Recent experience with arranging insurance for a young driver led me to reflect on the data protection risks of black box insurance. Black box insurance is a type of car insurance that uses a device installed in the vehicle to monitor the driver’s behaviour and adjust the premium accordingly. The device records data such as speed, distance, time, location, acceleration, braking and cornering. The data is then transmitted to the insurer, who uses it to calculate the risk profile of the driver and offer discounts on premiums or incentives for safe driving.
Black box insurance offers many benefits for both drivers and insurers. For drivers, it can lower the cost of insurance, especially for young or inexperienced drivers who typically face high premiums. It can also encourage safer driving and reduce fuel consumption and emissions. For insurers, it helps them price the policies more accurately, reduce fraud and claims, and increase customer loyalty and retention. However, black box insurance also raises data privacy issues that need to be addressed.
Data Collection and Processing
The data collected by the device reveals a lot of personal and sensitive information about the driver, such as their whereabouts, habits, preferences, health, and lifestyle. For example, the data may indicate where the driver lives, works, shops, socialises, travels, and visits.
The data is used to assess driving behaviour and risk level, and to set a fair and personalised premium that reflects actual driving performance.
However, the data collected by the device is personal data, and the people insured have the right to know and control how it is used. The UK Data Protection Act 2018, the General Data Protection Regulation (GDPR) and other data protection laws require insurers to comply with certain principles and obligations, such as:
- Obtaining consent before collecting and processing the data, and informing individuals of the purpose, scope, and duration of the data collection and processing;
- Collecting and processing only the data that is necessary, relevant, and proportionate for the purpose of providing the insurance service, and not using the data for any other purpose without the person’s consent or other legal basis;
- Ensuring the data is accurate, up-to-date, and kept for no longer than necessary, and deleting or anonymising the data when it is no longer needed;
- Respecting individuals’ rights to access, rectify, erase, restrict, object, or port data, and responding to requests within a reasonable time and without undue delay;
- Implementing appropriate technical and organisational measures to protect the data from unauthorised or unlawful access, use, disclosure, alteration, or destruction.
Data Security and Breach Management
The data collected by the device is transmitted via wireless networks, such as the mobile phone network, Wi-Fi, or Bluetooth. The data is then stored and processed by the insurance company or by a third-party service provider. Both transmission and storage carry a risk of data breach, whether from hacking, interception, theft, loss, or misuse. A data breach compromises the confidentiality, integrity, and availability of the data, and risks causing harm or distress to customers. It could potentially lead to identity theft, fraud, blackmail, or discrimination, or facilitate harassment and stalking.
Companies need to:
- Encrypt the data during transmission and storage and use secure and reliable networks and servers;
- Limit the access to the data to authorised and trained personnel, and use strong authentication and authorisation mechanisms;
- Monitor the data activities and systems and detect and prevent any anomalies or threats;
- Report and notify any data breaches to the relevant authorities and customers affected without undue delay and take remedial actions to mitigate the impact and prevent recurrence.
Data Accuracy and Fairness
The data collected is used to calculate a risk profile, which may lead to premium adjustments. The data can also be used to investigate and settle claims or to provide feedback to improve driving skills. The accuracy and fairness of the data can affect the quality and reliability of the insurance service.
Insurers should:
- Make it easy for people to correct or update any errors or discrepancies;
- Ensure the data is representative and unbiased, and avoid any discrimination or prejudice based on characteristics such as age, gender, race, religion, or disability;
- Provide people with the opportunity to review and challenge the data and the decisions made based on the data and explain the logic and criteria behind the data analysis and processing.
Ethical and Social Issues
The way the data collected by these devices is processed can have implications for the driver’s autonomy, dignity, and freedom, as well as for society and the environment. It can create new forms of discrimination, inequality, or surveillance, and risks a loss of trust.
Insurers need to make sure they:
- Respect the driver’s dignity, autonomy, and freedom, and do not interfere with their personal or professional life, or impose any undue pressure or influence on them;
- Promote the driver’s wellbeing, safety, and security, and not cause them harm, distress, or disadvantage, or expose them to any danger or risk;
- Contribute to the social and environmental good, and not cause any harm, damage, or nuisance to society or the environment, or violate any human rights or social norms.