Home > News
Mind my data Click to visit the homepage
The ICO is manipulating the process again
The basics
Plausible deniability
Employment agencies
Useful links
Open in a new window/tab
The Information Commissioner
Mailing Preference Service
Telephone Preference Service
Royal Mail junk mail opt-out
Register of data controllers
Analysis
My response to the ICO's tweet about policy
Are data controllers 'officially' lying to us?
Why do we need to accept a Privacy Policy?
Can I opt-out of a renewal quote under section 11 of the DPA?
Who's texting me about PPI?
Marketing corporate employees by e-mail

The AA CEO disagrees with the ICO

Andrew Strong - CEO of the AA, has apologised for failing to comply with my request not to receive a renewal quote for insurance from the AA but disagrees with the ICO that they failed to comply with my section 11 request.

Despite the AA hinting that they have a "legal obligation" to send me a renewal quote for my car insurance, they nevertheless assured me that they would not send it - but sent it anyway. This is why the AA CEO has apologised, because I was told that they wouldn't but they did. Obvious question, if the AA has a legal obligation to send me a renewal quote, were they not contravening that obligation by telling me that they wouldn't send it to me? Or were they simply trying to plicate me?

It's a cause for concern and I'm beginning to wonder whether the AA takes any of its obligations seriously. Apparently the AA have an obligation to send me a renewal quote but they decided to waive that. I know that they have an obligation to process personal data fairly yet according to the ICO they've failed to do that. And even Trading Standards have had a get involved; they made the AA change the wording on their renewal quote. I'll never do business with this company again.

You might be wondering what this is all about. It's simple, I don't like the fact that my car insurance provider, in this case the AA, will automatically renew my insurance after 12 months unless I tell them not to. Although I do accept that some drivers prefer to have their insurance renewed automatically, it's likely that millions of car drivers share my view. And the main reason for this is obvious - by switching your insurance provider each year it's likely that your car insurance will be cheaper. Indeed, the rise of comparison websites serves to demonstrate that annual insurance switching is common practice for many drivers.

Most of us are well aware then, that insurance providers subsidise the quotes for new customers in order to compete with other providers; in the hope that they'll be able to recoup the loss when the time comes to renew. The savvy among us therefore, will aim to switch their provider each year to take advantage of the lower premium offered to new customers. In an effort to curb the annual migration tendencies of the UK motorist, insurance companies require us to sign-up to a rolling contract that requires us to cancel the insurance to avoid having it automatically renewed after
12 months; often at a much higher premium than one could find by switching to another provider. They hope that we'll either forget to cancel or that they'll be able to offer us a better quote when we phone to cancel. Have you noticed that you can no longer contact your insurance company via a web form? You have to phone to cancel.

It's the insurance quote letter that tends to kick-off the process of migration. We will often mock the price quoted to renew the policy - some of us will simply phone and cancel, some of us will get satisfaction by phoning the provider and telling them that the price quoted is ridiculous. This is often followed by a visit to the comparison websites to get a new quote. My favourite comparison website at the moment is Comparethemarket.com because they've really improved the way in which they inform us about their marketing by adding a row of tick-boxes to the form. Anyway, I wanted to know what would happen if the insurance provider was unable to send me the renewal quote; would they still be able to renewal my insurance automatically or would they have to let it lapse? I decided to put it to the test the next time I renewed my insurance.

I opted out of direct marketing with a section 11 request when I took out my car insurance with the AA in May 2011. My specific request under section 11 not to receive the renewal quote kicked-off a series of e-mails with me telling the AA's customer service that they needed to comply with my section 11 request and the AA telling me how they were obliged to send me a renewal quote. I was informed that the matter was being escalated to their legal team and eventually I received the following response:

'This being the case, we do not view this as direct marketing but rather the provision of information in respect of the service which we are already providing the customer with.  This aspect of our service provision is also explained to our car insurance customers in the policy booklet itself under the section entitled ‘Renewing your policy’. This is in compliance with both (i) the FSA Insurance Codes of Business (aspects of which are statutory rules which we are obliged as insurance intermediaries to comply with) and which were detailed in our previous correspondence with you; and (ii) Schedule 2 of the Data Protection Act 1998 regarding the fair processing of personal data'.

They went on to say:

As you have stated that you do not wish to receive a renewal invitation I have made arrangements to stop this from being automatically issued next April.

I found this a bit confusing because they start by claiming that they have a potentially legal obligation to send me a renewal quote - 'aspects of the FSA Insurance Code of Business being statutory' but then go on to say that they won't send me a renewal quote. Why wouldn't they make the effort to clarify this with the FCA and qualify their response? Also, the comment about them not viewing it as direct marketing is unfounded in my opinion. The definition of direct marketing is clearly defined at section 11(3) of the DPA and, with respect, it's naive of the AA to suggest that a renewal quote does not constitute direct marketing.

The following April the AA sent me a renewal quote.

I wasn't happy that they had sent me a renewal quote when they specifically told me that they wouldn't send it. Also, I wasn't happy with the wording of the renewal quote letter. As I had a backlog of complaints to submit to the ICO at the time, I decided to submit a complaint to Trading Standards first; about the wording of the renewal quote. What's missing from the letter?Lightbox window How about this... where does it say on the letter that I have a right to cancel? Look how they've worded the letter to make it appear that the renewal of my policy is a done deal. It wasn't a done deal though - far from it! I was well within my rights to cancel the policy renewal so why have they not made this clear? So that pissed me off.

Trading standards told me:

'As I am sure you are aware, the whole issue of continuous annual payments or has some have coined it "inertia selling" is something that has been the subject of controversy for many years. The Office of Fair Trading has historically been critical of such practices but it has never been criminalised.'

'Whilst the use of auto renewals is accepted such terms are subject to a fairness test. It is essential that such terms give the consumer a reasonable opportunity to avoid the renewal charge. Current thinking by the Office of Fair Trading is that a consumer should be allowed to cancel the contract one month before renewal'.   

Trading Standards upheld my complaint and apparently, the AA have now changed the wording to make it clear that the individual can choose to cancel the renewal.

Eventually I got around to submitting a complaint to the ICO. Before doing so however, I contacted the AA again and received clarification that it was the Insurance Conduct of Business sourcebook (ICOBS) that they believed gave them the right to send me the renewal quote - regardless of my rights under section 11. So I contacted the FCA and asked them to clarify the status of ICOBS. The FCA said:

'ICOBS imposes regulatory rules not statutory rules on the firms we regulate. We say in ICOBS 6.1.5R that 'A firm must take reasonable steps to ensure a customer is given appropriate information about a policy in good time and in a comprehensible form so that the customer can make an informed decision about the arrangements proposed.' We then give guidance that this applies pre-conclusion and post-conclusion, it  includes matters such as mid-term changes and renewals. A firm could meet their obligations under ICOBS 6.1.5R by sending a renewal notice. We consider it good practice for firms to remind their customers that their policy will shortly renew and we think it has benefit for customers'.

So according to the FCA, ICOBS puts a regulatory obligation on an insurance provider to send me a renewal quote - not a statutory obligation. This suggests to me that the statutory right afforded me under section 11 of the DPA would supersede any regulatory right placed upon my insurance provider.

I submitted the FCA's response as supporting information for my complaint to the ICO and they agreed with me. The ICO said:

From the information you provided, it appears unlikely that the AA has complied with the DPA in the circumstances described in this case. This is because the AA has sent you an automatic renewal notice despite receiving a Notice under Section 11 of the DPA from you. If the AA disagrees with our initial assessment opinion and believes that it has fully complied with the DPA in this case, we have asked it to contact us explaining its perspective and provide detailed arguments supporting its position. For us to consider varying our assessment opinion, the AA will need to provide this to us with any counter arguments within 28 days of receiving our letter. We will write to you to let you know if we decide to vary our assessment conclusion.

I contacted the AA to obtain clarification as to whether or not they accepted the ICO's view. Mr Strong - the AA's CEO wroteLightbox window to me and told me that he did not. He also copied in the ICO. Although, he did apologise for sending me the renewal quote after I had previously been assured that I would not. The thing is, it's not clear from his letter what he actually disagrees with. Mr Strong seems to be either questioning the validity of the information that I provided to the ICO or the fact that the ICO do not seem fully committed to their view, or both. I think the ICO made it pretty clear. The fact that the ICO often makes use of the word "likely" isn't an indication that they're unsure about what they're saying. The ICO cannot make a judgement - only an assessment, and this is why they often use the word "likely". To enforce the law the ICO will forward the case to their Regulatory Action Division (RAD) as they have the power to prosecute.

I wasn't happy with Mr Strong's response so I wrote back to the AA to clarify that my complaint to the ICO was supported by information provided by the FCA. I also pointed out that the correct procedure for disagreeing with an assessment conducted by the ICO was to seek a case review. Anyway, I've just received a further apology from Mr Strong today. He said:

'We would like to offer our sincere apologies if you felt that our quoting from the ICO decision we received suggested anything with respect to the accuracy of the information you provided to the ICO. This was certainly not out intent'.

Fair enough, it's nothing personal, I just want them to respect my rights.

The situation at the moment then, is that Mr Strong has clearly stated that he disagrees with the ICO's assessment. So I expect one of three things to happen:

1. Mr Strong submits a case review to argue his point of view.
2. Mr Strong back-tracks and accepts the ICO's point of view.
3. The ICO prosecutes the AA.

If the ICO don't do anything then I'll submit my own case review asking them to seek clarification from Mr Strong. If necessary, I'll escalate the matter to the PHSO. The compelling point here is that Mr Strong has clearly stated that he disagrees with the ICO's assessment. The ICO cannot leave it at that.

Summary

Here's how I understand it...

ICOBS puts a regulatory obligation on an insurance provider to send a renewal quote. The OFT requires a renewal quote to be sent one month before renewal. However, a renewal quote is likely to constitute direct marketing because it promotes an organisation's products or services and section 11 of the DPA grants an individual the right to opt-out of ALL direct marketing from a data controller - including insurance providers. And according to the ICO, a provider's legal obligation to comply fully with the rights of a data subject cannot be negated by their civil law terms and conditions or their obligations under ICOBS.

Furthermore, a registered data controller - one that has notified the ICO about their data processing, has an obligation to notify the ICO about any changes to their data processing purposes. Failure to do so is a criminal offence. So I'm wondering why - if the AA believe that ICOBS has the power to overrule section 11 of the DPA, they didn't seek clarification from the ICO years ago. One of the data processing purposes identified by the AA is the purpose of Advertising, marketing and public relations. Personal data can only be processed for the purpose of Advertising, marketing and public relations in accordance with the DPA - including full compliance of section 11. As such, as soon as the AA's data controller became aware that something might be having an impact on their obligation to process personal data in accordance with the DPA, then I believe that they should have made the ICO aware. Instead however, it appears that the AA have simply assumed that they have a right to ignore my section 11 request. As far as I'm aware, they haven't bothered to clarify anything with the FCA or the ICO. I've had to do all the work.

Conclusion

I am of the opinion that by submitting a section 11 request to my insurance provider and specifically asking them not to send me a renewal quote, that they MUST comply with my request. And if my provider cannot send me a renewal quote then they cannot auto-renew my insurance. This is because they cannot renew my insurance without giving me the opinion to cancel. Furthermore, if they did renew the policy without making it clear how much I was paying and what benefits I was receiving etc, I would claim the money back via the small claims court and argue unfair terms in consumer contracts.

I would advise anyone who objects to the automatic renewal of their insurance to opt-out of all direct marketing from their insurance provider with a section 11 notice and specifically inform them that you do not wish to receive a renewal quote. Oh and don't forget to make a note of your renewal date as hopefully won't be receiving a reminder. If you do then you'll need to submit a complaint to the ICO.

Update 28/06/2013

The ICO has informed me that the AA will not be submitting a case review. The ICO said:

'I note that the Automobile Association Ltd (AA) does not accept our assessment decision. I can also confirm that I have been in touch with the AA who has confirmed that it will not be requesting a case review'.

Another fine example of a thorough job done by the ICO - not!

So does this mean that the AA now accepts the ICO's view or not? I need clarification and so does the ICO otherwise I'll be submitting a case review. I've provided the ICO with a number of reasons why they need to seek clarification from the AA. The first one is fairly obvious - their need to be thorough. As it stands the AA's view is ambiguous.

Another reason is that the view given by Mr Strong was unfounded as it was unsupported by a legal argument. Bearing in mind that he copied the ICO into the letter, in my opinion, Mr Strong has now informed the UK's Data Watchdog that the AA is no longer complying FULLY with the DPA. This is supported by the fact that the AA informed me that they would comply with my section 11 request by not sending me a renewal notice but did so regardless. Yet, according to section 2.3 of the Notification Handbook:

‘When any part of your entry becomes inaccurate or incomplete, you must inform us. This action must be taken as soon as practicable and in any event within 28 days of the date on which your entry became inaccurate or incomplete. Failure to do so is a criminal offence’.

The AA must comply FULLY with the rights of their data subjects. This means that the processing of personal data for the purpose of Advertising, marketing and public relations - which is one of the purposes identified in the AA's registration (Z8250996New window), MUST be carried out in accordance with section 11 of the DPA - a data subject's right not to receive advertising or marketing from a data controller. If the AA does not accept the ICO's view then the correct procedure is for them to submit a case review and qualify their point of view, perhaps with a legal argument or two. Mr Strong didn't do this though; he simply informed the ICO that he did not accept their view. In light of this, and considering Mr Strong's position within the organisation, I am of the opinion that the AA's registration with the ICO is no longer accurate. As such, the ICO should seek clarification from the AA or they should prosecute the AA for failing to remove Advertising, marketing and public relations from their registration.

Finally, the other issue that I have identified is that I have a right to take legal action against the AA under section 11(2) of the DPA. If I decide to do this then I will rely on the ICO's assessment to support my case. As it stands though, their assessment is open to interpretation by a court because the person conducting the assessment has failed to obtain clarification from the AA.

I have therefore asked the ICO to obtain clarification that the AA fully accepts that section 11 negates any obligation they have under ICOBS otherwise I'll submit a case review. Ultimately I'll submit a complaint via my MP to the Parliamentary and Health Service Ombudsman and the ICO will have to explain why they have not sought clarification from the AA. Failing this, I may have no option but to seek a court order because I'm not prepared to accept the situation as it stands - not after that letter.

I've also submitted a further complaint to the FCA and it has been passed to their Supervisory and Enforcement area for consideration. I'm keen to get ICOBS updated so that financial services companies are required to follow correct procedure when dealing with the ICO. Mr Strong's unfounded foot-stamping is a good example to support my case.

Update 02/07/2013

The ICO have responded as follows:

I can assure you that we are contacting The Automobile Association Ltd to seek their clarification on the issues raised in your complaint to the Information Commissioner’s Office.

So I'll give them some time to seek clarification. I don't believe I'm being unreasonable in seeking clarification. The moral of the story I guess is that data controllers should think long and hard before telling the ICO that they don't agree with them without bothering to qualify their view.

How to opt-out under section 11

More information about ICOBS

Added: 23.06.2013