FILE RETENTION: PROFESSIONAL INDEMNITY INSURANCE AND GDPR
Under GDPR there is no general right to hold and process personal data
The General Data Protection Regulation (GDPR) came into force on 25 May 2018. Under GDPR there is no general right to hold and process personal data. Any such gathering, processing and retention must now be justified under one or more of the six lawful bases specified by the regulation.
A consequence of GDPR is therefore that where retention of personal data cannot be justified, the data must not be held, i.e. it must be deleted or otherwise destroyed.
This has led to concerns as to whether GDPR requirements conflict with Professional Indemnity (PI) Insurance requirements.
The issue of retention of data from the PI insurance perspective is not new in any event, and a regularly occurring question from practitioners is – how long should we keep files for PI purposes?
Claims handling experience “on the ground” can provide a substantial steer in answering this question.
It is very difficult to defend a PI claim in the absence of a file; the claimant can rewrite history, and in the absence of evidence to the contrary, it can be very difficult to prove what actually happened.
At best this increases claims costs. At worst it may be prejudicial to the insurers and the PI insurance response to the claim may be affected. Some insurers therefore have stringent conditions relating to the preservation of records within their policy wordings, although it should be noted that an insurer does not need an explicit condition to claim prejudicial behaviour.
As such, retention of information can be looked at in the context of statutory limitation periods for professional liability claims. Since a firm can be liable for hidden issues up to a long-stop of 15 years, firms should generally be considering file retention from the perspective of a 15 year period, rather than shorter limitation periods such as the 6 years applicable under negligence and simple contracts.
Whilst practice and advice around GDPR is still crystallising, it would seem that this same perspective can feed into consideration of personal data retention under GDPR. In fact, there is not a conflict between PI requirements and GDPR, and the PI concerns potentially provide required justifications under GDPR.
Personal data will be needed in terms of maintaining a firm’s file regarding work that it has performed, and as noted above this is of immediate relevance in defending a claim of negligent provision of professional services against the firm.
As such there is potentially justification under 3 of the bases for processing personal data, as follows:
- Article 6.1 (b) (Performance of a Contract): the firm needs to maintain the data in order to perform its obligations under a contract (i.e. the engagement with the client for those services).
- Article 6.1 (e) (Task carried out in the Public Interest): arguably a professional firm meeting its responsibilities in the event of a client having a genuine claim is in the general public interest (i.e. society as a whole is worse off if professional firms do not financially repair the consequences of bad advice or poor provision of services, because their PI insurance did not respond, in turn because they prejudiced their PI insurer's position by deleting information).
- Article 6.1 (f) (Legitimate Interests): the firm is entitled to defend itself against claims made against it, and requires the data in order to assess and defend such a claim.
In considering the above, a firm should be careful that it does not take too broad-brush an approach to the different types of personal data it holds. GDPR requires analysis of what is held, followed by specific justification in respect of each set of personal data. It should therefore be noted that the above justifications will not apply to personal data which does not form part of client files.