a manual based justifiable decision based service to anyone.
Being classified as less safe on the basis of a generic one rule for all needs to end. It’s already been accepted that we can no longer apply different premiums based on gender; they had stats on that too, remember? The GDPR isn’t there to cause HR and marketing managers a headache, even though it did. It’s there as a tool for all of us to use, and what better place to start than taking on the insurance companies and their immoral profiteering from unsound statistics.
If this rings a note with you, start by sending MIB a SAR; you may be amazed by the nonsense they are using against you to hike your insurance premium.