PRIVACY POLICY
At Lancashire we are committed to protecting and safeguarding your privacy whenever we are handling your Personal Information. This privacy notice is part of this commitment and aims to provide you with an overview of how and why we might collect, use, or disclose your Personal Information. It also provides information about your rights and choices when it comes to your information when it is in our care.
About this notice and us
This notice was last updated on January 8th 2025 and is effective from February 1st, 2025.
Lancashire are a provider of global specialty insurance and reinsurance products operating in Bermuda, London, the U.S. and Australia. This notice covers all lines of business and legal entities that make up the Lancashire group of companies. In this notice, references to “Lancashire”, “we”, “our” or “us” are to the entity within the Lancashire group of companies that uses your Personal Information.
This notice applies to any individual about whom we may collect and use Personal Information for insurance business (including reinsurance) and compliance purposes. Normally, when we do this, Lancashire will be the controller of your Personal Information, meaning we are responsible for determining how your information is used by us and accountable for following applicable privacy and data protection laws when we do so.
All privacy queries are handled centrally by:
Lancashire Insurance Services Limited, 20 Fenchurch Street, London, EC3M 3BY, UK.
You may also contact us by email at privacy@lancashiregroup.com
If you are both a United States resident and either have a policy underwritten by Lancashire Insurance Company (UK) Limited or are a Business Contact, you should also refer to our US privacy notice, which can be found at: https://us.lancashiregroup.com/privacy
The types of Personal Information we collect, use and disclose and why
To enable us to operate our (re)insurance businesses and deliver our services, we may collect, use or disclose the following categories of Personal Information about you:
- individual details (such as name, address, contact details, gender, date of birth);
- identification details (which may include IDs issued by government agencies or bodies);
- financial information (such as bank and payment details, payments);
- policy administration details (such as quotes and risk details relevant to a prospective or contracted insurance policy);
- current and previous claims (which may include Sensitive Personal Information such as physical or mental health information);
- Sensitive Personal Information (see definitions section at the end of this notice)
- credit or anti-fraud data (including sanctions or financial crime related information from shared fraud databases)
- preferences, for how we contact you or permissions for marketing; and
- other transactional information (such as your interactions and communications with us or use of our services).
Our policy is to follow the proportionality or data minimisation principles common to most privacy and data protection laws, by only collecting or using the least amount of Personal Information necessary for the processing purpose.
For the purpose of quoting for or setting up insurance cover, we may collect, use or disclose:
- individual details;
- identification details;
- financial information;
- policy administration details;
- current and previous claims;
- credit and anti-fraud data;
- preferences; and
- transactional information.
For the purpose of administering an insurance policy, we may collect, use or disclose:
- individual details;
- financial information;
- policy administration details;
- current and previous claims;
- preferences; and
- transactional information.
For the purpose of renewing an insurance policy, we may collect, use or disclose:
- individual details;
- policy administration details;
- current and previous claims; and
- preferences.
For the purpose of processing insurance claims (or defending or prosecuting legal claims) we may collect, use or disclose:
- individual details;
- identification details;
- financial information;
- policy administration details;
- current and previous claims;
- Sensitive Personal Information (physical or mental health including disability, criminal convictions or offences, or protected characteristics);
- credit and anti-fraud data; and
- transactional information.
For the purpose of complying with legal requirements and regulatory obligations we may collect, use or disclose:
- individual details;
- identification details;
- financial information;
- policy administration details;
- current and previous claims;
- credit and anti-fraud data; and
- transactional information.
For the purpose of monitoring, developing, improving and safeguarding our business services or securing our systems we may collect, use or disclose:
- individual details;
- identification details;
- financial information;
- policy administration details; and
- transactional information.
Your rights
Under privacy and data protection laws we must identify the ‘lawful basis’ for our processing (also known as condition for use) of your Personal Information. Which lawful basis we rely on for each purpose (as listed in the next section) may affect your rights as set out below.
You may have certain rights as an individual, which you can exercise for Personal Information we hold or plan to hold about you. If you make a request to exercise any of your rights, we reserve the right to ask you for proof of your identity, including asking for Personal Information such as your name and customer or policy number to compare against our business records. To exercise your rights, please contact us using one of the contact methods given in the ‘About this notice and us’ section above. We aim to acknowledge your request as soon as possible and to address your query within one month from your request.
We offer you the following rights:
Your right to access (request to know): You are entitled to a confirmation to how we are processing or using your Personal Information, a copy of your Personal Information, and information about the purposes we are processing or using it for, who we disclose it to, whether we may transfer it abroad and how we protect it if so, how long we keep it for, what rights you have, where we get your data from and how you can make a complaint.
We may have to decline a request due to legal restrictions. This could include, but is not limited to:
- the information is subject to solicitor (or attorney) client privilege;
- providing the information would reveal Personal Information about a third party; or
- providing the information could compromise the investigation of a claim.
Your right to rectification (request to correct): If you believe the Personal Information we hold about you is inaccurate or incomplete, you can request for it to be rectified.
Your right to erasure (right to be forgotten, request to delete or destroy): You have the right to ask us to erase your Personal Information in certain circumstances, for example, if you believe it is no longer needed for the purposes for which it was collected. However, this will need to be balanced against other factors that require us to retain Personal Information. For example, there may be certain legal or regulatory obligations that may prevent us from completing your request.
Your right to data portability: If you provided us with Personal Information, you can ask us to transfer that Personal Information to another third party of your choice.
Your right to restrict and/or object to processing (or block): You have the the right to restrict and/or object to the processing or use of your Personal Information in certain circumstances. For example, where the processing relies on our legitimate interests as the lawful basis for processing or condition for use, you also have an absolute right to block your Personal Information from being used for direct marketing.
The right to human intervention: If we are processing or using your Personal Information to make decisions concerning you that are fully automated, you may have the right to request that this automated decision is reviewed. You have the right to make this request, but there is no relevant activity currently undertaken by us of this nature.
The right to withdraw consent: If we are processing or using your Personal Information under your consent, you can withdraw consent for any further communication or use of the information collected, assuming it is no longer needed for the purposes it was collected.
The right to complain: If you are unhappy with how we have responded to you exercising any of the rights listed in the notice, you have the right to complain to the applicable supervisory authority. See the ‘How to complain’ section of this notice below.
Our lawful bases for the collection and use of your Personal Information
The lawful bases (or conditions for use) that we rely on are described below:
Consent: you have been supplied with all the relevant information and given or indicated your permission - the standard of consent required may vary depending on which privacy and data protection laws apply to our relationship with you (e.g. based on your country of residence or where processing takes place and whether this involves the use of Sensitive Personal Information).
Contract: we have to collect or use the information so we can enter into or carry out a contract to which you are a party.
Insurance purpose: where necessary for insurance purposes to the extent permitted by applicable privacy and data protection laws.
Legal obligation: we have to collect or use your information to comply with the law (and our associated regulatory obligations) or as otherwise legally permitted.
Legitimate interests: we are collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone (or in a way that might prejudice the rights of the individual). We list what the legitimate interests concerned are for each purpose listed in this notice below.
For each purpose listed in this notice, the lawful bases we rely on are as follows:
Quoting for and setting up insurance: Consent, contract, legal obligation, legitimate interests (assess risk to determine correct price and product; collect or refund payments or debts; communication with clients, beneficiaries, claimants and Business Contacts; detect or prevent fraud, financial crime, anti-money laundering, sanctions).
Administering or renewing an insurance policy: Consent, contract, legitimate interests (managing policy; communication with clients, beneficiaries, claimants and Business Contacts; collect or refund payments or debts).
Processing claims: Consent, contract, insurance purpose, legal obligation, legitimate interests (validate, quantify and pay claims; defending or prosecuting legal claims; detect or prevent fraud, financial crime, anti-money laundering, sanctions).
Legal and regulatory obligations: Consent (where needed); legal obligation.
Operating and securing our business services and systems: Legal obligation; legitimate interests (security of our systems and electronic communications; communication with clients, beneficiaries, claimants and Business Contacts; investigate and respond to complaints; defending or prosecuting legal claims; business analysis, marketing and development).
Where we get Personal Information from
For the purposes described in this notice, Personal Information may be collected by us either:
- from you directly (including in your capacity as a Business Contact);
- concerning a relevant individual* from: your legal representative, your employer, the Named Insured or their representative (such as an intermediary, broker, or another insurer); or
- other sources: from government agencies, social networks or other publicly available sources (where necessary and to extent legally permitted).
[* Note: If a Named Insured or their representative wishes to provide us with Personal Information about another person for the purposes of a claim made under an insurance policy, they should ensure that the person has been made aware of the content of this privacy notice.]
Who we disclose to or exchange Personal Information with
We may disclose the above categories of your Personal Information for any of the uses or business purposes described in this notice with:
- nominated third parties (for example, intermediaries, third party administrators, or managing general agents), in the course of running our business and administering your policy;
- our processors or service providers, who help us to operate, review and provide our services or provide us with professional services or advice (we contractually require all such organisations to respect the confidentiality and security of any Personal Information they are given access to and check their compliance);
- regulators, law enforcement, or government bodies (to the extent such disclosures are legally permitted or obliged); and
- other entities within the Lancashire group (who assist in the above purposes).
We do not sell and only disclose your Personal Information to processors and third parties to enable us to deliver our services and not for them to be able to use your information for their own purposes (unless they have a separate agreement with you). Your Personal Information is not used by us for other purposes (not listed in this notice) without your knowledge and agreement.
How we store your Personal Information
Your Personal Information is securely stored and protected by appropriate administrative procedures and technical controls, in line with industry practices. This includes the application of access controls and encryption or de-identification techniques, with due consideration being given to the sensitivity of the data concerned. The controls are monitored, and subject to review at least annually.
How long we keep your Personal Information will be determined by what information is collected and the purpose or purposes it was collected for (in accordance with this notice). The factors to be considered include how long it is needed:
- to deliver our contracted services;
- to comply with our legal, accounting, and regulatory obligations;
- to further satisfy required periods set (or as permitted) by law or as recommended by our regulators; and
- to defend or protect our legal rights.
Our policy is to follow the storage limitation principle common to most privacy and data protection laws, meaning that when your Personal Information is no longer needed for the above considerations, it will be securely removed or erased.
If you would like to know more about how long your information will be retained, please contact us using one of the contact methods given in the ‘About this notice and us’ section above.
International transfers of information
Due to the global nature of our business and the technologies we rely on, your Personal Information may be transferred, stored, or otherwise processed outside of the country of origin by and between us, our processors, or service providers for the purposes set out in this notice. All such transfers are conducted in accordance with the relevant legal requirements and safeguards for the transfer and adequate protection of Personal Information outside of the UK or the originating jurisdiction, as applicable.
If you would like to know more about such transfers, please contact us using one of the contact methods given in the ‘About this notice and us’ section above.
How to complain
If you have any questions or concerns about our use of your Personal Information or if you would like to appeal any of our decisions in response to one of your requests, you may contact us by writing to:
Group Data Protection Officer, Lancashire Insurance Services Limited, 20 Fenchurch Street, London, EC3M 3BY, UK or email privacy@lancashiregroup.com.
You also have the right to complain to an applicable supervisory authority (regulator) if you remain unhappy with how we have used your data or responded to your rights request.
In the UK:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF, UK
Website: https://www.ico.org.uk
In Australia:
Office of the Australian Information Commissioner, GPO Box 5288, Sydney, NSW 2001, Australia
Website: https://www.oaic.gov.au/privacy/privacy-complaints
In Bermuda:
Office of the Privacy Commissioner for Bermuda, Maxwell Roberts Building, 4th Floor, 1 Church Street, Hamilton, HM11, Bermuda
Website: https://www.privacy.bm/report-a-concern
Glossary of Terms
Business Contact – an individual about whom we may collect Personal Information (including contact and other personal details as necessary for maintaining a business relationship) in the process of quoting, arranging and administering insurance policies.
Named Insured – the Named Insured shown in your Policy (and any other person or organization qualifying as a Named Insured under your Policy or as defined in your Policy documentation).
Personal Information - information that relates to or describes an identified or identifiable individual, where that individual is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Sensitive Personal Information – is subset of Personal Information that describes certain types of information that are more sensitive in nature and which generally require greater protection - by security and specific conditions for processing or use of such data being needed for it to be lawful (for example, your explicit, prior consent or a legal obligation).
Under UK privacy and data protection law (and similarly under Australian law) the types of Sensitive Personal Information would be:
Special categories: racial or ethnic origin; political opinions; religious or philosophical beliefs; professional affiliation or membership; genetic information; biometric information; health (physical or mental including disability); sex life; sexual orientation plus criminal convictions or offences.
For Bermuda this would mean Personal Information relating to:
an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information.