The Chartered Insurance Institute (CII) has published new guidance to support insurance and personal finance firms in managing data relating to customers in vulnerable circumstances.
The Data Privacy for Customers in Vulnerable Circumstances guide clarifies in practical terms how customer vulnerability-related data can be managed in compliance with UK data protection requirements and the Financial Conduct Authority’s (FCA) Consumer Duty.
The guide contains key guidance relevant to the health and protection insurance market, including dealing with health conditions, vulnerability data and life claims, and detecting economic abuse.
It emphasises there are three distinct and interconnected purposes for processing vulnerability data:
- to provide appropriate support and to prevent harm,
- to meet reporting requirements,
- to drive product and service improvements.
Dyslexia and life insurance
In two sections the guidance highlights one example for dyslexia, in particular with regard to life insurance.
First it points out that a label such as dyslexia has little operational value on its own.
According to the guide, firms need to identify the specific harm a customer is susceptible to because of their circumstances and use that understanding to ensure communications are clear and not misleading, and that products and services remain suitable.
For example, instead of simply recording ‘customer has dyslexia’, it recommended that the firm use a more tailored approach:
- Circumstance: Dyslexia (moderate severity)
- Potential harm: Misunderstanding complex terms and conditions
- Support: Dyslexia-friendly communication formats, extra time to review documents, verbal explanation of key points, follow-up confirmation calls
“Recording ‘what’ without ‘why it matters’ and ‘what helps’ fails to deliver effective support,” it said.
As a further step, it gave an example of designing a dyslexia-friendly approach for life insurance, where an insurer undertakes analysis for a specific product.
Step 1 Data analysis: Life insurer analyses target market data and discovers above-average levels of dyslexia among their customers.
Step 2 Product redesign: Creates dyslexia-friendly format option for all customers.
Step 3 Embed in customer journey: Makes this format available throughout customer journey, using appropriate communication channels, without requiring the customer to repeatedly disclose their condition.
It said this would give several benefits: customers with disclosed dyslexia were more likely to benefit, and those who have not disclosed were also more likely to benefit.
Furthermore, everyone should benefit from clearer communication and there should be reduced complaints and increased satisfaction across the customer base.
Domestic abuse
Where domestic abuse is suspected during a call, the guide calls on firms to record the disclosure and the indicators of risk.
The firm should also apply appropriate account protections, such as suppressed communications and a separate communication channel.
In these instances the firm should share data with and coordinate with internal specialist teams or appropriate external services.
By way of follow-up, firms should inform the customer of what has been recorded once it is safe to do so and document the rationale, including the at-risk indicators, why consent could not be sought, the protective purpose and the substantial public interest justification.
Processing special category data
Where specified categories of special category data need to be processed without consent for an insurance purpose, the guide gives the example of a life insurance policy where a customer is asked about their medical history.
At this point they disclose they are being treated for high blood pressure and were diagnosed with breast cancer four years ago, but are now in remission.
In this instance, firms should use the data solely for the insurance purpose and issue a privacy notice explaining how the data will be used.
Mental health
The guide also made clear that mental health data can be recorded where the customer is vulnerable to making rash decisions or missing important communications.
The guide added that these customers should be supported with regular proactive monthly check-ins and simplified communications, and be offered payment flexibility during mental health episodes.
