Part one of this seminar covered asbestos claims. Whilst the use and handling of asbestos is highly regulated today, local authorities are having to deal with the legacy of claims that arise from a time when asbestos was not properly controlled in working, school, housing and leisure environments. The second part of this seminar focused on the General Data Protection Regulation and how will it impact insurance teams.
3. Mesothelioma claims
Represent about 80% of the cost of asbestos based
claims to the insurance industry
Mesothelioma is a type of cancer that develops in the
lining that covers the outer surface of some of the
body's organs (often the lungs). It is linked to
asbestos exposure.
5. Mesothelioma claims - what is
changing?
• 2002 – 1,600 claims
• 2006 – 2,500 claims
• 2010 – 3,250 claims
• 2014 – 3,500 claims
Recent experience shows a stable but increasing
notification trend of claims
The increases in claims notified appears to be slowing
down
6. Mesothelioma claims – what’s
changing – average costs
2002 - £69,000
2006 - £75,000
2010 - £87,500
2104 - £97,500
Inflation is running at about 3-4% per annum
Paid at nil are running at between 21% and 23%
7. Mesothelioma – what’s changing –
Claimant age at notification
2002 – 67
2006 – 69
2010 – 73
2014 – 74
Which means that you are dealing with older claims
for your authority (or a predecessor authority)
11. Mesothelioma claims – death
rates
HSE projection peaks in 2016
Other projections peak higher and later (2018)
Revised HSE projection moved back to 2015 but
peaked higher (about 1%)
12. Mesothelioma claims – what
might change
Medical advances –
longevity (40% of sufferers survive one year, 20%
survive two years)
Cure – impact on claims depends on how the cost of
the cure compares to the cost of death benefits
A double lung transplant costs £360,000,
chemotherapy cost £26,000
13. Mesothelioma claims – what
might change?
Mortality improvements – increased longevity means
more exposed lives develop mesothelioma
Exposure pattern – the long latency period means we
know little about underlying exposure from late
1970’s onwards
14. Mesothelioma – what might
change
Inflation –
Medical - costs eg drugs
Legal – court fee increases, changes to Ogden
discount rates, case law
15. Mesothelioma claims – MMI
Annual Report and Accounts for year ending 30 June
2016
“An increase in the provision for mesothelioma claims
has not been required this year as reporting
patterns for new mesothelioma claims have
stabilised”
16. Mesothelioma claims – MMI
“The Employers Liability mesothelioma account
remained stable due to slightly fewer new claims
being reported compared with the previous year, but
the very nature of these claims makes future
projection uncertain”
17. Lord Justice Brown: 2011
defending a mesothelioma case: “a lost
cause”
• Sienkiewick v Grief & Wilmore v
Knowsley MBC
18. Prescott v University of St
Andrews 2016
• Evidence of exposure to be positively proved by the
CLAIMANT
• ONLY THEN consider if exposure negligent.
19. Smith v Portswood House 2016
• Burden of proof remains with the claimant
• “substantial dust” is more than “not negligible” (FA
S63 1961)
• Expert evidence: exposure as proved v relevant
HSE guidance and standard of care
• Williams v University of Birmingham
20. Heneghan –v- Manchester Dry
Docks Ltd & 5 others 2016
• 2 stage test: “what” and “who”
• “Fairchild” exception applies to “who”
• Damages divisible = conventional apportionment
• Barker v Corus 2006 applied
21. Carder v University of Exeter
2016
• A cautionary tale……
• Lord Dyson:
“I recognise that Mr Carder has been awarded a sum
which is small when compared with the costs of this
litigation. That is regrettable. But litigation of this
kind is often necessarily factually complex.
Defendants faced with claims whose costs are likely
to be out of proportion to the damages likely to be
awarded after a trial should try to settle them early.”
22. Sanderson v City of Bradford MBC
• Cautionary tale 2….
• Genuine reason for delay
• No prejudice to defendant
• Prejudice caused by defendant
• Good case on the merits
• S33 Limitation Act applied.
• ..how to avoid?
23. Clark v Enfield Council (as successors
in title of Middlesex County Council)
and Balding & Mansell Ltd
• Claim for malignant mesothelioma in living
Claimant
• Caretaker from 1958 to 1962/3 with E
• Employed by B&M from 1969/70 to 1992/93
• Likely repeat low level exposure with both E and
B&M
24. Date of knowledge of link between low
levels of exposure/mesothelioma?
• Need for expert evidence – Occupational hygienist
• Newhouse and Thompson report (1965) published in
Sunday Times 31/10/65
• Prior to 31/10/65, concern was of link with substantial
exposure (e.g. stripping lagging from boilers)
• Claimant’s exposures not “substantial” judged by the
standards of the time – i.e. not foreseeable
• Claim has discontinued against E with B&M paying all of
C’s damages and costs.
25. Talk to us…
Matthew Harpin| 0121 237 3970
matthew.harpin@brownejacobson.com
Bridget Tatham| 0121 237 3916
bridget.tatham@brownejacobson.com
David Maggs| 020 7337 1005
david.maggs@brownejacobson.com
27. Will GDPR apply to the UK?
• Yes
• No information as to how it will apply
• Tinkering with GDPR post-Brexit?
• Favourable exemptions?
28. General Data Protection
Regulation(GDPR)
• New definitions
• New principles for Data Processing
• Data Subject Rights
• Consent
• Information to be provided to Data Subjects
• New Data Controller Obligations
• Data Processor Obligations
• Data Protection Officers
• Mandatory Breach Notification
• Increase in Liability and Sanctions
29. Aim of the Reform
• A uniform regime
• Greater rights for data providers
• Enhancing confidence in security
• Increased accountability
• Reduction in bureaucracy
30. Territorial Scope
• All data controllers and processors
– Operating within the EU – whether or not the
processing takes place in the EU
– Outside the EU that offer goods and services to data
subjects in the EU
– Outside the EU that monitor the behaviour of data
subjects to the extent that the behaviour takes
place in the EU
31. Definitions – personal data
Current
Data relating to a living individual who can be identified
from those data or from those data and other information
which is in the possession of, or likely to come into the
possession, of the data controller.
Future
An identifiable person who can be identified directly or
indirectly, in particular by reference to an identifier such
as name, identification number, location data, online
identifier or to one or more factors specific to the physical,
cultural, physiological, genetic, mental, economic, cultural
or social identity.
32. Special categories of data
• Data revealing-
Race or ethnic origin
Political Opinions
Religious or Philosophical Beliefs
Trade Union Membership
Health or Sex Life and Sexual Orientation
Genetic or Biometric data in order to uniquely identify
a person
• Processing of any/all of the above prohibited subject to
exceptions
33. Definitions – data processing
• Current – obtaining, recording or holding the
information or data or carrying out any operation
or set of operations on the information or data
including altering, retrieving, disclosing, blocking
erasing or destroying the information
• Future – any operation or set of operations which
is performed on personal data whether or not
automated including collecting, recording,
organising, structuring, storing, adapting, altering,
disclosure, erasure or destruction.
34. Principles for data processing
• Data must be processed lawfully, fairly and in a transparent
manner
• Data must only be collected for a specified, explicit and
legitimate purpose
• Data must only be processed to the extent that it is adequate,
relevant and limited to what is necessary in relation to the
purpose for which they are processed
• Data must be accurate and up to date. Data which is inaccurate
should be erased or rectified without delay
• Identifiable data should not be kept longer than is necessary
• Ensure appropriate security of the data
• Ensure compliance with the Regulations.
35. Lawful basis of processing
• Consent
• Contractual necessity
• Legal Obligation
• Vital Interests of the data subject or of another
natural person
• Public Interest or exercise of official authority
• Legitimate interests of data controller or third
party to whom data is disclosed (but not to a public
authority).
36. Consent
• Must be freely given, specific, informed and unambiguous
• Must be given by a statement or a clear affirmative action
• If written, should be distinguishable from any other
matter
• Withdrawal of consent should be as easy as grant of
consent
• Purpose limited – loses validity when the purpose ceases
to exist
• Burden of proof on the data controller to show consent
freely given
37. Data subject rights
• Data subjects can require:
Inaccurate personal data be corrected or incomplete data be
completed including by way of supplementing a corrective
statement
Personal data in a machine readable and structured format
commonly used by the data subject and allows for further
use
The data controller to delete their personal data where
certain conditions are met
38. Data subject rights: continued
Restriction of processing of personal data – so that this can
only be held by the controller and used for limited purposes
Transfer of personal data from one data controller to
another (“data portability”)
Processing of personal data not take place for direct
marketing, including profiling
Not to be subject to a decision based solely on automated
processing, such as in connection with insurance premiums
The rights of access, rectification, erasure and the right to
object must be given effect free of charge
39. Information to be provided
• Data controllers must provide the following to data subjects on
request:
Identity and contact details of data controller and data protection
officer
Intended purpose of processing and period for which data will be
stored
Existence of rights: access, rectification, object and erasure
Right to lodge a complaint internally and to a supervisory authority
Recipient or categories of recipients to whom data will be disclosed
Intention to transfer to another country or international organisation
• Information must be concise, transparent, intelligible and easily
accessible
• Must be provided in writing unless otherwise requested.
40. Controller vs Processor
• The GDPR applies to ‘controllers’ and ‘processors’
• Broadly the same as under DPA
Data controller says why and how personal data is
processed
Data processor acts on behalf of the controller
• Data processors now have direct obligations
41. Data controller obligations
• Designate a data protection officer (where required)
• Appoint a sub-processor
• Adopt policies and implement appropriate technical
and organisational measures to ensure and be able to
demonstrate compliance with GDPR
• Implement security requirements
• Deal with privacy impact assessments
• Comply with requirements of supervisory authority
• Report breaches to the supervisory authority and
affected data subjects
42. Data processor obligations
• Designate a data protection officer (where required)
• Appoint a sub-processor only with authorisation of a data
controller
• Adopt policies and implement appropriate technical and
organisational measures to ensure and be able to demonstrate
compliance with GDPR
• Implement security requirements
• Comply with requirements of supervisory authority
• Maintain a written record of all personal data processing carried
out on behalf of a data controller
• Notify data controllers without undue delay after becoming aware
of a breach
43. Non-compliance by data
processors
• Sanctions by regulator
• Damages claims from data subjects
– failure to comply with lawful instructions of data
controller
– apportionment between data controller and data
processor
• Damages claims from data controllers
44. Data Protection Officer
• Data controllers and data processors must
designate a Data Protection Officer where:
– The processing is carried out by a public authority
– The processing requires regular and systematic
monitoring of data subjects on a large scale
– The core activities consist of processing large scale
special categories of personal data
45. Responsibilities of Data
Protection Officer
• Inform and advise the data controller/processor
• Monitor the implementation and application of the
Regulations and the data protection policies
• Monitor Impact Assessments and breaches
• Point of contact for Supervisory Authority
46. Mandatory breach notification
• Notify data protection authority without undue delay
and, where feasible, within 72 hours of awareness –
reasoned justification required where timeframe is not
met
• Notify the affected data subjects without undue delay –
where there is a “high risk” to their rights and
freedoms
• Not required if breach is unlikely to result in a risk to
the rights and freedoms of individuals
• Adopt internal procedures for data breaches
47. Consequences of a data breach
• Level 1: €10,000,000 or 2% total worldwide annual
turnover
• Level 2: € 20,000,000 or 4% total worldwide annual
turnover
• Factors taken into account when determining fine:
Nature, gravity and duration of the breach
Whether breach intentional or negligent
Previous breaches by the data controller/processor
Technical and organisational measures in place.
48. Next steps
• Enforceable from 25 May 2018
• Where consent is relied upon as the basis for processing, consider
whether this is valid under the GDPR
• Review all communication and information to ensure all necessary
information is stated
• Review systems to ensure that new obligations can be met, such as
data portability
• Review processes and procedures for reviewing and reporting data
breaches, and implement appropriate policies
• Consider whether it is necessary to appoint a DPO
49. Next steps
• Consider the relationship between various parties to an
agreement, who is the data controller/processor in relation to
what personal data, and the obligations on each
• Review agreement between controllers and processors to ensure
appropriate arrangements are in place
• Consider the rights of the data subject. How will you deal with
requests for erasure?
• Consider the impact of Brexit, including which parts of your
operations are within the UK or elsewhere
• Consider where personal data of individuals within the EU and
outside of the EU is processed and how this impacts on your
obligations