
2.8.13. Compliant Data Protection:
It is a business requirement that this business system conforms with all applicable laws and regulations and is able to defend its legal status with a fully documented audit trail.
ITIL standards define that each business application design is reviewed by qualified people to verify its compliance with generally accepted best practice, regulation and legal obligations.
Changes shall be made to deliver a service that is decent and does the right thing, removing anything that may be illegal, unfair or unreasonable.
Legal obligations override all other business requirements.

Parties:
1. Client is a person or company who owns an asset (vessel, vehicle, aircraft) that deserves insurance and associated insurance products. Where the client's request for insurance is accepted by insurers, the client becomes the Policyholder.
2. Agent is a person who acts as an agent of the client to enter certain data into the application for and on behalf of the client.
3. Managing General Agent (MGA) is a person or company who acts as an agent of insurers with brokers.
4. Owner is a company who is authorized to provide marine insurance and associated insurance products to clients. Owners working together may choose to work via an MGA and/or brokers as authorized people working for and on behalf of a client.

Points of Concern:
Before the business application becomes operational, the following points of concern shall be addressed:
1. Claims History: Only a policy holder can make a claim, so a yacht cannot have a claims history. A court would not find favourably on an unprofessional company that asked for illogical data from clients. What documentation would a client expect to have that could provide a verifiable claims history for an asset they have just purchased?
2. Captain Claims History: Only a policy holder can make a claim, so a captain or skipper cannot have a claims history.

Data Protection:
The Data Protection Act is a European Directive of 1995 that applies to the application and all stored data, requiring that:
1. data is fairly and lawfully processed.
2. data is processed for limited and specific purposes.
3. data is adequate, relevant and not excessive.
4. data is accurate and up to date.
5. data is not kept for longer than is necessary.
6. data is processed in line with people's rights.
7. data is secure.
8. data is not transferred to other countries without adequate protection.

1. Fairly and lawfully processed:
Data provided by a client shall not be repackaged and sold to other parties, except for the client's express requirement for marine insurance. Each client's expectations for the use of data shall be implemented without exception.

2. Processed for limited and specific purposes:
Data is entered and recorded for the single purpose of providing marine insurance. Claims and accounting data is recorded for a period of at least seven years in conformance with applicable finance laws.

3. Adequate, relevant and not excessive:
Only the data needed to provide and service a marine insurance client is stored. Every data item has the single exclusive purpose of providing insurance providers with adequate client information so the correct insurance service can be provided.

4. Accurate and up to date:
Data quality is maintained with the use of permitted values in drop-down lists for all critical data. The user, date and time of each and every field value change is recorded so obsolete data can be automatically destroyed.

5. Not kept for longer than is necessary:
No data can be lost or deleted. All insurance data is retained for a period of at least seven years in annual archives. Where insurance data has not been used or changed for a period of more than seven years, then it is automatically destroyed without any human interaction. Where client data is provided for quotation purposes only, it is only retained for three years before it is automatically destroyed.
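The retention rules in sections 4 and 5 above (per-field change timestamps, three years for quotation-only data, at least seven years for everything else, automatic destruction with no human interaction) can be expressed as a small sweep routine. The following is an added example written for this page, not code from the application described; the Record shape, the record kinds and the sample data are assumptions constructed here.

```python
from dataclasses import dataclass
from datetime import date

# Retention periods taken from the policy text: quotation-only data is kept for
# three years, all other insurance data for at least seven years.
RETENTION_YEARS = {"quote": 3, "policy": 7, "claim": 7, "accounting": 7}


@dataclass(frozen=True)
class Record:
    record_id: str
    kind: str           # "quote", "policy", "claim" or "accounting" (assumed kinds)
    last_changed: date  # most recent entry in the per-field change log (assumed field)


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; 29 February clamps to 28 February."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def retention_action(rec: Record, today: date) -> str:
    """'destroy' once the record has gone unused for longer than its retention
    period, otherwise 'retain'. Nothing is ever deleted before that point."""
    if rec.kind not in RETENTION_YEARS:
        raise ValueError(f"unknown record kind {rec.kind!r}")
    cutoff = years_before(today, RETENTION_YEARS[rec.kind])
    return "destroy" if rec.last_changed < cutoff else "retain"


def run_retention_sweep(records, today: date):
    """Return (ids to destroy, retained ids grouped by annual archive year)."""
    to_destroy = []
    archives = {}
    for rec in records:
        if retention_action(rec, today) == "destroy":
            to_destroy.append(rec.record_id)
        else:
            archives.setdefault(rec.last_changed.year, []).append(rec.record_id)
    return to_destroy, archives


# Constructed sample data: one record just inside and one just outside each cutoff.
TODAY = date(2024, 6, 1)
LEAP_DAY = date(2024, 2, 29)
SAMPLE_RECORDS = [
    Record("Q1", "quote", date(2021, 5, 31)),   # 3 years + 1 day unused: destroy
    Record("Q2", "quote", date(2021, 6, 1)),    # exactly 3 years: still retained
    Record("P1", "policy", date(2017, 5, 31)),  # 7 years + 1 day unused: destroy
    Record("P2", "policy", date(2017, 6, 1)),   # exactly 7 years: still retained
    Record("C1", "claim", date(2020, 3, 15)),   # well inside retention
]

if __name__ == "__main__":
    destroy, archives = run_retention_sweep(SAMPLE_RECORDS, TODAY)
    print("destroy:", destroy)
    print("archives:", archives)
```

The sweep is deliberately one-directional: it only ever classifies records as retained or past their period, so the "no data can be lost or deleted" rule holds for anything younger than its retention window, and the destroy list is what an unattended job would act on. The archive grouping by last-changed year is one simple reading of "annual archives"; the leap-day clamp is the one edge case a date-based cutoff needs to handle.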

6. Processed in line with people's rights:
Data access control is implemented in accordance with each authorized person's assigned security role, where they can generally only process their own data or have read-only access to shared data. The moment that a person's access control role is revoked, they instantly lose access to any data they may have authored.

7. Is secure:
Client data can only be accessed by authorized people working from approved offices between certain hours of each day and for certain days of the week. Sign-in security facilities match best practice and all data access is continually monitored to identify and eliminate unusual behaviours.
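Sections 6 and 7 together describe one access decision: a role that may have been revoked, own data versus shared read-only data, and a sign-in window restricted to approved offices, permitted weekdays and hours, with every decision feeding the monitoring that looks for unusual behaviour. The following is an added example written for this page, not the application's own code; the Principal, DataItem and AccessWindow shapes, the office names, the window and the scenarios are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: Optional[str]  # None means the role has been revoked
    office: str


@dataclass(frozen=True)
class DataItem:
    item_id: str
    author_id: str
    shared: bool


@dataclass(frozen=True)
class AccessWindow:
    approved_offices: frozenset
    allowed_weekdays: frozenset  # datetime.weekday(): 0 = Monday ... 6 = Sunday
    opens: time
    closes: time


def decide(principal, item, action, when, window, audit):
    """Return (allowed, reason). Every decision, allowed or not, is appended
    to `audit` so the monitoring step has a complete trail to work from."""
    if principal.role is None:
        verdict = (False, "role revoked")  # revocation wins even for the author
    elif principal.office not in window.approved_offices:
        verdict = (False, "office not approved")
    elif when.weekday() not in window.allowed_weekdays:
        verdict = (False, "outside permitted days")
    elif not (window.opens <= when.time() < window.closes):
        verdict = (False, "outside permitted hours")
    elif item.author_id == principal.user_id:
        verdict = (True, "own data")
    elif item.shared and action == "read":
        verdict = (True, "shared data, read-only")
    else:
        verdict = (False, "not author and not shared read")
    audit.append({"user": principal.user_id, "item": item.item_id,
                  "action": action, "at": when.isoformat(),
                  "allowed": verdict[0], "reason": verdict[1]})
    return verdict


def unusual_users(audit, max_denials=2):
    """Users whose denied attempts reach the threshold; the kind of signal the
    continuous monitoring described above would raise for review."""
    denials = {}
    for entry in audit:
        if not entry["allowed"]:
            denials[entry["user"]] = denials.get(entry["user"], 0) + 1
    return {user for user, count in denials.items() if count >= max_denials}


# Constructed scenario: two approved offices, weekdays only, 08:00 to 18:00.
WINDOW = AccessWindow(frozenset({"London", "Southampton"}),
                      frozenset({0, 1, 2, 3, 4}), time(8, 0), time(18, 0))
ALICE = Principal("alice", "underwriter", "London")
BOB = Principal("bob", "underwriter", "Southampton")
CAROL = Principal("carol", None, "London")        # role revoked
DAVE = Principal("dave", "underwriter", "Home")    # not an approved office
ALICE_PRIVATE = DataItem("D1", "alice", shared=False)
ALICE_SHARED = DataItem("D2", "alice", shared=True)
CAROL_PRIVATE = DataItem("D3", "carol", shared=False)
MONDAY_10 = datetime(2024, 6, 3, 10, 0)
SATURDAY_10 = datetime(2024, 6, 1, 10, 0)
MONDAY_22 = datetime(2024, 6, 3, 22, 0)


def run_demo():
    """Replay the constructed scenarios and return (verdicts, audit trail)."""
    audit = []
    verdicts = [
        decide(ALICE, ALICE_PRIVATE, "write", MONDAY_10, WINDOW, audit),   # own data
        decide(BOB, ALICE_PRIVATE, "read", MONDAY_10, WINDOW, audit),      # not shared
        decide(BOB, ALICE_SHARED, "read", MONDAY_10, WINDOW, audit),       # shared read
        decide(BOB, ALICE_SHARED, "write", MONDAY_10, WINDOW, audit),      # shared, write
        decide(CAROL, CAROL_PRIVATE, "read", MONDAY_10, WINDOW, audit),    # revoked author
        decide(DAVE, ALICE_SHARED, "read", MONDAY_10, WINDOW, audit),      # unapproved office
        decide(ALICE, ALICE_PRIVATE, "read", SATURDAY_10, WINDOW, audit),  # weekend
        decide(ALICE, ALICE_PRIVATE, "read", MONDAY_22, WINDOW, audit),    # after hours
    ]
    return verdicts, audit


if __name__ == "__main__":
    results, trail = run_demo()
    for entry in trail:
        print(entry)
    print("users to review:", unusual_users(trail))
```

The check order matters: revocation, office and time window are evaluated before any data-ownership rule, so a revoked person is refused even on data they authored, which is the "instantly lose access" requirement in section 6. The denial count in unusual_users is a placeholder for whatever the real monitoring considers unusual; the point is that it runs over the same audit entries the decision function writes, rather than a separate log that could drift from it.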

8. Not transferred to other countries:
Data protection registration Z9322564 covers application data stored and accessed in the European Union, United States and Canada, but not any other country. All data is securely stored in encrypted databases in distributed UK data centers in conformance with PCI-DSS.