Insurance companies have gathered excessive amounts of health information

7.7.2022 12.41 | Published in English on 18.7.2022 at 13.59

Press release

The Office of the Data Protection Ombudsman has investigated the procedures used by insurance companies when they request health information from insurance applicants and the insured from healthcare providers in order to determine the liability of the insurance company. Deficiencies were found especially in the appropriate limitation of information requested from healthcare services and the legality of processing the health information of insurance applicants.

The Office of the Data Protection Ombudsman started to investigate the matter based on complaints received from customers of insurance companies as well as healthcare providers.

The information requested from healthcare services must be limited and identified

The investigations of the Office of the Data Protection Ombudsman showed that in some cases, insurance companies find it necessary to request the health information of data subjects directly from healthcare services. The procedures used by insurance companies to limit data requests varied.

If an insurance company needs to request the health information of an individual from healthcare services, the request must be limited to information concerning only a specific case, illness or symptom necessary for assessing the liability of the insurance company. The insurance company must also assess the time period for which it is necessary to request information.

The provision of the Data Protection Act does not apply to the information of an insurance applicant

Insurance companies justified the processing of the health information of insurance applicants by the regulations of the national Data Protection Act, according to which an insurance company can process such health information of the insured party or claimant as is necessary to determine the liability of the insurance company.

The Data Protection Ombudsman finds that the provision of the Data Protection Act in question applies only to the processing of the information of insured parties and claimants. Insurance companies cannot process the health information of insurance applicants or request their information from healthcare services at the application stage under the regulation, because at that point, the agreement has not been made yet.

In addition, insurance companies have requested the consent of insurance applicants for obtaining health information in connection with the application. The Data Protection Ombudsman finds that health information can be processed under certain conditions if the person has given valid consent for this purpose. Valid consent requires that individuals are given a detailed explanation of what information about them is gathered and for what purposes the information is used. Therefore, requesting consent in general without identifying the information and the purposes of use does not meet the requirements of the GDPR.

Practices in processing and requesting health information need to be corrected so that they comply with legislation

The Data Protection Ombudsman ordered three insurance companies to correct their practices in processing health information to comply with the legislation as regards the processing of health information of insurance applicants as well as the limitation of requests for information sent to healthcare services. A reprimand was issued to one insurance company concerning the processing of personal data in violation of data protection legislation.

In addition, the Data Protection Ombudsman issued instructions to the insurance companies targeted by the investigation concerning the limitation of information requests sent to healthcare services.

The decisions are not yet final.

Abstracts of the decisions of the Data Protection Ombudsman in Finlex (in Finnish):

Further information:

Data Protection Ombudsman Anu Talus, anu.talus(at)om.fi, tel. +358 29 566 6766