Artificial intelligence, the cloud, personal data and health-related data – an introduction to data-compliant implementation by insurers
Processing customer requests and claims on time and diligently is a daily challenge for insurers. The constantly growing generation of ‘digital natives’ expects fast and convenient service, preferably provided via digital platforms. An increasing number of insurers are therefore turning to artificial intelligence, with a view to meeting customer expectations more effectively and increasing efficiency.
Omni:us (a brand of Qidenus Group GmbH) provides support here with its experience and expertise as a specialist service provider. In some cases, an insured person’s personal data must be processed for the best results. Using cloud services for scalable computing and storage capacities is also the standard today. To ensure that insured persons and their data are protected, requirements for using and sharing personal data are laid down by law. These are explained in this paper.
The framework conditions under data protection law are regulated by the EU General Data Protection Regulation (EU GDPR), which came into force on 25 May 2018, as well as by the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). When using health-related and social data, special requirements apply due to the high risk involved with respect to the rights and freedoms of the insured person. These are set out in further detail in the German Civil Code (SGB X).
The following checklists explain the most important legal requirements for implementing the specified applications in a way that complies with data protection:
Artificial intelligence is specifically covered for insurance policies in Section 37 BDSG, according to which data protection law provisions do not have to be complied with in the event of partially automated decision-making to provide services or in cases where a claim has been approved in full.
If, by contrast, decision-making is fully automated for insured persons, e.g. if claims are rejected, these decisions are contestable and insured persons must be informed of this right. Data concerning health may be processed as well.
When sharing personal data, there is a ‘processing relationship’ under Article 28 of the EU GDPR. The conditions for sharing health-related data are set out in further detail by SGB X, due to the high need to protect insured persons.
Accordingly, sharing is permitted if disruptions might occur in the course of business or if service providers are able to offer significantly cheaper prices for contracted services.
In accordance with the principles of the GDPR, due care must be taken to ensure that the personal data used – especially data concerning health – is limited to what is necessary and additional protection is possible by using pseudonymisation. Data protection law provisions do not have to be complied with in the event of full anonymisation or if fictitious test data is used.
If these checks show that data concerning health may be shared with and processed by a service provider, a contract processing agreement must be concluded with that service provider, setting out the intended use and the technical and organisational measures to be implemented pursuant to the GDPR.
Before commencing work, it must also be ensured that the insured person is informed of the fact that their personal data is shared and processed as set out in the contract processing agreement, and that they have agreed to this.
If the AI service provider uses a cloud service to store personal data, this also constitutes a contract processing relationship between the AI service provider and the cloud service provider. The AI service provider also has to ensure that personal data stored with the cloud service provider is protected pursuant to Article 28 EU GDPR.
If the insurer’s personal data is stored by the AI service provider’s cloud provider, this must be included in the contract processing agreement between the insurer and the AI service provider.
If the AI service provider processes personal data on-site using the insurer’s systems (on-premises), this also constitutes contract processing under Article 28 EU GDPR and the same requirements outlined above apply. The risk to the rights and freedoms of the insurer is nonetheless lower, because its personal data is not shared with another processor.
To meet the high standards of security with respect to processing personal data, omni:us is implementing an information security management system (ISMS) in line with the international standard ISO 27001. The omni:us ISMS is currently in the introductory phase and will soon be certified by an independent certification company. Auditing for this has already begun. Certification is expected by the end of July 2019. Special requirements for insurers are also complied with and implemented in accordance with contract processing agreements.
Omni:us works with the cloud service providers Amazon (Amazon Web Services) and Google (Google Cloud). Both providers guarantee compliance with the EU General Data Protection Regulation. The scope of the omni:us ISMS includes these cloud service providers as well, which also helps to ensure secure processing.
As such, Qidenus Group GmbH, and thus omni:us, meets all of the data protection law conditions for insurers processing personal data and health-related data.
The white paper was prepared in collaboration with TÜViT SeCom, a TÜV NORD GROUP consultancy and services company for information security and data protection.
‘We implemented the ISMS consultancy project for omni:us and consider the approach described for customers and the insurance industry to be a secure way to meet data protection law requirements while also being able to use the potential of innovative applications.’
Head of Information Security & Data Protection at TÜViT SeCom