Prevent motor insurance rolling contracts by opting out of all direct marketing

I’ve insured a vehicle every year since December 1989, but I tend to dislike the process of obtaining car insurance. Specifically, I don’t like being locked into a rolling contract, receiving over-inflated quotes to renew an existing policy, or having to make a phone call to cancel a rolling contract, where I am often subjected to the customary nonsense of trying to “find me a better deal”. It’s a matter of trust, and the simple fact is, I don’t trust people that work in the motor insurance industry.

Take the No Claims Bonus (NCB) feature for example. You may have noticed that different providers seem to have differing NCB limits. As I have 30+ years NCB, there’s an obvious desire for me to choose a provider that will take all of these years into account, and some providers do allow us to select 20 or even 30 years NCB when filling out the application form. However, when I asked the Financial Ombudsman to investigate this issue in 2016 (Ref: 17901539) they forwarded me the response that they received from the insurance provider that I had complained about. The insurance provider said:

Although I accept that the process is potentially flawed as some consumers do have 20 or 30+ years NCB, it is the same across the industry which is overseen by the FCA who seem quite happy with the current process. Leading insurers will generally (although I can’t speak for them all) only accept a maximum of 6-9 years as a maximum; I have worked in insurance for nearly 10 years and I don’t know of any insurer that will currently accept more than 9 years as maximum.

This response suggests that 9 years is the maximum NCB that will be considered by a provider. I also note that one of the comparison websites has guidance suggesting that 5 years is likely to be enough to qualify for the maximum NCB. There seems to be a lot of confusion over this issue, and I have to question why this has been allowed to happen. Are insurance providers habitually using dirty tricks to dupe us into using their services and if so, why hasn’t someone done something about it?

So, if you’re able to select more than 9 years NCB in a dropdown when you’re in the process of obtaining a quote or applying for insurance, then you might want to question whether that provider is being honest with you.

Introducing ICOBS

The Financial Conduct Authority (FCA) is responsible for regulating insurance providers. My understanding is that those businesses that arrange or advise on insurance policies (insurance brokers), as well as those businesses that effect and carry out contracts of insurance (policy providers), are required to comply with the FCA’s Insurance Conduct of Business Sourcebook (ICOBS). Here’s how the FCA described ICOBS to me:

‘For clarity firstly, ICOBS within the FCA handbook is a collection of rules & guidelines we’ve set, which we expect firms to follow – it is not legislation itself. General rules, specialised rules and listing rules are made under the Financial Services Market Act (please see the reader’s guide to the handbook). Most rules create binding obligations on firms. If a firm contravenes such rules, it may be subject to enforcement action and action for damages. Within the specific ICOBS sections you may also see, next to certain rules or guidelines, reference to UK or EU legislative material. There is not one overarching piece of legislation the whole section is based on. If you have a specific rule in mind, we may be able to provide a more detailed response.

Our rules as such are not always based on legislation however, for the firm to conduct regulated activities in the UK, we expect them to follow our rules – by doing so they’re able to operate.’

As I understand it, the FCA is granted powers under the Financial Services and Markets Act 2000 (FSMA) to create and maintain ICOBS, and some of the rules are binding based on legislation, some are binding FCA Office rules, and some are just guidance. If you view ICOBS online, you have the option to filter the various types of rule. However, ICOBS, as a document, is not a piece of legislation, so the argument that “ICOBS” will supersede primary data protection law is unfounded.

If challenged therefore, I would reasonably expect an insurance provider to quote the actual Act or Regulation that a particular ICOBS rule relates to, rather than quote an ICOBS rule, or as you’ll discover later, ICOBS in general. Moreover, ICOBS Schedule 6 stipulates that most of the rules contained within ICOBS can be waived, pursuant to Section 138A of the FSMA:

‘As a result of section 138A of the Act (Modification or waiver of rules) the FCA has power to waive all its rules, other than rules made under section 137O (Threshold condition code), section 247 (Trust scheme rules), section 248 (Scheme particular rules), section 261I (Contractual scheme rules) or section 261J (Contractual scheme particulars rules) of the Act’.

It would appear that upon application, the FCA has the power to waive or modify nearly all of its ICOBS rules for a particular insurance business, apart from those rules that relate to particular sections of the FSMA. This is significant, because it serves to demonstrate that compared to our statutory data protection rights, ICOBS is merely a toy. If most of the rules can be waived, then I fail to see how they can possibly impact on our statutory data protection rights. Yet, my concern is that some insurance providers and even their lawyers, like to give the impression to their customers that ICOBS is all powerful. Like I say, I don’t trust people that work in this industry.

The renewal notice

ICOBS Rule 6.5.3 is relevant to this case, as it’s the rule that obligates an insurance business to communicate the cost of renewing an existing policy to us:

(3) The firm must provide to the consumer the following information in good time before the renewal:

(a) the premium to be paid by the consumer on renewal;

(b) in a way that is consistent with the presentation of (a) so that they can be easily compared.

If you’ve held vehicle insurance for at least 12 months, then you will likely be familiar with the policy renewal notice.

To clarify, Rule 6.5.3 places a lawful obligation on a controller to target its policyholders with a renewal notice. However, a renewal notice will constitute direct marketing because it contains advertising and marketing material – the cost of renewing the policy, and we all have a right to opt-out of all direct marketing from a particular controller. So, there appears to be a conflict in the law. If I am opted out of all direct marketing from the insurance provider, pursuant to Article 21(2) GDPR, should this GDPR right supersede the FSMA or the IDD – a European Directive?

In situations like this, the FCA and the ICO should be working together in my view. For me, upon receipt of an Article 21(2) GDPR opt-out request, I would deem it reasonable for the insurance provider to ask me whether the opt-out of all direct marketing should include the renewal notice. Normally, I would object to a controller questioning my right to opt-out of all direct marketing but in this case, asking me whether I still want to receive the renewal notice seems a reasonable compromise. Of course, I always stipulate that I do not want to receive the renewal notice, so it makes no difference to me.  

An agreement on this issue could easily be reached between the FCA and the ICO because they’ve publicly announced that they have a Memorandum of Understanding (MOU) between the two Offices. So, they have this MOU, where the FCA and the ICO have agreed to work together to resolve any potential conflicts; there’s an obvious conflict here; it likely impacts on the rights of millions; yet no one has done anything. There’s not a single paragraph in ICOBS to explain that the DPA and GDPR will supersede all ICOBS rules, and there appears to be no process at the ICO to escalate these potential conflicts to a policymaker.

Preventing a rollover of the policy

These days we’re usually able to take out an insurance policy by completing an online form, but when it comes to ending a rolling contract, insurance providers still require us to cancel over the phone, so that they get the opportunity to “handle” us and hopefully retain us as a customer. As I don’t like being manipulated by sales staff, my main objective is to cancel a rolling policy after 12 months, without having to phone the insurance provider. Here’s how I do that.

A personalised quote will constitute direct marketing – period. This is because the purpose of a quote is to advertise the cost of undertaking work or providing a service to the data subject, with the aim of obtaining or renewing their custom and ultimately making a sale. It is pointless therefore, to argue that a personalised quote to renew an insurance policy does not constitute direct marketing. I accept that an insurance provider may have a lawful obligation to target me with a renewal notice, but that communication will still contain advertising and marketing material and it is being directed at me.

ICOBS Rule 6.5.3 obligates an insurance business to target their policyholders with the premium to be paid by the consumer on renewal. Such a renewal notice will contain a personalised quote and will therefore constitute direct marketing.

A few years ago, I started opting out of receiving the renewal notice, by formally opting out of all direct marketing from the controller: Section 11 DPA98 prior to May 2018, Article 21(2) GDPR, post GDPR, and currently Article 21(2) UK GDPR. The theory is, that if I am opted out of all direct marketing, my insurance provider cannot send me the renewal notice because it constitutes direct marketing. Of course, if they cannot send me the renewal notice, then they will not be able to comply with ICOBS 6.5.3, and this should prevent them from rolling over the policy. Instead, as they are unable to satisfy ICOBS 6.5.3, the provider will have to end the policy after 12 months, and I won’t have to be involved in that process – I won’t have to make a phone call.

That’s the theory, so how does this work in practice? Well, two previous insurance providers had complied with my formal direct marketing opt-out request. In both cases, I had specifically informed them in writing that I did not want to receive the renewal notice. In both cases, instead of providing me with the renewal notice, they sent me a non-promotional letter to inform me that my policy would expire, when it would expire, and that it would not be renewed. Fantastic! This is just what I wanted to happen. I didn’t receive a bloated renewal quote or have to phone to cancel the policy and be subjected to that nonsense.

Once I had the policy expiry date, I was able to arrange insurance with another provider. Amazing, eh? Us humans have evolved to the stage where we are able to receive notification of a policy expiry date and actually coordinate the start of a new policy ourselves, without having to rely on a rolling contract. My insurance has remained seamless.

So far so good. Two insurance providers had not sent me a renewal notice and as such, they did not renew the policy. This is exactly what I expected to happen. I suspect they simply treated my request as a request not to renew the policy.

The course of events in this case

Two insurance businesses had previously complied with my formal direct marketing opt-out request (2016/17 and 2017/18), so this was going to be my third consecutive opt-out. I contacted my 2018/2019 car insurance provider, “the Insurer”, on 6 June 2018 to opt-out of all direct marketing. This was about four months after the policy had started. Here’s what I said:

I don’t like automatic renewals, so I wish to opt-out of all direct marketing from you in accordance with Article 21(2) GDPR:

[Here I copied and pasted Article 21(2) GDPR]

My understanding is that your organisation will not be able to target me with a quote to renew the service if I am opted out of all direct marketing and as such, you won’t be able to process the auto-renewal. If you disagree with this view, then you need to let me know so that I can seek advice from the ICO.

Note how I’ve specifically mentioned the renewal notice in my opt-out so that there’s no misunderstanding. Eventually, the Insurer’s customer service person responded to my opt-out as follows:

I have reviewed your email and I can confirm that although we will invite you to renew at least four weeks before they are due, we will not automatically renew your policies.  Upon receipt of our renewal invite letters please contact us to make payment if you wish to renew.

Despite my clear instruction, it would appear that they had cancelled the rollover of the policy, but they were still going to target me with the renewal notice. Err, I don’t think so. I sought further clarification, and another customer service person replied as follows:

I would like to confirm that a renewal reminder is not marketing material.  As your broker we have a duty of care to inform you when your renewal is due. I can confirm that all other forms of marketing material from the [the Insurer] have been suppressed.

Err, a renewal reminder will fall under the statutory definition of direct marketing, and I have opted out of all direct marketing from this controller. Furthermore, this is the second time that a member of staff working for an insurance provider has informed me that they have a duty of care. A duty of care, seriously? So, if I were to get caught driving my vehicle without insurance, can I sue my previous provider because apparently, they have a duty of care to ensure that I am insured? This kind of nonsense underpins my dislike of the insurance industry – they’ll say anything to mislead their customers.

I replied to inform the customer service person that they were mistaken, and that a renewal notice will clearly fall under the statutory definition of direct marketing. It all went quiet. A while later I followed up and this time, a more senior member of their customer service staff contacted me. She said:

I think it is important to start by offering my apologies on behalf of [the Insurer] that you have been put to the trouble of contacting us again. I can confirm that your car insurance will lapse at one minute past midnight on 8 February 2019 and as requested no reminder will be issued.

That’s exactly what I wanted to hear and it’s what they should have told me in the first place. It remains unclear, however, why this issue was not passed to the controller’s DPO. As far as I was concerned, the matter was resolved, and it looked like the process was going to work three years running. Unless of course, she was blatantly lying to me.

Unfortunately, shortly before the policy was due to expire, the controller sent me the renewal notice by post. This was really frustrating. I contacted the Insurer again and this time I received the following reply from their DPO:

As I understand it, you are unhappy that you have received our notification that your [the Insurer] Insurance is due for renewal.  As we have explained previously, we have an obligation to remind all customers when their policy is due to expire, particularly in the case of motor insurance as it is a legal requirement to have this in place. 

This is incorrect. I was unhappy because I exercised a key right, this right was initially rejected, eventually accepted, and subsequently ignored. Yet, there’s no mention of this from the DPO. In my view, a decent DPO should identify the key arguments and explain why my arguments are superseded by theirs. This DPO should explain why my Article 21(2) opt-out was ignored. At least she didn’t use the duty of care phrase. She continued:

My colleagues have confirmed to you that your policy will not renew automatically as per your request, but we have sent the reminder that the cover is due to close and an explanation of what you need to do should you wish to continue your policy with us. 

Err, okay, it would appear that their DPO is mistaken. She seems to think that I had been sent a letter to inform me that my cover is due to close, rather than a renewal notice. But this is not true. To be clear, I received a standard renewal letter containing a personalised quote for renewing the policy – not a letter to inform me that my policy would expire and would not be renewed. Actually, they sent me three separate quotes to renew – the same renewal notice letter sent to me three times, which I suspect was a system error but perhaps not. I still have the letters.

So, is it possible that the customer service staff not only lied to me when they assured me that I would not receive a renewal notice, but they have also lied to their own DPO about the nature of the communication that I received? I made their DPO aware that I definitely received a personalised quote to renew the policy and sought further clarification. She replied as follows:

‘Whilst I appreciate that you had requested we do not send you a renewal reminder, I am satisfied that it was explained to you that this is our process and we have an obligation to let you know when your policy is due to expire and what you need to do should you wish to continue cover with us. The documents sent to you are not marketing communications’

Again, it wasn’t just a request, was it? They responded to my request and informed me in writing that they would comply. It seems that the customer service staff are still not being honest with their DPO. Oh, and their DPO is of the view that a communication will cease to constitute direct marketing if they have a legal obligation to send it to me. Why will it cease to constitute direct marketing?

Needless to say, at this point, the Insurer’s contention was that the renewal notice was an essential service communication and as such, it did not constitute direct marketing. Whereas I was of the view that essential communication or not, what constitutes direct marketing is defined by law. So, while I accept that the FCA, the FSMA or some other statute, regulation or directive might supersede the statutory definition of direct marketing, it won’t erase the statutory definition of direct marketing, will it? The renewal notice will still constitute direct marketing – by law. What they should have argued is that the FSMA or whatever, allows them to target policyholders with specific direct marketing in the form of a renewal notice, not that the renewal notice does not constitute direct marketing.

I was confident that the Insurer or their lawyers would not want to present their nonsense argument to a judge, but I decided to submit a complaint to the ICO first.

What the ICO had to say

I have a theory about the ICO – that incompetent case officers will take every opportunity to deliberately find in favour of a controller in an Assessment. Providing that the Assessment appears to make sense, the ICO relies on the fact that members of the public are too lacking in their understanding of data protection law to realise that it’s utter nonsense. And by always supporting the controller, a case officer has less chance of being challenged, for example, by the controller’s lawyers, so less chance of being exposed as not being fit for purpose. It also means that the ICO’s decision to prosecute a particular controller is likely to be in the hands of incompetent office administrators, which should concern us. How fair is the ICO’s prosecution process?

Don’t take my word for it, let’s see how the ICO dealt with my complaint.

This case was assigned to a lead case officer rather than a case officer, so my complaint was assessed by someone who should have more experience than a case officer. Before she carried out the Assessment, the Lead Case Officer asked me to provide her with further supporting evidence, which included the email where I was assured that I would not receive the renewal notice. Here’s a transcript of the Assessment (RFA0851298):

We have considered the information available in relation to this complaint and we are of the view that the Controller has complied with their Data Protection obligations. This is because [the Insurer] have applied a legitimate condition for processing personal data and therefore no infringement.

The GDPR requires organisations to ensure that personal data shall be processed: Lawfully, Fairly; and in a transparent manner. For processing to be lawful an organisation must also be able to identify at least one lawful basis for processing (Article 6).

[The Insurer] has confirmed that it has not sent direct marketing to yourself. The document you refer to as a renewal notice is actually an annual car insurance renewal notice. This is a standard and important customer service document, which is sent by all insurance companies to their customers at the end of the car insurance policy year, and is one which is required by Financial Conduct Authority (FCA) regulation.

This is an important duty of care communication given that car insurance is required by law and to enable the proper functioning of the car insurance market. The renewal notice contains important information, including the date of expiry of the policy, what a customer would need to do to remain covered, how much the premium will be if they wish to renew on the same terms, what they paid last year for the policy (for transparency and comparison purposes), details of any applicable no claims bonus, and details of certain information impacting the quoted policy premium. A copy of the new terms and conditions and proposed schedule of insurance are also included. The notice does not market or advertise any products or services. The FCA’s Insurance Conduct of Business rules (see rules 6.1.5R, 6.1.6G, and 6.5.1R in particular) oblige the Controller to send this communication and the renewal notice aims to ensure customers have full and appropriate information on which to base insurance renewal decisions.

Therefore [the Insurer] can apply as outlined in GDPR (Article (6)(1)(b)) ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

As the Controller are processing on the basis of contract, the individual’s right to object and right not to be subject to a decision based solely on automated processing will not apply.

On the basis of the information provided it seems the Controller is likely to have complied with the DPA. We tend to agree with their requirements for processing would apply in the circumstances and that the fairness requirements of this principle were met because it was not unreasonable to assume that data would be processed in this way.

From the information you have provided to us it does not appear that the Controller has breached the DPA/UK GDPR, for reasons I hope I have explained above, and the issue you have raised does not suggest any wider concerns about their information rights practices.

Wow! Just look at how biased this Assessment is towards the controller. There’s no mention of my key right to opt out of all direct marketing, and no mention of the fact that I had been assured that I would not receive the renewal notice. Let’s review.

1. Firstly, as confirmed by the FCA, ICOBS is not a piece of legislation. Yet, this Lead Case Officer has accepted that ICOBS will supersede our statutory data protection rights – the rights that she is supposed to uphold, without question. She’s even quoted their ‘duty of care’ nonsense. Why didn’t she require the controller to provide the actual piece of legislation that they were relying on? In my view, this case officer is likely selling out our rights on a daily basis because she lacks the competency to challenge a controller. Welcome to my world. I have to reject almost every single ICO Assessment due to incompetence. I also reject most of the case reviews as incompetent. I’ve been rejecting the ICO’s assessments and case reviews regularly since 2008.

What should have happened in this case, is that the ICO should have a process in place to deal with any suspected conflict of interest cases. Following that process, the Lead Case Officer should have asked the controller to provide the actual legislation that they are relying on to support their argument. Had this information been provided, the apparent conflict in the law could then be reviewed by the ICO’s policymakers, an understanding reached, guidance published, and ICOBS updated – in accordance with the Memorandum of Understanding that exists between the ICO and the FCA.

2. The Lead Case Officer ignored direct marketing guidance published by her Office, which specifically references contract renewal notices. The ICO’s published guidance on direct marketing states:

‘However, if the message includes any significant promotional material aimed at getting customers to buy extra products or services or to renew contracts that are coming to an end, that message includes marketing material and the rules apply’.

Once again, this is another serious failure by a Lead Case Officer. The view of the IC in relation to renewal notices is published; she’s opted to ignore the published view of the IC because she had already decided that she was going to side with the controller. However, ICO case officers do not have the authority to adjudicate, so it’s critical that all Assessments objectively reflect the view of the Information Commissioner (IC), as published on the ICO’s website, and not the subjective view of an incompetent, biased, and in some cases, deceitful case officer.

To clarify, at the start of her Assessment, the Lead Case Officer used the phrase, ‘We have considered’, to give the impression to me that the Assessment reflects the objective and lawful view of the IC’s Office and not her subjective and unlawful view. However, because the Assessment is entirely subjective, she’s giving me the impression that her view reflects the view of the IC when it clearly does not. This makes the Assessment unlawful in my view. I shall be taking the ICO to court to argue this point in 2022.

Had the Lead Case Officer bothered to objectively apply the IC’s published guidance to the facts of the case, then she should have concluded that the communication constitutes direct marketing and as such, that the controller could not rely on the fulfilment of a contract condition to negate Article 21(2) GDPR.

3. In the first paragraph she states that the controller has a legitimate interest and therefore ‘no infringement’. This is drivel. Just because a controller has a legitimate interest, it doesn’t mean that they will automatically satisfy the three-part test to determine legitimate interests, will it? Yet, there’s no mention of the three-part test by this case officer. Moreover, was the legitimate interest defined in the Insurer’s privacy notice? There should be a legitimate interest to stipulate that ‘our statutory right to opt-out of all direct marketing will not apply to a renewal notice’. I’ve checked and it didn’t and doesn’t exist so that’s another infringement that she’s failed to pick up on.

You know, all Assessments should start with a simple Q&A process to ensure that case officers are not being subjective. First question – what condition for processing is the controller relying on? If the answer is the legitimate interests condition, then the case officer should be instructed to obtain details of the legitimate interest pursued, obtain details of the three-part test having been undertaken, and determine that the legitimate interest exists in the controller’s privacy notice. It’s so easy if one has competency.

Note too, how she then switches from the legitimate interests condition to the fulfilment of a contract condition and says that I should have reasonably expected to receive the renewal. It’s comical. Which brings us neatly to point 4.

4. The Lead Case Officer ignored material evidence – that the controller assured me in writing that they would not send me the renewal notice. Why would I expect to receive the renewal notice when I had been assured that I would not? Wouldn’t this assurance constitute a written amendment to the terms of my contract with the provider, and wouldn’t it cause the three-part test to determine legitimate interests to fail?

This Assessment is typical in my experience. It is so utterly one-sided, that I have to reasonably conclude that the Lead Case Officer deliberately sided with the controller because she doesn’t have a clue. And by siding with the controller, there’s no prospect that the controller will be further investigated by the ICO, so no prospect of prosecution.

I obviously objected to the assessment and sought a Case Review. For me, a Case Review should check to ensure that the Assessment was lawful – that it was carried out in accordance with agreed processes, and that it reflects the objective view of the IC.

The Case Review

The Case Review (RCC0863814) was carried out by an ICO Team Manager. Here’s what the Team Leader said:

I have considered the points you have raised and have also reviewed the relevant information that we hold about your data protection concern. I am satisfied that [the case officer who] dealt with this matter appropriately and in line with our case handling procedures. However, after further consideration it is my view that the renewal notice sent to you by the Controller did include direct marketing, therefore the incorrect assessment was reached.

In this case [the LCO] explained the reasons for her decision in her letter of 19 July 2019. Having reviewed the matter, I agree that the Controller did have legitimate grounds to contact you to inform you that your policy was due to expire, and this is in line with the Article 6(1)(b) of the UK GDPR. However, because you had opted out of direct marketing and this letter also contained a renewal notice and instruction to ‘call us to renew’, this constitutes direct marketing and is therefore a breach of the legislation.

As such, I have asked [the LCO] to contact the Controller to inform them of our view and to provide advice regarding their contact with customers who have opted out of receiving direct marketing, to ensure that any contact does not contain marketing material.

Wow! How can this Team Leader reasonably hold the view that her subordinate had handled this case in accordance with procedure, when she ignored the IC’s direct marketing guidance and ignored material evidence? And, if that wasn’t bad enough, she blindly accepted everything that she was told by the controller and in doing so, she sold out our statutory rights for an Office handbook. This evidences that incompetent case officers are being protected by their line managers.

Fortunately, the Case Review had no option but to overturn the Assessment on this occasion because I had a clear case to take to the PHSO. However, most of the time, a Case Review will back the incompetent view given in an Assessment. As the Case Review overturned the Assessment on this occasion, the Lead Case Officer wrote to the Insurer as follows:

After further consideration and policy advice it is our view that the renewal notice sent to [the data subject] by [the Insurer] did include direct marketing. We are now of the view that [the Insurer] has not complied with its obligations under data protection law in this instance and have revised our original assessment made on 19 July 2019 to reflect this.

Although the [the Insurer] did have legitimate grounds to contact [the data subject] to inform him that his policy was due to expire, and this is in line with the Article 6(1)(b) of the GDPR. However, because [the data subject] had opted out of direct marketing and this letter also contained a renewal notice and instruction to ‘call us to renew’, this constitutes direct marketing and is therefore a breach of the legislation.

Therefore, in future in cases where customers have opted out of direct marketing, these renewal notices cannot include a renewal notice or information directing the customer to ‘call to renew’. As such, this would be a breach because [the Insurer] have sent direct marketing to an individual who has previously opted out. Please ensure that any contact does not contain marketing material in the future.

To clarify, after carrying out the nonsense Assessment, the Lead Case Officer wrote to the Insurer to inform them that they had likely complied. Now, she had written to them to tell them that they had likely not complied, which makes the ICO look incompetent, which of course, they largely are. To be fair, if I were the Insurer, I’d be concerned about the ICO’s mixed message.

Another cause for concern is the ICO’s prosecution process. Virgin Media were prosecuted by the ICO as the result of a single complaint submitted by a member of the public. In that case, the case officer seemed to carry out a competent Assessment, and as such, the matter was deemed suitable to be passed to the ICO’s lawyers. So, what happens with all the incompetent Assessments? Is it fair to say that the ICO is prosecuting some controllers because they were unlucky enough to have their case handled by one of the few competent case officers, while other controllers are being protected from prosecution due to incompetency? Would a committee of MPs deem this to be a fair and lawful process?

Pre-action conduct in preparation for a compensation claim.

I started preparing to take the Insurer to court. I checked back with them to see whether they had accepted the view of the ICO. I also informed them that I had submitted a complaint to the Financial Ombudsman. The Insurer replied as follows:

Thank you for your email, we have received communication from the ICO and are corresponding with them directly. At this time, our position remains unchanged in respect of our renewal process and the documentation we are required to send. We will await communication from the Financial Ombudsman Service in due course.

See what I mean? Due to the mixed messages from the ICO, the last communication that I received from the Insurer in relation to the ICO, is that their view remains unchanged. I checked back with the ICO to see whether there had been any developments and they replied as follows:

I can confirm that [the Insurer] did challenge our view on your case. In response we reiterated our position.

As the Insurer refused to admit fault, and as the ICO didn’t want to discuss it further, for obvious reasons, I filed a claim for compensation. After a prolonged negotiation with their lawyers, we settled the claim without having to attend a court hearing. They had a perfect opportunity to argue their point of view before a judge, so why didn’t they? And why did they insist that I agree to a non-disclosure clause? It’s because they never had a case and they didn’t want to get inundated with claims for compensation.

The investigation by the Financial Ombudsman was a waste of time and I wouldn’t bother again. Although they seemed really keen to help, it dragged on and on and I had to keep asking for an update.  

Changes to the rules on loyalty penalties

Citizens Advice describe the loyalty penalty as follows:

Across essential services, customers are being penalised for their loyalty – from telecoms to financial services. Huge numbers of customers are on uncompetitive deals, paying far more for a service than a new customer would.

In October 2021, changes to the rules obligate insurance providers to provide value to all of their customers, including loyal customers that renew. However, the opening paragraph of an article on the FCA’s website, dated August 2021, states:

Too many firms are not fully meeting the FCA’s standards. In addition, many firms are likely to be unprepared to meet new enhanced rules on product governance, which come into force on 1 October 2021. These new rules are part of a wider package of remedies introduced by the FCA to tackle the loyalty penalty and ensure that firms focus on providing fair value to all their customers.

It seems that some insurance providers are failing to tackle the loyalty penalty, so for the foreseeable future, I shall continue to opt-out of receiving the renewal notice.


On a plus note, my current provider for 2021/22, the RAC, has just sent me a letter to inform me they were ‘unable to obtain a quote’ so they will not be renewing my policy. They’ve informed me of this because they’ve complied with my opt-out. A round of applause for the RAC! As it stands then, apart from this single case, all of the providers since 2018 have complied with my request not to receive the renewal notice.

You can draw your own conclusions but hopefully, you’ll get some insight into the ICO. I blame the ICO’s management because I suspect that they relied too heavily on the competency of case officers from Day 1. I suspect that they allowed case officers to give their own subjective views in Assessments instead of creating the policies and processes that would have required them to reference the approved view of the IC’s Office every time. In the early days, when there was a low turnover of staff, this method probably worked but as experienced case officers started to move into the private sector, it likely created a skills vacuum just as the workload was increasing. Due to the lack of processes and policies, the ICO continued to rely on increasingly incompetent case officers to give their subjective views in Assessments.

It’s this kind of case that makes me happy that I understand data protection law and have a working knowledge of the small claims court process. This article demonstrates just how open to abuse an average member of the public is – not just by controllers, but by the ICO’s incompetent, biased or deceitful case officers. What would have happened if I didn’t understand data protection law? The Insurer would have got clean away, and I would have been misled by an incompetent case officer.

Finally, watch out for comparison websites telling you that they have to provide you with a renewal notice when you have opted out of direct marketing, as this is likely to be a scam. They want to get around your direct marketing opt-outs by claiming that they have a lawful obligation to send you the renewal notice. They don’t have that obligation as far as I’m aware; it’s only the controller that you have the rolling contract with that is obligated.