Data Protection Act 1998
Who does the Act apply to and what does it say?
The Act applies to data controllers, which are persons (which includes organisations such as companies) that control the manner in which, and the purposes for which, personal data is processed. Personal data is information that relates to a living individual from which that individual can be identified.
Persons that process personal data under the control of a data controller are known as data processors. The Act stipulates that data controllers must impose terms on their data processors that ensure the security of personal data processed on the data controller's behalf. Any breach of the Act committed by a data processor is primarily the liability of the data controller of the personal data concerned.
How does this affect insurers and repairers?
Where a customer of an insurer is referred to a repairer, it is likely that the agreement between the referring repairer and the insurer states that the insurer is only to use the details of the customer for the purposes of the work to be undertaken pursuant to the referral. This would mean that an insurer that uses the Audatex system is a data controller in respect of the personal data on records created in relation to the referral by that insurer.
It is, however, possible that there will be details of other individuals on the repairer's system who will not have come to the repairer as the result of a referral from an insurer. In those circumstances, the personal data on the records that relate to the repairer's own customers will be controlled by the repairer. It is also entirely possible that there will be details of one person in different records controlled by different insurers; this situation would arise, for example, if an individual owned different cars insured by different insurers that had both undergone repairs at the repairer's workshop.
Data controllers must take appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data and the accidental loss or destruction of, or damage to, personal data. "Appropriate measures" are measures appropriate to the risk that disclosure poses to the data subjects, weighed against the cost of implementing protection measures and the technology available.
If an engineer were to access the personal data of another data controller held on the Audatex system, the repairer, the insurer that employed the engineer and the insurer that controlled the data accessed by the other insurer's engineer would all potentially be liable under the Act.
What can you do to manage this situation?
AudaEnterpriseGold enables filters to be set up which limit the view of work to a specific work provider. Audatex recommends that this functionality is used in order to reduce the risk of inadvertently disclosing personal data.
Setting Up Filters in AudaEnterprise
From the Main Index, select a parameter to filter on where it says "Show Assessments where". The parameters in the drop-down list are the columns that you currently have showing (with the exception of date or monetary fields).
Enter the text you wish to search for or filter by. In the example above, the filter applied shows all assessments where the Registration Number begins with "FG". The same approach can be used to show only the assessments relating to a particular work provider.
The filter will remain in place as you move through folders; to see all assessments in a folder, the client-side filter should be cleared using the Clear button. The last used filter parameter is always displayed, and the system remembers it when moving between the User and Administration tabs and when logging on or off the AudaEnterpriseGold system.
As well as limiting the view of assessments to work from a particular Work Provider, client-side filtering may be useful when you want to find a particular assessment among many in a folder, or when you want to view the assessments assigned to a particular user.
Best Practice Guidelines
An important point to note is that the rules of the DPA apply to all personal data held on any system, including bodyshop management and dealer management systems. Steps should be taken to secure personal data in all cases and, as a best practice procedure, users of any system located in an unsecured area should log off from the system or use the software lock whenever they leave it unattended for any length of time.