In this article we examine some of the duties on insurers under the General Data Protection Regulation ("GDPR") and Data Protection Act 2018 ("DPA") in the context of pre-action personal injury claims.

Insurers must be careful to meet their duties under the GDPR/DPA. The duties differ depending on whether the insurer is considered a controller or a processor, with a controller being subject to the most onerous level of compliance responsibility. The GDPR seeks to protect people with regard to the processing of their personal data. Personal data is:

"Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

The GDPR and DPA require personal data to be processed lawfully, fairly and in a transparent manner, and on the basis of the data subject's consent or another specified basis. The term 'processing' includes sharing the data with independent legal advisors/loss adjusters or disclosing it in a proposed civil claim.

Insurers must identify, and keep a written record of, the lawful basis relied upon before the data is processed. Data must be processed in a targeted and proportionate manner to achieve the purpose.

Article 6 of GDPR sets out six specified 'lawful bases' for data processing and at least one must apply in order for the processing to be carried out. The three most relevant lawful bases in the context of personal injury pre-action protocol are:

  • Article 6.1(a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • Article 6.1(c) Processing is necessary for compliance with a legal obligation to which the controller is subject; and
  • Article 6.1(f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection for personal data, in particular where the data subject is a child.

Article 6.1(a) – Consent

The basis involving 'consent' may well be chosen in a straightforward case where only data relating to the claimant needs to be disclosed by the insurer direct to the claimant's solicitors and consent has been given for that specific purpose. Consent must be 'valid' and can be withdrawn.

Article 6.1(c) – Compliance with a legal obligation

A 'legal obligation' includes one which comes from statute or common law.

It goes without saying that there is no 'legal obligation' to seek legal advice, and so this lawful basis would not apply to the disclosure of personal data by insurers to independent solicitors.

It is not certain that this basis applies to disclosure at the pre-action stage either. Existing case law makes it clear that disclosure in civil litigation is governed by the Civil Procedure Rules 1998 ("CPR") (rather than the Data Protection Act 1998). Rule 31.6 of the CPR places on the defendant a duty to disclose any documents on which that party relies, as well as any documents which adversely affect his own or another party's case or which support any other party's case.

The pre-action protocol requires disclosure of documents which are 'material', and their scope is generally considered to be limited to the list of documents contained at Annexe C. Some uncertainty might arise in a case in which disclosure is made of a document falling outside that specified list.

Further uncertainty may also arise because, technically speaking, the legal obligation of disclosure rests with the defendant party (i.e. the policyholder), not the insurer.

Article 6.1(f) – Legitimate Interests

The defence of a civil claim in which an insurer has a financial interest clearly constitutes a legitimate interest pursued by that insurer.

However, as is clear from the wording of Article 6.1(f) above, any processing has to be balanced against the rights of the data subject. Many of those rights are found in Articles 12 to 23 of the GDPR.

One of the data subject's rights is to object to processing of data. Article 21(1) states:

"The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6.1, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims".

However, if the Legitimate Interest basis is applicable, the right to object to processing is removed because Article 21 is a 'listed GDPR provision' for the purpose of paragraph 5 of Schedule 2 of the DPA.

That states:

"(3) The listed GDPR provisions [i.e. the right to object] do [does] not apply to personal data where disclosure of the data—

  1. is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
  2. is necessary for the purpose of obtaining legal advice, or
  3. is otherwise necessary for the purposes of establishing, exercising or defending legal rights, to the extent that the application of those provisions would prevent the controller from making the disclosure".

Article 9 – Special categories of personal data

In some cases, the processing of special categories of personal data will be required. This includes data relating to health, race, ethnicity or religious beliefs. Such processing is prohibited except in certain circumstances, such as where consent is given or where processing is necessary for:

"the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity".

There is also a relevant "insurance derogation" in relation to these special categories of data. Schedule 1 paragraph 20 of the DPA states that:

"This condition is met if the processing [i.e. the special categories of personal data are permitted to be processed]—

  1. is necessary for an insurance purpose,
  2. is of personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health, and
  3. is necessary for reasons of substantial public interest..."

An insurance purpose includes:

  1. advising on, arranging, underwriting or administering an insurance contract
  2. administering a claim under an insurance contract, or
  3. exercising a right, or complying with an obligation, arising in connection with an insurance contract, including a right or obligation arising under an enactment or rule of law.

The new GDPR/DPA regime does not change the breadth or extent of documents which are subject to disclosure and inspection in personal injury claims. However, on a case-by-case basis, insurers should take care to consider which lawful basis applies to such disclosure and to keep a written record as evidence of their decision, to ensure compliance with the DPA.

If an insurer is ever in doubt about disclosing documents to another party, there is always the option of requiring the claimant to apply to the court for an order compelling disclosure, most usually by way of a pre-action disclosure application – the costs of which can be negotiated.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.