BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
 |
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | |
Irish Data Protection Commission Case Studies |
||
|
You are here: BAILII >> Databases >> Irish Data Protection Commission Case Studies >> Excessive data sought on penalty points [2009] IEDPC 8 (2009) URL: http://www.bailii.org/ie/cases/IEDPC/2009/[2009]_IEDPC_8.html Cite as: [2009] IEDPC 8 |
||
[New search] [Printable RTF version] [Help]
Excessive data sought on penalty points [08/04/2010]
In November 2008, my Office received a complaint against X Insurance regarding the amount of information sought when an individual requested a quotation for motor insurance. The complainant stated that, during a phone call to X Insurance in November 2008, in which he sought a quotation for motor insurance, he was asked for information on any penalty points he had received on his driving licence during the previous five years.
Section 2(1)(c)(iii) of the Data Protection Acts, 1988 and 2003 provides that personal data obtained by a data controller shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or are further processed. In October 2002, the Minister for Transport announced the introduction of penalty points for speeding offences for all drivers under the Road Traffic Act, 2002. Other offences were added to the penalty points system since then. Under the Act, penalty points remain on a person's driving licence for a period of three years.
My Office contacted X Insurance and raised our concerns that potential customers for car insurance were being asked to provide details of penalty points for the previous five years while the applicable legislation states that such details should be kept on a driver's licence for only three years. X Insurance responded to my Office stating "In underwriting a motor policy, and assessing the risk involved, we require information from the proposer on the convictions and or penalty points obtained on their licence in the previous five years. The risk may be assessed differently depending on the offence type, the number of points and whether or not there was a driving ban imposed - for example, the rating for careless driving will be different to speeding. We do not rate solely on the number of points but require this information in deciding on the severity of the offence for assessing the policy."
My Office expressed its dissatisfaction at X Insurance's reasons for seeking information on penalty points for the previous five years in circumstances where the statutory obligation for the retention of penalty points on a driver's licence was three years. We requested that it cease the practice of seeking such data immediately. X Insurance in response stated that its quotation process would be revised to ensure that details on penalty points would only be requested for the previous three years rather than five years as had previously been the case.
This case clearly demonstrates how important it is that data controllers satisfy themselves, on an ongoing basis, that information sought from customers is not excessive. Unless there is a clear basis for requesting certain categories of personal data, data controllers should exercise restraint when seeking personal data and they should ensure that only the minimum amount of personal data necessary is processed. This is particularly the case where the data sought relates to matters such as offences.
