
Irish Data Protection Commission Case Studies


URL: http://www.bailii.org/ie/cases/IEDPC/2011/[2011]IEDPC7.html
Cite as: [2011] IEDPC 7



Case study 7: Allianz requesting excessive personal information at quotation stage [2011] IEDPC 7 (2011)



In May 2011 I received a complaint from an individual in relation to what she considered to be the excessive level of personal information requested by Allianz when she contacted them by telephone seeking a pet insurance quotation.

The complainant informed us that during the call to Allianz the agent asked her to provide her date of birth and her mother's maiden name. The complainant informed the agent that she was not a policy holder with the company and that she was only seeking a quotation. The agent then informed the caller that it was a requirement under the Data Protection Acts, as a security measure, to ask such questions. 

Our communications with Allianz concerned two issues, the first one being the use of information from a birth certificate as a security question. Allianz informed us that it introduced three ID security questions consisting of date of birth, mother's maiden name and place of birth. It stated that these questions were introduced to ensure that it was keeping its customers' personal information safe and secure and to prevent any unauthorised disclosure. As previously outlined in my 2009 Annual Report, it is our view that the use of questions such as date of birth and mother's maiden name for the purpose of ensuring security of data is not an adequate safeguard against disclosure to a third party. Such questions may in fact be a security vulnerability as this type of information is publicly available upon payment of a fee to the General Register Office and is therefore of limited value on its own as a security feature.

The second issue concerned excessive data collection in the context of a quotation. We informed Allianz that there was no requirement under the Data Protection Acts for it to collect date of birth, mother's maiden name and place of birth data when a person phones for a quotation – especially for pet insurance! The Acts provide that personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or are further processed. We told Allianz that to suggest to a person who phones for the first time to seek a quotation for insurance that the collection of such information is a requirement under the Acts was both false and misleading and was a misrepresentation of the requirements of the Acts. When queried, Allianz confirmed to my Office that a quote reference number is provided over the phone so that a customer could note it for further reference. It also confirmed that unless the caller indicated that the quote was, for example, too expensive or that they were no longer interested, a quote pack would usually issue to the customer containing a quote reference number. It was our view that confirmation by a caller of the quote reference number in a follow up call would adequately meet any data security requirements the company may have at quotation stage.

Following our intervention, Allianz confirmed its intention to cease using its ID verification screen at quotation stage. In future, it undertook to not seek information at quotation stage regarding a caller's date of birth, mother's maiden name and place of birth.

The use of ID verification questions is common practice among companies in order to ensure the safety and security of personal data of their customers or policyholders and to prevent unauthorised disclosure. This is a practice which we of course encourage in relation to the protection of customer personal data in appropriate circumstances. However, verification of a caller's identity can be easily achieved without asking questions that are bordering on invasive or which might cause upset to the caller. In addition, we discourage the collection of unnecessary personal data at quotation stage, such as in the case outlined above in relation to pet insurance. If the caller decides, having obtained the quotation, to take out a policy, it would be acceptable then to seek personal data which might be used for ID verification on subsequent calls concerning the policy.

