to think that this is bloody well GDPR wrongness?

[GastonHaugh]

Some details changed to protect the innocent but anyways

My brother had an accident and went off sick. His injuries are pretty shocking, including some brain trauma which wasn’t obvious initially. He’s been on long term sick ever since and his company (massive construction) have a policy they use which covers a portion of his income whilst he is off.

The insurance company they use rrgaularly reviews his claim and he’s not getting better any time soon. His solicitor suggested getting a Subject Access Request on the insurer to see what they were thinking long term and it turns out he’s been under surveillance. I think that the contact with the surveillance company should have been included in the disclosure but it hasn’t been and the insurer is saying that it’s their data, not his. But how can that be? They’ve disclosed who he is and the case in order to commission the surveillance!

Am I right? Is this a breach?

If the person carrying out the surveillance is under contract, it will be covered under the original privacy statement.

It really depends what you mean by “the contact with the surveillance company”. You’re probably correct but it massively does depend on the content of the communication.

Assuming that the contact was “Bob lives at 101 High street, hightown, hightownshire, HT1, 1HT. Please observe his movements for three days.”

My brother got the video data in its unedited form and it shows him going about his business.

So they must have given them his name and address at the very least.

This was absolutely an external company commissioned because the cost of it is on the notes in the disclosure.

Wow I had no idea insurance companies could do this, yes I’m inclined to agree OP - unless he consented to his personal information being shared with the surveillance company, did they disclose the reason for the surveillance, eg his injuries etc, isn’t that personal data too?

Insurance companies do this more than you'd think for ones where they suspect it will be a long-term claim (as it sounds like it will be), purely to check that people are telling the truth before they work out how much they are going to need to reserve.

Sadly there are just too many people putting in exaggerated / dodgy claims. Especially in industries like construction where there are lots of accidents, some of which will be worse than others and where due to the nature of the work the attraction of not bothering to work and just living off insurance money for several months creates higher moral hazard.
By the very nature of the investigation, they can't let the subject know they are doing it because anyone who is swinging the lead would simply lie low while they knew they were being watched. There was a case very recently where someone was claiming they couldn't walk every again and the surveillance found them playing 5-a-side football twice a week...

It's nothing to do with GDPR as the surveillance company are contracted to the insurers,, and they have been given that data for a specific purpose as per the terms of their engagement and they will have to protect the data they are given like anybody else

I appreciate it feels invasive, perhaps even a violation of privacy, but surveillance actually quite standard practice in long-term insurance claims and you have nothing to fear as it sounds like the claim is indeed genuine - and I wish your brother as swift a recovery as possible.

Exactly @Technosaurus

It's nothing to do with GDPR as the surveillance company are contracted to the insurers,, and they have been given that data for a specific purpose as per the terms of their engagement and they will have to protect the data they are given like anybody else

I understand but doesn’t that mean that the insurer, post surveillance and under SAR, should disclose who the the surveillance company are, and what was shared with them? They have as I say, already shared the raw data/video with my brother.

And of course this is all standard in claims management/fraud avoidance but it’s the data sharing we are asking about.

I think you're being unreasonable. The surveillance/private detective industry would shut down overnight if companies couldn't tell them who they wanted investigated! Obviously insurance companies should have the right to investigate potentially fraudulent claims.

I don't understand why it makes a difference that you want to know who the company is afterwards?

Maybe I’ve not worded it properly. He’s not objecting to fraud investigations or even to surveillance - but the insurer should share what they said to the surveillance company, and who they are.

I'd imagine your contract with the insurers covered something along the lines of "and to share information with our partners for the purpise of processing your claim..."
If you think about it logically, if they got in touch to ask for your permission to engage surveillance, it kinda gives the game away. I've not looked in great detail at my home contents or car insurance but I bet there's a clause in there somewhere for just that.

It's an ongoing claim. It's likely they may be protected by exemptions .

GDPR isn't as all sweeping and powerful as people think it is.

But if you have concerns you can go to the ICO.

Overall though of course it's fine that insurance companies investigate. It's fairly common practice and I am surprised people didn't realise this.

I'm sure they're allowed to share the info, but surely that doesn't exempt them from the requirement to share all the data they hold about a person under a subject access request? i.e. the email or whatever they sent to the investigation company to commission the work?

I guess they could share those details by phone or something to avoid having anything written down about the person possibly.

I think here, and its something I often see , you are attempting to use GDPR as some kind of all powerful tool. When surely what you actually want is a decision from the insurance company and a pay out. And all the GDPR requests in the world won't deliver that - follow the insurance company's normal complaints procedure or take some legal advice perhaps if you feel they should have paid by now

Clearly a lot of people have either intentionally or unintentionally misunderstood what you’re asking OP. Is it possible that they commissioned the surveillance in person or via an unrecorded phone call?

Similar to when the DWP watch claimants they think are on the fiddle!

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/what-other-exemptions-are-there/

You might find the above useful, OP. There are quite a lot of exemptions meaning that when you make a SAR you won't necessarily get everything they hold about you. Obviously crime detection (including fraud) would be one example.

Yes, legitimate interest being another. Consent (or not) isn't a trump card....

Yes this exactly. And why can they disclose the raw video in SAR but not the company who supplied it, and the wording of the commission.

Thankyou I’ll have a look. They’re already paying out and have been for years and he isn’t going to recover but they’re looking for anything to get out of paying.

You will have to ask them . But it may come down to anything that reveals their methodology for fraud investigation etc is covered by an exemption.

They should have given you the details to request an internal review. Failing that, you can ask the ICO. Mumsnetters will only be able to speculate

But ultimately if you are wanting to get resolution on this claim then I think you are barking up the wrong tree.

You will have to ask them . But it may come down to anything that reveals their methodology for fraud investigation etc is covered by an exemption.

They should have given you the details to request an internal review. Failing that, you can ask the ICO. Mumsnetters will only be able to speculate

But ultimately if you are wanting to get resolution on this claim then I think you are barking up the wrong tree.

Sorry to hear that he won't fully recover, OP, and hope he is able to make his peace with that somehow. It must be a worrying time.

Someone I know had an insurance company do this. Someone actually tailed him to his counselling appointment. He went into James Bond mode and gave them the slip on the bus. Unbelievable and very stressful for him. But totally legal apparently. I'm so sorry to hear about your brother's injuries and wish him the best.

Thanks, I appreciate your candour. When you say “barking up the wrong tree” what do you mean? As in, how would you go about it?

They are doing all they can to dislodge the claim, it is of long-standing and he has previously been under surveillance so this is not a new thing, but the SAR had several holes and this is just one of them.
(another for example says things like “see attached report” and then there’s no attachment etc.)