The Code of Conduct (CoC) is a specification of the legal regulations on data and consumer protection as they apply to the insurance industry, based on the Federal Data Protection Act (BDSG). In 2013, the insurance industry created a specific set of data protection rules with the CoC. Those affected, whether as a policyholder, as an insured person or as the injured party, have a right to have their personal, sensitive data treated with care.
What does this mean now in the reality of insurance system landscapes?
The personal data collected during the submission of the affected party’s application is recorded by machine or manually by a claim handler in actuarial applications and then saved in databases. These actuarial applications include, for example, the application data pool, the partner system and the contract system. The data from the application data pool is distributed to the respective systems during machine processing. The personal data ends up in the partner system and includes data such as the salutation, last name, first name, date of birth, mailing addresses and telephone numbers or email contact data, as well as the IBAN from the bank account used to charge the premiums through the SEPA direct debit process. Tariff-relevant data such as the contribution amount or insured amount and risk properties (risk location or object or previous illnesses) is recorded in the contract system.
The distributed data storage alone provides a certain degree of data protection. An excerpt from only one system does not allow complete conclusions about the entirety of the data on an individual. The division of functions among the individual actuarial applications therefore not only affects functional responsibilities, but also has advantages regarding data protection.
The collection system is only supplied with data required for the collection process. The printing system used, for example, to create the policy will only be supplied with the necessary data at the time of printing. The documents for all cases regarding an individual or a contract are normally saved in the electronic file (eFile) as a PDF or scanned document. Payments and claims may occur throughout the span of the contract. Additional systems (payment or claims systems) are fed data regarding these transactions. The disbursement system is supplied with payment information, but only with the data that is needed for the respective transactions. The data in its entirety is recorded, processed and saved according to the CoC rules. This means that the principles of transparency, the necessity of processed data as well as data avoidance and data minimization are considered in a special manner. This applies to the entire duration of this contract relationship between the insured party and the affected party.
Every insurance contract eventually ends, either at a time agreed upon in the application or through termination (contract cancellation). From this point in time, the affected individual has a right to their data being subject to special protection. The data must be blocked for the access that was previously required for insurance purposes. At the end of the legally required retention period (for example, in accordance with the Commercial Code [HGB], 10 years after the last booking), the data must be permanently deleted.
A so-called “CoC wheel” helps ensure that data protection is enforced from the time of the contract cancellation. The cancellation of a contract is reported to the CoC wheel by the contract system. After the expiration of a grace period, the contract cancellation results in the data in all affected systems being blocked for regular access. Blocked data is only visible in a complete, unlocked view if, for example, it must be viewed for auditing reasons. Only a few people are entitled to view this data, and they are subject to special due diligence obligations.
In the “locking case”, the CoC wheel instructs all affected systems to lock the data for this contract; the contract system is the system that triggers this. Locking can mean different steps or effects for each system. A concept describing how this is to be performed for the individual systems is created for the implementation. At the end of the legal retention period, the contract system informs the CoC wheel that the data is due for permanent deletion. The CoC wheel first runs this message past the veto authorities, which may have objections to permanent deletion. Such objections may, for example, arise from open claims or legal disputes. The veto authorities are normally the collection/disbursement system and the legal department. If objections are present, the CoC wheel stops the process until they are cleared up. If the veto authorities raise no objections, the CoC wheel requests all systems to permanently delete the data in a predetermined order. The responses are also recorded in the CoC wheel.
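The following is an added example, not code from the article or from any insurer's actual CoC wheel: a small Python model of the three phases described above (blocking after the grace period, the veto check before deletion, and deletion in a predetermined order with the responses recorded). The system names, the 30-day grace period, the deletion order, the contract identifier and the sample records are constructed assumptions for the demonstration; a real implementation would replace the in-memory systems with the messaging to the actuarial applications.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


class ActuarialSystem:
    """Stand-in for one application (partner, contract, collection, ...) that holds
    per-contract data and answers the CoC wheel's block / veto / delete messages."""

    def __init__(self, name):
        self.name = name
        self.records = {}        # contract_id -> {"data": dict, "blocked": bool}
        self.objections = set()  # contract ids this system objects to deleting (veto)

    def store(self, contract_id, data):
        self.records[contract_id] = {"data": data, "blocked": False}

    def read(self, contract_id, audit=False):
        """Regular access to blocked data is refused; only the audit view sees it."""
        rec = self.records.get(contract_id)
        if rec is None:
            return None
        if rec["blocked"] and not audit:
            raise PermissionError(f"{self.name}: contract {contract_id} is blocked")
        return rec["data"]

    def block(self, contract_id):
        rec = self.records.get(contract_id)
        if rec is not None:
            rec["blocked"] = True
        return "blocked"

    def has_objection(self, contract_id):
        return contract_id in self.objections

    def delete(self, contract_id):
        return "deleted" if self.records.pop(contract_id, None) is not None else "no data"


@dataclass
class CoCWheel:
    systems: dict                      # name -> ActuarialSystem
    veto_authorities: list             # names consulted before any deletion
    deletion_order: list               # predetermined order for the delete round
    grace_period: timedelta = timedelta(days=30)   # assumed value
    pending: dict = field(default_factory=dict)    # contract_id -> cancellation date
    log: list = field(default_factory=list)        # every message and response

    def report_cancellation(self, contract_id, cancelled_on):
        """Called by the contract system when a contract is cancelled."""
        self.pending[contract_id] = cancelled_on
        self.log.append(("cancellation", contract_id, cancelled_on.isoformat()))

    def run_blocking(self, today):
        """Block, in every system, each contract whose grace period has expired."""
        blocked = []
        for contract_id, cancelled_on in list(self.pending.items()):
            if today - cancelled_on < self.grace_period:
                continue
            for name, system in self.systems.items():
                self.log.append(("block", name, contract_id, system.block(contract_id)))
            del self.pending[contract_id]
            blocked.append(contract_id)
        return blocked

    def request_deletion(self, contract_id):
        """End of retention reported by the contract system: ask the veto authorities
        first; only if none objects, delete in the predetermined order."""
        objecting = [n for n in self.veto_authorities
                     if self.systems[n].has_objection(contract_id)]
        if objecting:
            self.log.append(("deletion_vetoed", contract_id, objecting))
            return {"status": "vetoed", "by": objecting}
        responses = {}
        for name in self.deletion_order:
            responses[name] = self.systems[name].delete(contract_id)
            self.log.append(("delete", name, contract_id, responses[name]))
        return {"status": "deleted", "responses": responses}


def build_demo_wheel():
    """Constructed sample landscape: one contract C-1 spread over several systems."""
    names = ["contract", "partner", "collection", "disbursement", "claims", "efile", "legal"]
    systems = {n: ActuarialSystem(n) for n in names}
    systems["partner"].store("C-1", {"last_name": "Example", "iban": "DE00 EXAMPLE"})
    systems["contract"].store("C-1", {"insured_amount": 10000})
    systems["collection"].store("C-1", {"premium": 49.90})
    systems["efile"].store("C-1", {"policy_pdf": "policy-C-1.pdf"})
    return CoCWheel(systems,
                    veto_authorities=["collection", "disbursement", "legal"],
                    deletion_order=["efile", "claims", "disbursement",
                                    "collection", "partner", "contract"])


def run_demo():
    """Walk C-1 through cancellation, blocking, a veto, and final deletion."""
    wheel = build_demo_wheel()
    wheel.report_cancellation("C-1", date(2024, 1, 1))
    early = wheel.run_blocking(date(2024, 1, 15))   # grace period not yet over
    late = wheel.run_blocking(date(2024, 2, 1))     # 31 days: blocked everywhere
    try:
        wheel.systems["partner"].read("C-1")
        regular_read = "allowed"
    except PermissionError:
        regular_read = "refused"
    audit_read = wheel.systems["partner"].read("C-1", audit=True)
    wheel.systems["disbursement"].objections.add("C-1")      # e.g. an open claim
    vetoed = wheel.request_deletion("C-1")
    wheel.systems["disbursement"].objections.discard("C-1")  # objection cleared
    deleted = wheel.request_deletion("C-1")
    return {"early": early, "late": late, "regular_read": regular_read,
            "audit_read": audit_read, "vetoed": vetoed, "deleted": deleted,
            "partner_after": wheel.systems["partner"].read("C-1", audit=True)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The two points worth noticing are that the blocking step only changes a flag (the data stays available to the audit view), and that a single objection from any veto authority halts the whole deletion round rather than skipping one system; the `log` list is what an auditor would read to confirm each system's response.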
This ensures that both legally compliant data protection and the protection of data from the point of view of the affected party are fully complied with. On 25.05.2018, the General Data Protection Regulation (GDPR) came into effect, and it affects the insurance industry. The existing principles of data minimization, purpose limitation and necessity of data collection, the guarantee of data protection and the right to be forgotten, including the individual's right to informational self-determination, remain as they were. Changes for German companies concern, for example, the right to data portability, data protection impact assessments, accountability, notifications to supervisory authorities and restriction of processing. The implementation is supported by the guidance of the GDV (Gesamtverband der Deutschen Versicherungswirtschaft e.V.), which consists of explanations for the insurance industry, a restriction to the aspects of the GDPR that are relevant to it, and a list of concrete actions required. With the implementation of the CoC, an important step was taken in the insurance industry. Now it is time to evaluate the aspects of the GDPR and to continue with the implementation in a timely manner.