InterResolve Customer Privacy Notice under the General Data Protection Regulation
Last updated: 21 May 2018
InterResolve Holdings Limited (hereafter referred to as “InterResolve,” “we,” or “us”) respects your concerns about privacy and, having due regard to forthcoming changes in data protection law pursuant to the EU’s General Data Protection Regulation (GDPR), seeks to be transparent in illustrating our data practices. This Notice applies to personal data we collect during the management of your personal injury claim and associated activity. The Notice describes the types of personal data we obtain, how we use the personal data, and with whom we share it. We also describe the rights you may have and how you can contact us about our privacy practices. InterResolve is the data controller in respect of personal data that we collect through claims management activity. Our contact details, as well as the contact details of our Data Protection Officer can be found at the ‘How To Contact Us’ section at the end of this Notice.
- How We Obtain Information About You
We receive personal data about you from the liable motor insurer subsequent to a road traffic accident (RTA) with one of their policyholders. The personal data received may include, but is not limited to, your first and last name, email address, postal address, mobile and home phone number(s) and insurance policy number.
We also collect further personal data about you that you choose to provide us when opting to instruct us to mediate your claim through to settlement. This may include, but is not limited to, your National Insurance Number, occupation and basic detail of previous injuries or conditions exacerbated by the road traffic accident.
- Information We Obtain
Personal data that you provide directly to us will be apparent from the context in which you provide it, for example:
- if you fill out a Medical Consent Form for the purposes of medical documents being released to supplement your medico-legal report, such as GP or X-ray records, you will generally provide your name, contact details and any other information requested by the form, such as your GP’s name and Surgery address or Accident & Emergency Department and address;
- if you are seeking to claim back losses incurred as a result of the RTA you will generally provide associated evidence, such as previous payslips or transaction receipts;
- if you are due to be compensated by way of BACs payment, you will generally provide your name as it appears on your bank account in addition to your account number and sort-code.
Each form varies in the information required and collected. In most cases, there is an indication what information is required. You may choose to provide additional information that is not required.
- How We Use Information That We Obtain
We may use personal data that you provide to us to provide you access to our service, for example to respond to an enquiry you have made, obtain necessary information for the purpose of your claim, provide updates on the progress of your claim or contact you for other reasons related to operating, offering and improving our service. We use the personal data for these purposes because we have a legitimate business interest in providing services to our customers and other interested individuals or parties that is not overridden by your interests, rights and freedoms to protect personal data about you.
In addition to the uses discussed above, we may also use the personal data you provide during the account access/setup process to:
- operate, evaluate, and improve our business;
- instruct an independent medical assessment;
- instruct treatment assessments and sessions;
- administer the system.
We use the personal data for the purposes described above because we have a legitimate interest in operating and improving our business that is not overridden by your interests, rights and freedoms to protect personal data about you.
We may also use the information to protect against and prevent fraud, claims, and other liabilities and to comply with or enforce applicable legal requirements, industry standards and regulation, and our policies and terms. We use personal data for these purposes when it is necessary to protect, exercise or defend our or your legal rights, or when we are required to do so by law that applies to us subject to jurisdiction.
- Information We Share
We do not sell or otherwise disclose personal data that you provide to us or that we collect through claims management activity, except as described here. We may share personal data you provide to us or that we collect through your claims management with:
- the liable motor insurer;
- service providers that perform services necessary for your claim, such as medical agencies, treatment providers or forensic accountants.
- We may share personal data with our affiliates for a number of reasons, including because you have requested information about our affiliates’ products and services.
All service providers have entered into legally binding agreements requiring them to use or disclose personal data only as necessary to perform services on our behalf or comply with applicable legal requirements subject to jurisdiction.
In addition, we may disclose personal data about you if (a) we are required or permitted to do so by law or legal process, for example due to a court order or a request from a law enforcement agency, (b) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, (c) in connection with an investigation of suspected or actual fraudulent or other illegal activity, and (d) in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganization, dissolution, or liquidation).
We recognise that it is of the utmost importance to maintain the highest levels of security practice and logic in keeping your personal data safe and processing it in a lawful and secure manner.
We employ organisational measures designed to protect the integrity of your personal information. These involve maintaining a culture of security awareness amongst all staff at InterResolve as well as limiting access privileges so that only authorised individuals within the company access your information proportionate to the task in hand; this access is also periodically audited and monitored internally to enhance the security of your information. Employees understand the extent to which they themselves are responsible for handling personal data securely and have received training to this effect, which is itself an evolving process remaining up-to-date with industry best practices, GDPR interpretation and the Information Commissioner’s Office guidance.
We employ technical measures of both a physical and digital nature designed to reinforce the above. Concerning physical measure, access to the office premises is restricted solely to InterResolve staff and the building’s maintenance team. The office perimeter, as well as the building perimeter, is fully protected to the extent that there is 24/7 CCTV surveillance, physical locks, security breach alarms, security personnel on-site and identity key-cards. All paper documentation pertaining to your personal information is uploaded onto our case management system in order to minimise any potential risk; if it must be stored physically, it is locked securely within the office premises and if it must be destroyed then it is done so in a secure shredder.
We employ stringent and robust digital measures to protect your information online.
Your information is stored in one location managed by Rackspace who maintain 24/7 support (ISO 9001) and who are ISO 27001 certified.
Call recordings are held by ULTRA communications: on their UCMS platform:
The UCMS platform resides within Tier 1 level hosting centres in London. The hosting centres use CCTV and require prior notice for any authorised persons visit.
The UCMS platform uses enterprise level Checkpoint firewalls to control and monitor traffic in and out of the platform
The UCMS platform is penetration tested annually by an external QSA to retain PCI Level 1 compliance.
Firewalls are IP-restrictive, ensuring only users from the static office IP are able to access the system, again with appropriately minimal access privileges. The office network itself is closed with a static IP protected by Juniper SRX series next-generation firewalls. Online portal access to Aquarium is SSL encrypted and we proactively follow Article 29 Data Protection Working Party updates and guidance.
We also encourage you to seek relatable privacy policies and notices published by the above companies.
In the unlikely event of a security breach, we have rigorous procedures in place to minimise any risk of damage or distress to you as an individual (including secondary persons, where relevant) and ensure it is recoverable in such a manner as to not compromise the accuracy or integrity of the personal information thereof. Employees are trained on security incident response processes, including communication channels and escalation paths. There are also periodic reviews of these mechanisms to enhance their overall effectiveness, and any appropriate outcomes are integrated into existing mechanisms and training procedures.
- Data Transfers
We only transfer your personal data to our medical provider in order to get the medical attention you require.
You may request a copy of the safeguards that we have put in place in respect of transfers of personal data by contacting us as described in the ‘How To Contact Us’ section below.
- How Long We Keep Information
The time period for which we keep personal data depends on the purpose for which we collected it. In all cases we keep it for as long as necessary to fulfil the purposes for which we collected it. We will then delete the personal data, unless we are legally required to retain it or if we need to retain it in order to comply with our legal obligations (for example, tax and accounting purposes).
Subject to any applicable legal requirements, we typically retain personal data as follows:
- Personal data you provide to us through the management of your personal injury claim and associated activities: we keep this personal data for as long as necessary in order to manage your claim and have a lawful right to hold this data for up to three years after the date of the RTA;
- Medical data provided in the process of procuring your medico-legal report necessary for the valuation of personal injury damages and prospective provision of treatment: we keep this medical data for as long as necessary in order to manage your claim and have a lawful right to hold this data for up to three years after the date of the RTA.
Retention of personal data is for 3 years post the accident date or settlement of the claim whichever is the later date.
- Due to the fact that call recordings can be used lawfully in the event of, but not limited to, fraud or future litigation, this data is not deleted periodically and may be retained in secure storage indefinitely.
- Your Rights and Choices
If you are located in the European Economic Area (“EEA”) or Switzerland, you may have the following rights in relation to personal data that we hold about you:
- To request confirmation of whether we process personal data relating to you, and if so, to request a copy of that personal data;
- To request that we rectify or update your personal data that is inaccurate, incomplete or outdated;
- To request that we erase your personal data in certain circumstances, such as where we collected personal data on the basis of your consent and you withdraw your consent;
- To request that we restrict the use of your personal data in certain circumstances, such as while we consider another request that you have submitted, for example a request that we update your personal data;
- Where you have given us consent to process your personal data, to withdraw your consent; and
- To request that we provide a copy of your personal data to you in a structured, commonly used and machine-readable format in certain circumstances.
You may contact us by email or as described in the “How to Contact Us” section below to exercise your rights described above.
You also have the right to lodge a complaint with the data protection supervisory authority in your country.
- Updates to Our Notice
We may update this Notice periodically and without prior notice to you to reflect changes in our personal data practices or relevant laws. We will post the updated version and indicate at the top of the notice when it was most recently updated.
- How to Contact Us
If you have any questions or comments about this Notice or any issue relating to how we collect, use, or disclose personal data, or if you would like us to update information we have about you or your preferences, you may contact us:
By email at: firstname.lastname@example.org
In writing at:
Attention: Data Protection
InterResolve Holdings Limited
1 Primrose Street
By phone: 033 0635 0635
You may also contact our Data Protection Officer:
By email at: email@example.com
In writing at:
Attention: Data Protection Officer
InterResolve Holdings Limited
1 Primrose Street
A Guide to InterResolve’s Complaints Handling Procedure
InterResolve is committed to provide the best customer service possible – ensuring you receive a personal, caring and efficient service at all times. The InterResolve Complaints Handling Procedure is part of this.
We do recognise, however, that sometimes things can go wrong, so we need to know about it quickly in order to understand why and take steps to ensure that it doesn’t happen again. We value your comments and recognise that they will help us improve our service to you.
If you have something you want to tell us or want to make a complaint, you can be assured that your comments will be treated seriously and confidentially. Our aim is to resolve any problem fairly and quickly.
There are 3 easy steps:
- It helps if you can let us know of any concerns as soon as possible to nip it in the bud. Inform the person you usually deal with at InterResolve, or ask to speak to the supervisor or manager in that department. You will need to tell us whether you wish your concerns to be treated as a formal complaint, which you may do either in writing, email or phone.
- We will acknowledge. normally electronically, any formal complaint within 5 working days of its receipt, explaining who will be looking into it (wherever possible, someone who has not been involved in the matter which forms the subject of your complaint) and when you can expect a response.
- Our response will be provided in writing as soon as possible – in any event by no later than 4 weeks. If we decide that we have fallen short of the standards of service we want or ought to be providing, the response may include an offer of redress where appropriate.
We hope that this complaints procedure will provide a satisfactory resolution of any complaint you might have. However, if you are not satified with our response or if it is delayed beyond 4 weeks, you can ask for your complaint to be referred to the Director of operations, who will conduct a full review and then write to you. Wherever possible, you will receive this letter within 8 weeks from the time you made your formal complaint.
We practice what we preach about resolving problems, so where we are unable to deal with something to your satisfaction, we comply with the Directive for Consumer Alternative Dispute Resolution using independent mediation, details of which you can see at http://ec.europa.eu
We are regulated by the Ministry of Justice in respect of regulated claims management activities; our registration is recorded on the website: www.claimsregulation.gov.uk. Our authorisation number is CRM1457. You may contact them if you are unhappy with our internal complaints procedure.
Claims Management Regulator
Claims Management Regulation Unit
57 – 60 High Street
Burton upon Trent
0845 450 6858
Fraud Policy Statement
At InterResolve we take the issue of fraud very seriously.
InterResolve is committed to the prevention and detection of fraud.
We may at any time:-
- Validate customer’s identities.
- Share information about our customers with fraud detection & prevention organisations including the Police.
- Check details provided in connection with reported claims.
If false or inaccurate information is provided and fraud is identified, details will be passed to Fraud Prevention Agencies.
Police or other Law enforcement Agencies may also access and use this information.
InterResolve ensures that all its business partners & potential customers are fully aware of our attitude towards fraud and that this policy statement is brought to their attention.
The Fraud Policy is endorsed and supported by the Board of Directors & Chief Executive Officer of InterResolve.
InterResolve defines fraud as:-
- Any attempt to gain funds, information or other assets by deception or other illegal means, whether acting alone or in collusion with others.
- The provision or omission of material facts with a view to misrepresenting the true position.
- Deliberate exaggeration of claims or symptoms
We participate in Insurance claims anti-fraud initiatives & screening solutions through our membership of The Insurance Fraud Investigators Group (IFIG), Netfoil and other industry forums.
We process our customer’s information in accordance with the General Data Protection Regulation. The data is shared with relevant approved organisations for fraud prevention. For additional information, please contact our team at firstname.lastname@example.org who will be able to provide you with a copy of our Data Protection & Information Security statement.