Claims Handling Privacy Notice
Effective date: 1 August 2020
Your privacy is important to us. At Crawford we routinely collect and use personal data about individuals, including the policyholder, claimants (or their representatives) and business partners. We are aware of our responsibilities to handle your personal data with care, to keep it secure and to comply with applicable privacy and data protection laws.
Crawford & Company Adjusters (UK) Ltd and our affiliated entities, (collectively, “Crawford & Company”, “Crawford”, “we”, “our” or “us”) provide claims management, claims handling and related legal administrative services to our clients related to claims submitted by policyholders and claimants. Crawford & Company is a service provider acting on behalf of your insurance provider for your claim - our client. The claims handling services involves the collection, use and disclosure of personal data in order to process the claim. Our role depends on the services we are providing and the circumstances. Crawford & Company may be acting as a data controller for the personal data processed as part of the claims handling services or as a data processor engaged to perform claims handling services on behalf of and subject to the instruction of our client depending on the nature of the services we are providing to our client. As part of our services, we may make available tools or platforms so you can submit information, documentation, video and images related to your claim and view the status of your claim, contact information and other related information.
Scope of the notice
In connection with the processing of your claim and our claims management services to clients, we may collect and process personal data about you including where submitted through claims portals or other platforms made available to you as directed by our clients. This Privacy Notice (the “Notice”) explains Crawford & Company’s handling of the personal data that you submit through the portal on behalf of your insurer. This Privacy Notice does not apply to the privacy practices of your insurer who is responsible for providing you with required privacy notices on their own behalf.
As a part of our claims management services, we process claims and handle administrative functions for insurers, such as receiving notices of claims, administering forms and documentation requests and proving support-related services to policyholders and claimants. We also help insurers evaluate, assess and establish their liability for claims and make recommendations related to the settlement of claims, including payments, repairs and replacements. We process personal data during the course of providing our claims management activities to insurers.
Personal data we collect
When you are making a claim under a policy, we will collect basic contact details together with information about the nature of your claim and any previous claims. If you are an insured person we will need to check details of the policy you are insured under and your claims history.
We will only use your information in ways we are allowed to by law, which includes only collecting as much information as we need. In processing the claim and as part of our claims handling services, we may collect personal data directly from you and from other sources where we believe this is necessary to manage the claim (such as public registers, databases managed by credit references agencies, government agencies and other reputable organisations).
We may also collect information from third parties related to you or linked to the claim such as witnesses and persons representing you, where you are the subject of a third party claim. Additionally we may collect information to conduct background checks or identity verifications related to you and others to the extent permitted by law and to investigate and protect ourselves and our clients from fraud. We also perform sanctions screening and anti-money laundering checks, as required and permitted by applicable law.
The personal data collected will vary depending upon the claim type and related circumstances but may include name, address and contact information, identification information (date of birth, government identification numbers and social security numbers), policy and claim details (descriptions, documentation, reports and photographs of loss or damaged property), health and medical information (where relevant to the claim), financial information (account information, transaction details, purchase history, invoices etc) and other information that is related to the claim that you have submitted.
We may also collect certain information automatically using log files, cookies and other mechanisms including IP addresses, the date and time of visits, the referral URL and information about your browser, cookies and online identifiers.
Purposes and legal grounds for our use of personal data
The information described above is used to initiate, handle, review, assess, validate, settle and otherwise administer your claim on behalf of your insurer and is processed for the legitimate business interests of Crawford & Company when acting as the controller under the following lawful bases.
Necessary to prepare for or perform a contract with the data subject (e.g., at the data subject’s request, in preparation for a claim settlement agreement), including:
- To initiate, handle, review, investigate, assess, validate, settle, finalise and otherwise administer claims;
- To communicate with claimants and related third parties regarding claim; and
- To verify the identity of claimants.
To comply with our legal obligations, including:
- Record keeping and retention of claim data in accordance with applicable legal and regulatory requirements;
- Fraud detection and verification purposes and protecting others from fraud, error and other harm;
- Responding to audits and fraud investigations and completing regulatory reporting or similar obligations;
- Responding to data subject requests; and
- Otherwise complying with legal obligations under UK and EU law, such as responding to regulatory obligations, judicial proceedings, court orders, law enforcement requests, or other legal process.
Necessary for our legitimate interests (or those of third parties) where these are not outweighed by the interests of the data subjects, including:
- To initiate, handle, review, investigate, assess, validate, settle, finalise and otherwise administer claims;
- To communicate with claimants and related third parties regarding claim;
- To verify the identity of claimants;
- For reporting, auditing and analytics purposes, for ourselves and our clients to improve services including to manage and administer our contracts with our clients and our business partners including the provision of reports on claims and for quality control and auditing of our services;
- To improve the claims handling services and operations involved in claim management and related services;
- For forecasting, modeling and trend reporting; and
- To provide training to relevant personnel, vendors and providers.
We may process sensitive personal data about you which includes “special categories” of personal data including medical information, treatment details and disability information and criminal record data, where necessary for the processing and handling of your claim. We will only process such data:
- Where its use is necessary for the purposes of establishing, exercising or defending our legal rights;
- Where you have provided your consent;
- Where the processing is necessary in the substantial public interest for insurance purposes; or
- Where it is in the substantial public interest for preventing and detecting fraud.
If you provide your explicit consent to permit the processing of sensitive personal data you may withdraw your consent at any time but if you do withdraw your consent we may not be able to process your claim.
Information relating to the claim and other claims may be aggregated and anonymised for research, analytics and related purposes.
Claims data processed by Crawford & Company and other Crawford group companies who perform services or provide support relating to the services may also be disclosed to third parties as below:
- Adjusters, assessors, experts, claims fulfilment providers and service providers engaged by the data controller to perform services or functions related as part of the claim handling services;
- Insurers, brokers, insurance intermediaries, risk managers and related parties which are involved in the underwriting and administration of the policy under which your claim is being handled by Crawford;
- Subprocessors and service providers who perform services for the data controller or the data processor including those providing IT and back office systems such as data centres, consultants, technology providers, call center support etc; and
- Other third parties where necessary to comply with the law, a judicial proceeding, court order or other legal process, such as in response to a court order or a subpoena, in any jurisdiction worldwide (even in jurisdictions, like the U.S., whose laws do not offer a level of protection of privacy equivalent to the one enjoyed in the EU).
Where your insurer is acting as a data controller they may at any time receive access to and/or a copy of any and all of your personal data.
Where do we transfer your data to?
We are a global company and the data that we collect from you may be transferred to, accessed or stored in, and subject to requests from law enforcement in, jurisdictions outside of your home jurisdiction, including the United States, the Philippines, Australia, Canada, the European Union and other jurisdictions in which we or our service providers operate. Some of these jurisdictions, including the United States and the Philippines, may not provide equivalent levels of data protection as your home jurisdiction. We will take steps to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it, including through appropriate written data processing terms and/or data transfer agreements.
If you are in the European Economic Area (EEA) and we process your personal information in a jurisdiction that the European Commission has deemed to not provide an adequate level of data protection (a “third country”), we will implement measures to adequately protect your personal information, such as putting in place standard contractual clauses approved by the European Commission or another measure that has been approved by the European Commission as adducing adequate safeguards for the protection of personal information when transferred to a third country. You have the right to obtain a copy with details of the mechanism under which your personal information is transferred outside of the EEA; you may request such details by contacting us below.
Retention of your personal data
Steps will be taken to ensure that personal data is accurate, complete and where necessary, up-to-date and to avoid the retention of unnecessary or duplicative information. In general, claims data may be retained for up to ten years or longer where required under applicable law, as necessary for tax or accounting purposes, as necessary to ensure we would be able to defend or raise a claim, or to otherwise exercise, establish or defend our legal rights.
You have certain rights under data protection laws to receive written information regarding the personal data that is included in the claims data:
Access - you can ask us to confirm whether we are processing your personal data and provide you with a copy of that information together with certain other details.
Correction - You can ask us to correct inaccurate personal data, in which case we may seek to verify the accuracy of the data before correcting it.
Erasure - You can ask us to delete your personal data in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable).
Restriction - You can ask us to restrict (i.e. store but not use) your personal data in certain circumstances, such as where its accuracy is contested and we are taking steps to review or verify its accuracy. We can continue to use your personal data following a request for restriction, where necessary to establish, exercise or defend legal claims, or to protect the rights of another natural or legal person.
Portability - You have the right, in certain circumstances to obtain your personal data you have provided to us in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another data controller, but only where our processing is based on your consent and the processing is carried out by automated means.
Objection- You can object to any processing of your personal data which has our 'legitimate interests' as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. In addition, you can object to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing without providing any reason. We will then cease the processing of your personal data for direct marketing purposes
Withdrawal of Consent - where processing is based on your consent, you may withdraw your consent however we may not be able to process or claim if you do so.
You may exercise any of your rights set out above by contacting us below.
Contacts and complaints
The primary point of contact for any enquiries, complaints or questions regarding this Notice including requests to exercise any of your rights is our Data Protection Officer.
Crawford Group Data Protection Officer
Global Privacy Office
Crawford & Company Adjusters (UK) Ltd
The Hallmark Building
106 Fenchurch Street
If we are not able to deal with your inquiry you also have the right to lodge a complaint with the Information Commissioner’s Office.
Information Commissioner’s Office
Helpline number: 0303 123 1113