Published in TDAN.com July 2003
Abstract: Data Ownership issues are increasingly important to insurance companies, to insurance data collection organizations and to individuals. Companies face significant data quality problems,
which can be solved only if fragmented business units are able to transition from narrowly focused business process ownership concerns to an enterprise-wide data stewardship model. Data Collection
Organizations must balance the concerns of many parties who have an interest in the data they possess. Individuals have a right to privacy and confidentiality protection that to some extent is
limited by requirements for the common good to protect our safety. Business is struggling to come to terms with new realities of a world in which data is electronically available and widely shared.
This article presents ideas and concerns that were voiced at recent gatherings sponsored by the Insurance Data Management Association.
Are you a Data Owner? Do you know any Data Owners? Do you know people who think they are Data Owners when you think they are not? Just what does it mean to be a Data Owner, anyway? These questions
are on the minds of many people lately, but the answers are still being formulated.
Data Ownership was the focus of a Forum and Keynote address at the 2003 Annual Seminar of the Insurance Data Management Association (IDMA), held April 14 and 15 at the Westin Hotel in Philadelphia.
The Forum preceded the Annual Seminar and was open to all seminar attendees. Data Ownership was considered from 3 perspectives: the company, the data collection organization, and the individual.
Tracy Spadola of Teradata kicked off the Forum with a discussion of the company perspective. She made a distinction between Data Ownership and Data Stewardship. Ownership suggests that an
individual is empowered to make decisions alone, and that he can act to address the needs of his business unit. Owners design and control their own processes.
Stewardship, on the other hand, connotes a facilitation role. A steward uses a consistent, repeatable process to achieve alignment across the organization, and the needs of all areas are considered
when making decisions.
A third role is that of Custodian. The Custodian is responsible for the physical security of the data. It is a role often played by IT people who work closely with Business Data Owners. Custodians
administer the password access systems and provide backup and disaster recovery capabilities. These are people who create and enforce data standards and implement the physical data architecture.
Tracy pointed out that the way in which these roles are implemented within an organization has a big impact on the success a company will have in managing data quality. She cited statistics from
The Data Warehousing Institute and a Price Waterhouse Coopers study indicating that data quality problems are costing multiple billions of
dollars annually, but many companies are not investing in data quality improvement efforts.
Forum participants echoed Tracy’s concerns. They pointed out that data problems often arise when a data quality problem affects a downstream process that is considered out of scope for the
business owner who creates the data. When a data quality task force is established, it generally arises from within a reporting function and lacks authority to affect data collection. Data
Stewardship must replace parochial concerns of Data Ownership through recognition that the entire corporation owns the data. Data must be shared to the extent permitted based on concerns for
privacy and security. Creators must understand the needs of data users, and users must be accountable for the proper use and interpretation of data.
Tim Wisecarver of PCRB discussed Data Ownership from the perspective of a data collection organization. He cautioned the audience that his comments were not intended to provide legal
guidance in specific circumstances, that his observations were personal and not endorsed or sponsored by his employers and that he was speaking to current practices, recognizing that circumstances
pertaining to data ownership are subject to rapid and significant change.
Data Collection Organizations (DCOs) collect data from member insurers, prepare regulatory filings supported by such data and administer specified pricing programs under supervision and regulation
by various Insurance Departments. They strive to provide as much data as possible to as broad an audience as possible without raising “ownership” concerns. DCOs commonly think about “ownership”
in a couple of contexts – who can the DCO share data with, and who must the DCO share data with?
Interests in data can arise in many contexts. Among these contexts are the following:
- Who/what is the data about? This context will be referred to here as a “confidentiality” or “privacy” interest or ownership.
- Who “created” the data by keeping, collecting and/or organizing it? Refinements of this context might include considering who kept, collected or organized the data first, most recently and/or most substantively. This context will be referred to here as a “copyright” or “business” interest or ownership.
- Who has statutory or administrative access to the data? Parties often possessed of such access include regulators, governmental agencies and courts. This context will be referred to here as a “need to know” interest or ownership.
- Who has the data? This context will be referred to here as a “possession” interest or ownership.
A given “piece” of data may have multiple legitimate “owners” or related “interests” depending on circumstances. For example, consider a Unit Statistical Report and related Individual Case
Report on a permanent total case in workers compensation insurance.
The claimant has a “confidentiality” or “privacy” interest in information that would identify him/her, the nature of their injury and treatment, and/or benefits paid or payable on the case.
The employer has a “confidentiality” or “privacy” interest in the payrolls by classification and numbers and amounts of claims incurred reported on the Unit Statistical Report. The insurer has
“confidentiality”, “business” and “possession” interests in the Unit Statistical Report.
The carrier has applied underwriting, claims, audit and/or data processing disciplines to the collection and formatting of the data. Further, the data represents a part of the book of business
competitively underwritten by the carrier. Clearly, the carrier also “has” the data in hand.
The DCO has “production”, “possession”, and “copyright” interests in the Unit Statistical Report. The DCO has applied various technical and data processing disciplines to the collection and
verification of the data, and further has developed various processes and procedures that utilize unit statistical data to promulgate rating values for employers, classifications and/or statewide
markets. Clearly, the DCO also “has” the data in hand.
The state Insurance Department has a regulatory or “need to know” interest in the Unit Statistical Report. The utility of individual reports may vary, from serving as a means of verifying
accuracy and/or completeness of broader statistical summaries to supporting market conduct examinations or examinations of DCO and insurer processes and procedures.
Various parties will approach DCOs from time to time seeking information falling across a broad continuum from general information routinely distributed at no charge to complex and unique research
projects using entire bureau databases and possibly involving integration with information obtained from other sources.
In considering such requests, “ownership” interest(s) in the data involved is one factor (but definitely not the only factor) that DCOs may weigh.
We believe that DCOs have “copyright” or “business” interests in all the data they collect, organize, analyze and maintain. While DCOs guard against inadvertent disclosure of individual claim
data, DCO records are rarely possessed of claimant-level detail of great interest for parties other than the employee, employer and/or carrier (all of whom have the DCO’s data and more already in
hand).
Under current practices, many DCOs will release Unit Statistical Reports to the employer on the theory that this data is about them and affects their workers compensation insurance pricing. DCOs
may also give this data to others with the employer’s authorization. Finally, this data is available to the current carrier of record, even if they did not previously insure the risk.
Except for regulatory inquiries, many DCOs will not distribute carrier-specific data in either detail or summary form. Where regulatory inquiries are made for this type of data DCOs will often
provide data that they have after notifying the carrier(s) involved of the request and the response that will be given. DCOs routinely prepare and disseminate summaries of large numbers of Unit
Statistical Reports (i.e., by risk classification, policy year, hazard group, etc.). These summaries assist various marketplace decisions without violating “confidentiality”, “copyright” or
“possession” interests of the various entities arguably associated with the individual Unit Statistical Report components of such summaries.
DCOs may also provide broad access to a variety of employer-specific data deemed helpful and/or necessary for the efficient operation of the market (i.e., employer name, address, classification(s),
experience modification, effective date of policy) and not sufficiently sensitive as to invoke “confidentiality” concerns.
If and when our own DCOs have any question about the sensitivity of disclosure of selected data, we seek legal counsel and/or authorization, or at least acknowledgment of the regulator, before we
proceed with any responsive disclosure.
DCOs maintain a “copyright” interest in all applications, presentations, compilations and derivative works created from the unit statistical data reported to them by carriers. They generally
don’t disclose sensitive detail for specific cases or about specific “owners”, and guard against unauthorized copying or downloading of replicas of all or significant parts of their (i.e., the
DCOs’) aggregate data bases.
A discussion followed in which forum participants expressed concerns about the variety of attitudes among states and regulators relative to protecting the confidentiality of information submitted
to regulators by data collection organizations. There was also concern about the difficulty in protecting the business interest of the data collection organization that has developed considerable
expertise in assuring data quality.
Sara Schlenker of Allstate Insurance Company introduced the third perspective – that of the individual to whom the data pertains. One important responsibility of a data owner is to control access
to sensitive data. Several pieces of legislation impact how certain types of sensitive personal information must be treated. Sometimes the intent of the legislation is to protect individual
privacy, and as such it reinforces the notion that the information is the property of the individual. The insurer is granted limited permission to use the data and must act accordingly. Other
legislation is intended to protect society and requires the insurer to use data in a manner that wouldn’t necessarily be condoned by the individual. In either case, the legislation can require
insurers to significantly change their business processes.
A brief list of legislation that impacts how personal data can or must be used is as follows:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the protection of the privacy of medical records. It puts stringent limits on which records an
insurer can access to verify the validity of a claim. Both insurers and medical providers have found it difficult to comply with this legislation.
The Gramm-Leach-Bliley Act of 1999 requires protection of non-public personal information. Companies must inform customers what information of this type they collect and with whom
they might share it. Customers have a right to withhold permission for the company to share the information with others.
The Office of Foreign Assets Control (OFAC) is part of the Treasury Department. It operates under 9 basic statutes. Here are some of the salient points:
- The Specially Designated Nationals and Blocked Persons List contains over 5000 variations of names of people, organizations, and vessels with which an insurer can’t do business.
- An insurer is also prohibited from covering an entity that will provide coverage to someone on the list (e.g., an insurer can’t even issue a workers compensation policy to an entity that employs someone on the list).
- Large fines and jail time are provided for some violations.
- An insurer is not permitted to issue new policies to individuals on the list, but the list is updated daily, so an insurer might have issued a policy to someone who is added to the list. Insurers should work with OFAC if they have issued a policy that covers someone added to the list.
- Designating a Compliance Officer and establishing an audit procedure is recommended. It is expected that insurers will keep current with list changes.
USA PATRIOT Act
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (Oct. 25, 2001)
HR 3162 RDS
- P&C carriers are exempted, but Life insurers are not.
- Know your customer – The law requires not only that an insurer has correct information about its customers, but that it detects patterns of suspicious activity.
Information security is a growing issue, both because of this legislation and as a response to the increasingly open environment of shared information. Several issues come to mind concerning the
implementation of the security needed to protect personal information.
- Application vs. data content basis for applying security – Traditionally password security has been implemented on an application basis, but it might be more appropriate to consider the information content.
- Security classification – It is natural to define classifications such as ‘public’ or ‘restricted’ based on data content, but context can be important as well.
- Ownership carries obligations relative to safeguarding information, but the scope of the ownership obligation is increasingly difficult to determine.
- Who owns what data?
- How do you ensure consistency of treatment across multiple owners?
- Can information be safeguarded when external communication is required?
The discussion that followed focused primarily on the difficulty of complying with OFAC requirements. One difficulty arises from the fact that the list itself is constantly changing and does
not provide definitive match criteria. One must separate the true individuals of concern from the false positives. The second difficulty arises because of the sweeping scope of the implications.
Claim payments as well as policy issuance are affected, but insurers are not released from their obligations to make timely claim payments. Escrow accounts must be established to hold payments to
individuals suspected of being on the list.
The Keynote Address presented at the IDMA Annual Meeting served to reiterate many of the ideas discussed at the IDMA Forum on Data Ownership. In her address, Sara Schlenker drew parallels between
Data Ownership and Vehicle Ownership. Ownership implies both privileges and responsibilities. Data Ownership considerations are not intuitive for most people, but they can become more
understandable when related to vehicle ownership, which is second nature for most of us. To view the text of Sara’s talk, see the IDMA website at www.IDMA.org.
The Insurance Data Management Association (IDMA) is a not-for-profit professional society devoted to promoting the data management profession within the insurance industry.