our GDPR preparations
a comprehensive guide for advisers and employers
understanding the basics
The General Data Protection Regulation (GDPR) is EU-wide legislation designed to improve the way organisations handle personal and sensitive data, in order to better protect the rights of the public.
The GDPR applies from 25th May 2018.
Ellipse has been working hard over the last nine months to prepare for GDPR. This guide explains what we’ve done and what we are doing so we are ready. As a digital business we already have a strong platform of systems, controls and processes to protect the data that we handle in the course of our business. Nevertheless, there are still a number of improvements we have made in light of GDPR.
Our legal basis for processing data
AIG Life Limited, trading as Ellipse, is the data controller of personal data.
We process personal data in order to undertake any activity relating to our policies, products and services and, where relevant, to process applications, set up and administer policies, products and services and handle any claims.
Any organisation that processes personal data must have a legal basis for doing so. As Ellipse needs to process employees’ personal data in order to provide group insurance cover for those employees, our legal basis for processing that data is “legitimate interests”. For most activities relating to our policies, products and services this is the legal basis on which we will process data.
However, there are some activities where we will seek the individual’s consent. This applies when obtaining sensitive data to complete an individual assessment; when processing a critical illness or income protection claim for a member; and for email marketing communications to advisers (we do not send marketing communications to employers or employees).
Assessing whether we need the information
It’s important that we only process data items that we explicitly need in order to undertake an activity. To determine this, we have conducted privacy impact assessments (the GDPR’s data protection impact assessments) for each of our key processes. These help us ensure that we are only collecting and processing the data that we need to conduct an activity, and that any alternative to processing the data has been fully explored.
These assessments will be repeated regularly to ensure our processes remain appropriate.
How long we retain data
In short, we won’t hold data any longer than we need to. In chapter two of this guide we explain in more detail how long we retain specific items of data.
For example, quotes that do not progress will be deleted after six months. Member data relating to a currently insured Ellipse policy will be retained for six years after the policy ceases. This is because a complaint can be referred to the Financial Ombudsman Service during this period and we are required to retain records.
Who we share data with
We will only share data with those organisations who absolutely must have it in order to deliver a service to us, which in turn is necessary for us to provide insurance cover. They may include:
- other AIG companies
- medical assessment service companies
- claims service companies
- IT service providers
- regulators and government agencies
- a member’s doctor and/or medical professional
- the member’s employer and their adviser
The information we share will depend on the activity we are undertaking and its purpose. Our privacy notices specify exactly which companies will receive personal data and in what circumstances.
Personnel responsible for Data Protection
We have appointed a Data Protection Officer and Deputy Data Protection Officer who are specifically responsible for maintaining our Data Protection policy and processes. They are also a contact point for any advisers, employers and employees who have any questions or concerns about how we process their personal data. They can be contacted at DataProtection@ellipse.co.uk.
We are also refreshing our staff training programme so that our revised data protection policies and processes are fully understood and implemented across our business.
Keeping data secure is a top priority for us. We already have a strong platform of systems, processes and controls to keep data secure, with many clients using our secure website to access documents and upload data. However, there are a number of enhancements that we have made in order to further strengthen our data security.
In chapter three of this guide, we explain in more detail the measures we take to keep personal and sensitive data secure.
For more information about data retention, IT security, email marketing, supplier controls and data subject rights, please read the sections that follow.
Our privacy notices have been expanded and improved to explain to employees how we handle and process their data.
how long we hold data for
what data we hold and why
Our fundamental principle is that we will never hold data for any longer than is absolutely necessary.
We have reviewed all of our business processes to categorise the data we receive and determine how long we need to keep that data. We have designed and are implementing new automatic processes to delete documents and anonymise data after the given period.
Our quote document, and any other documents provided to us, will be automatically deleted after six months if the quote does not proceed. The data provided on which our quote is based, and all other data items held in our quote system, will be automatically anonymised after six months if the quote does not proceed.
Once a policy has started we will retain all policy documents (such as the quote, application form, policy schedule and all file notes and emails) for six years after the policy ceases. Documents will then be automatically deleted and policy data held within our systems will be anonymised. We need to retain this information beyond the lifetime of the policy because a referral can be made to the Financial Ombudsman Service at any point during that six year period, and we are required to retain records in the event of such a referral.
"We've critically appraised all our processes to ensure we never hold data for longer than is necessary."
Chris Morgan, Chief Marketing Officer
We will retain accounting documents and financial records such as invoices, statements of account, breakdown of cost, direct debit details and commission statements for a period of 10 years after the policy has ceased. Documents will then be automatically deleted.
We will keep your personal information only as long as necessary for the purposes for which we collected it and to comply with applicable law. Depending on our relationship with you, we may keep your personal information for a number of years after our relationship ends.
Data relating to an Individual Assessment
All personal and sensitive information provided by a member which relates to their individual assessment will be retained by us for a period of six years after the member ceases to be covered by the policy. Again, this is to ensure we have records for the Financial Ombudsman Service. All documents relating to the assessment (such as the decision letter or medical files received) will be automatically deleted after this period. All data held in our system will be anonymised.
Data relating to a claim
All personal and sensitive information provided in support of a life, critical illness or income protection claim will be retained for a period of six years after the last claim payment is made or, for unsuccessful claims, for six years after the claim decision is made. Our claim records will be manually deleted after this period.
Data relating to a beneficiary nomination
When an employee has used our online nomination of beneficiary service, we will retain the completed nomination document for the period in which the employee remains covered by the scheme, and for an additional three month period afterwards. The nomination of beneficiary form will then be deleted.
Data relating to an individual’s online account
We will retain data relating to an adviser’s online account for the period during which our terms of business agreement applies, or until they leave the company. After a further period of three months data will be anonymised. Data relating to any other user accounts will be retained for six years after the policy ceases, then anonymised.
What does "anonymisation" mean?
This is a process whereby personal data is altered into a form that cannot be used to identify the individual. When data is anonymised, each identifying item of data is overwritten with an unintelligible value, so that the individual cannot be identified either from any single item of data or from all items of data combined. When we conduct this process the company name, company number and address, as well as each item of employee data, are anonymised so that it is not possible to identify either the employer or the employee. The original values are not kept anywhere, so it is not possible to reverse this process.
We will only anonymise in circumstances where our systems require us to maintain an underlying data structure. For example, we need to know that a policy for £X premium did exist, but we do not need to know who it was for. In all other circumstances we will delete.
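As an added worked example (not Ellipse’s own code, which this guide does not publish), the following Python sketch implements the retention schedule described in this chapter and an irreversible anonymisation step of the kind described above. The category names, the field names, the convention that a rule fires on the expiry date itself and the sample policy record are all assumptions made for the illustration; the retention periods and the delete-or-anonymise outcomes are taken from the text.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from enum import Enum

# Assumed names throughout: this is an illustration, not Ellipse's own code.
class Action(Enum):
    RETAIN = "retain"        # still inside the retention period
    DELETE = "delete"        # documents: remove entirely
    ANONYMISE = "anonymise"  # system data: keep the structure, lose the identity

@dataclass(frozen=True)
class Rule:
    months: int     # retention period counted from the record's trigger date
    action: Action  # what happens once that period has expired

# Schedule as described in this chapter (6 years = 72 months, 10 years = 120).
# The trigger date is the event the text names: quote date, policy cessation,
# end of cover, last claim payment or decision, end of the terms of business.
SCHEDULE = {
    "quote_document": Rule(6, Action.DELETE),
    "quote_data": Rule(6, Action.ANONYMISE),
    "policy_document": Rule(72, Action.DELETE),
    "policy_data": Rule(72, Action.ANONYMISE),
    "accounting_document": Rule(120, Action.DELETE),
    "assessment_document": Rule(72, Action.DELETE),
    "assessment_data": Rule(72, Action.ANONYMISE),
    "claim_record": Rule(72, Action.DELETE),
    "beneficiary_nomination": Rule(3, Action.DELETE),
    "adviser_account": Rule(3, Action.ANONYMISE),
    "user_account": Rule(72, Action.ANONYMISE),
}

def as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string, as stored in the records."""
    return value if isinstance(value, date) else date.fromisoformat(value)

def add_months(d, months):
    """Add calendar months, clamping the day so 31 Aug + 6 months is 28/29 Feb."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def expiry_date(category, trigger):
    return add_months(as_date(trigger), SCHEDULE[category].months)

def due_action(category, trigger, today):
    """Action due today for a record whose retention clock started on `trigger`.
    Assumed convention: the rule fires on the expiry date itself."""
    if as_date(today) < expiry_date(category, trigger):
        return Action.RETAIN
    return SCHEDULE[category].action

# Identifying fields are overwritten; structural fields are kept so the system
# still knows that a policy for this premium and cover period existed.
IDENTIFYING_FIELDS = ("employer_name", "company_number", "address", "member_name",
                      "date_of_birth", "ni_number", "email")
STRUCTURAL_FIELDS = ("annual_premium", "benefit_type", "cover_start", "cover_end",
                     "lives_covered")
REDACTED = "REDACTED"

def anonymise(record):
    """Return an anonymised copy. Identifying values are replaced by a constant
    rather than hashed: a hash of a short value such as a company number or NI
    number can be recovered by trying every possible input, which would make this
    pseudonymisation, not anonymisation. Unclassified fields are rejected."""
    out = {}
    for key, value in record.items():
        if key in IDENTIFYING_FIELDS:
            out[key] = REDACTED
        elif key in STRUCTURAL_FIELDS:
            out[key] = value
        else:
            raise KeyError(f"unclassified field {key!r}: classify it before anonymising")
    return out

def leaked_identifiers(original, anonymised):
    """Identifying fields whose original value still appears anywhere in the
    anonymised record (substring match, deliberately conservative). An empty
    list is the check that anonymisation succeeded."""
    haystack = " ".join(str(v) for v in anonymised.values())
    return [k for k in IDENTIFYING_FIELDS if k in original and str(original[k]) in haystack]

SAMPLE_POLICY = {  # constructed sample record, not real data
    "employer_name": "Example Widgets Ltd", "company_number": "01234567",
    "address": "1 Example Street, London", "member_name": "Jane Doe",
    "date_of_birth": "1980-02-29", "ni_number": "QQ123456C",
    "email": "jane.doe@example.com", "annual_premium": 1234.56,
    "benefit_type": "group_life", "cover_start": "2015-01-01",
    "cover_end": "2017-06-30", "lives_covered": 42,
}

if __name__ == "__main__":
    for category in ("policy_document", "policy_data", "accounting_document"):
        print(category, due_action(category, SAMPLE_POLICY["cover_end"], "2023-06-30").value)
    anon = anonymise(SAMPLE_POLICY)
    print(anon, "leaks:", leaked_identifiers(SAMPLE_POLICY, anon))
```

Two design points matter in practice. First, the retention job computes the expiry from the trigger event the chapter names for each category, so a policy that ceased on 30 June 2017 has its documents deleted and its system data anonymised from 30 June 2023 while its accounting records survive until 30 June 2027. Second, anonymisation must fail closed: a newly added field that nobody has classified is rejected instead of being quietly copied through, and `leaked_identifiers` gives a cheap post-condition that no original identifying value survived in the output.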
how we keep data secure
protecting your data
In light of the GDPR we’ve taken further steps to provide a greater degree of security to our clients.
In this section, we explain in more detail the measures we take to keep data secure.
Information Security Policy
As the information within our IT security policy is sensitive we are unable to share the policy itself, however we can provide an overview. The policy is based on four key pillars:
- Policies – documented policies that staff are required to sign
- User education – via induction training for new joiners and ongoing training for existing employees
- Hygiene factors – regular patching and security updates, as well as regular penetration testing and security scans
- Specific security tools – intrusion detection and prevention systems and firewalls to prevent unauthorised access
The information security function is managed by our IT and systems team and overseen by the IT security committee. We have two major providers to whom we outsource services:
- Northdoor plc provide all application development and maintenance services for our core systems
- NIU Solutions Limited provides all infrastructure support. They are an ISO 27001 and ISO 9001 certified provider
We take various steps to make sure that our information security management systems are in line with current best practice. The last information security audit we undertook was in the third quarter of 2017. Our IT security committee is chaired by an independent IT security expert, attended by NIU and Northdoor, and meets quarterly.
Where is personal data stored?
Personal data will be stored in our quotation, administration and customer relationship management (CRM) systems and in our online individual assessment tool. Underlying data is stored on Oracle databases, which are backed up each evening. Data held in CRM is hosted in Azure, Microsoft’s cloud computing platform.
Data is stored on specific server drives that are access controlled to ensure only users with the right to access that data have permissions.
Data is not held locally on company devices, and the USB ports on the devices of staff who have access to personal data are disabled to prevent its removal via USB storage.
We have eliminated all backup tapes. Instead we run two concurrent data centres, and all backups are performed over the network to the alternate site.
We operate as a paperless office so we do not hold physical customer data. In the rare cases that we have hard copies, we dispose of it using a specialist confidential waste provider.
Who has access to personal data?
Only appropriate staff who need access to undertake policy administration will have access to that specific data. All computer systems and folder access are therefore granted on a role specific basis. All systems are password protected and user access rights are reviewed every 6 months and documented. If a user changes roles or leaves the company then their permissions are reviewed or removed as appropriate. Permissions can only be granted or changed with the approval of a member of the executive management team.
How do we protect against unauthorised access?
All data in transit is encrypted. For our online services, data is encrypted between the end user and the web servers using SSL/TLS (Secure Sockets Layer / Transport Layer Security), and it is protected in the same way in transit between the application layers.
In addition, all data at rest will be fully encrypted in advance of the GDPR implementation date. Data held in our CRM system is already encrypted both at rest and in transit; this is managed by Microsoft.
As the majority of our policies are quoted for and administered online we minimise the need to transfer data via email. All incoming and outgoing emails are scanned automatically by our email security software. We also apply Transport Layer Security (TLS) to email in transit, together with content filters, to mitigate the inherent risks of email.
We can enforce TLS for email exchanged with a specific adviser’s mail domain if they want to implement it; as TLS for email needs support at both ends, the adviser’s mail system must support it too. Please contact us if you wish to arrange this.
Where we do need to share data with a third party provider we will either use a secure portal or password protect the files. As part of our GDPR preparations we are also in the process of implementing an email encryption solution to provide greater security.
We use anti-virus software to protect ourselves from threats, as well as an intrusion detection and prevention system and various firewalls. This infrastructure is regularly monitored and will trigger alerts in the event of a detected threat. We also have various filters (email and web) to minimise the risk of malware. In addition, we conduct regular training and awareness sessions with staff to mitigate the risk of these threats.
This infrastructure is kept up to date by our provider (NIU). They ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches as soon as possible, with critical patches installed within one month of release.
We use independent security specialists to conduct a full penetration test on a regular basis. All priority items identified in the most recent test conducted in November 2017 have been acted upon.
Only employees with allocated keycards, or approved and supervised contractors, can enter our office at Bermondsey Square, and the building is supervised 24/7. Our business operations in Bermondsey Square are separated from the data centres where our servers are located, managed and maintained by NIU. These managed data centres provide physical and environmental security, i.e. a physical security perimeter and physical entry controls. By default no one has physical access to the hosting servers.
We have a business continuity plan in place which is reviewed on a monthly basis with a formal review taking place every six months. A full disaster recovery test takes place annually, with the last one conducted in August 2017.
Risk management and controls
We have a risk management policy, and any business event or incident, regardless of its origin, is recorded and tracked in the risk event log. All risk events are reviewed monthly by the Executive Management team at a risk review meeting. In the event of a data breach we will inform any clients affected within 24 hours, with reporting to the appropriate regulatory body if required (the GDPR requires the supervisory authority to be notified within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals).
when do we need consent
from individual employees
There are some circumstances where we need to ask employees for their consent to collect and process personal data.
This occurs when we need to process sensitive information or where we are processing data which is not required to provide the insurance cover but is used to provide our nomination of beneficiary service.
In the event that we need an individual to complete an assessment before we can provide cover, we will ask for their consent to do so as we will need to collect sensitive data about the employee’s health and lifestyle. We will also seek the employee's consent in the event that we have to obtain copies of their medical records to complete our assessment.
If an employee does not consent, then we will be unable to complete the assessment and they may not receive their full cover.
In the event of a critical illness or income protection claim we need the employee to provide their consent for us to receive and process sensitive data about their medical condition and treatment. This can include obtaining the employee’s medical records.
If an employee does not consent, then we will be unable to complete the claim assessment and we will be unable to pay the claim.
Nomination of Beneficiary service
This is an optional service provided alongside a group life policy. If the employer selects the service we will email employees a link to complete a nomination of beneficiary form on our secure website. When an employee provides information about their chosen beneficiaries, this is stored securely by us and passed to the scheme trustees in the event of the employee’s death. As the processing of this information is not required to provide the insurance itself, and storing beneficiary information is an additional service, we seek the employee's consent before they complete their nomination form.
If an employee does not consent, then they will be unable to complete and store their nomination form on our secure website. Instead, they may wish to complete a separate form and ask their employer to store it.
Where an employee provides consent in the circumstances outlined above they can withdraw their consent at any time. To do so they should email DataProtection@ellipse.co.uk.
email marketing to advisers
your communication preferences
Email marketing correspondence with advisers will be on a specific opt-in basis.
We have categorised our email marketing correspondence into five different topics so that advisers can choose to receive only the correspondence that is relevant to them:
- Ellipse Announcements - Occasional updates from our team, market or strategy announcements, personnel changes, charity updates and invitations to participate in events.
- Product and process updates - New product launches and process changes, including occasional reminders about product features.
- Research and insight - Employer and employee research reports, plus insight and thought-leadership from our industry experts. Also includes invitations to participate in our annual adviser survey.
- Training - Timely reminders, hints and tips about our products and processes to help advisers get up to speed. We’ll also send invites to regular training webinars.
- Knowledge hub newsletter - A monthly email newsletter with the latest articles from our knowledge hub.
Advisers who are already registered with Ellipse can make their choices by clicking on the link included in all our current marketing emails. After making their choices those advisers will then only receive communications relevant to the topics they have selected. If any advisers have not indicated their preferences by 25th May 2018 they will be automatically excluded from all future email marketing communications until they actively opt in.
Functionality to allow advisers to make their choices via their online account will be added in April 2018. This will then allow any registered advisers to change their preferences at any time to opt out, unsubscribe or opt in.
"We'd encourage all advisers to make their preferences, to ensure they continue to receive the content they want."
Chris Morgan, Chief Marketing Officer
We do not require consent from advisers in order to send emails concerning quotes, applications, policies, schemes, claims and underwriting and any other activity conducted in accordance with our terms of business agreement. These will continue as appropriate regardless of the email marketing preferences advisers choose.
We do not send any marketing emails to employers, but they will continue to receive transactional email regarding any policies they have insured with us.
data subject rights
and supplier controls
The GDPR provides data subjects with enhanced rights. These include:
- the right to access the personal information held about them
- the right to have inaccurate information corrected (rectification)
- the right to erasure (the “right to be forgotten”)
- the right to transfer their data to another controller (data portability)
- the right not to be subject to a decision based solely on automated processing
We have implemented new processes to allow employees to exercise these rights. Our privacy notices explain how they can do this.
We have introduced new controls and requirements for suppliers to ensure they comply with the legislation and only have access to the information that is absolutely necessary for them to carry out their function. This includes steps we are taking to anonymise data where a particular supplier may have access to data but does not need the data itself to carry out their functions e.g. IT and systems maintenance and development.
We list all third parties with whom we share data in our privacy notices. We have undertaken due diligence with all these suppliers and new contract terms have also been agreed. For those suppliers who are not data processors, we will also add direct links to their privacy notices on our website as soon as they are published.
Any more questions?
If you have any more questions about our GDPR preparations, then please contact our Data Protection Officer at DataProtection@ellipse.co.uk
You'll find all our privacy notices on our website here.