Data Protection and Privacy Policy

Who Are We?

Iprism is a trading name of Iprism Underwriting Agency Limited. Iprism is authorised and regulated by the Financial Conduct Authority (FCA) and our permitted business is for the provision of regulated products and services, assisting in the administration and performance of a contract of insurance. FCA firm reference number: 460209. Registered office address: 6th Floor, John Stow House, 18 Bevis Marks, London, EC3A 7JB. Company number: 05604278.

Iprism is the "data controller" of your client(s)’s information you as the broker provide us with. This term is a legal phrase used to describe the person or entity that controls the way information is used and processed.

As part of compliance under the Data Protection Act 2018, Iprism is registered with the Information Commissioner’s Office (ICO) in the UK. ICO registration number: Z9688124.

Why we collect your client’s data

We collect data for the purposes of:

• Providing insurance quotations;
• Underwriting insurance policies;
• Managing insurance policies; and
• Processing insurance claims.

The nature and depth of this data varies from case-to-case but constitutes the data required to ascertain risk and provide the relevant service you have asked us to provide to safeguard your client(s), shaped by insurance industry best practice.

Processing is limited to what is necessary and is carried out lawfully, fairly and transparently.

Lawful Basis for Processing Personal Data

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Iprism processes personal data only where a lawful basis applies. In the context of insurance, these lawful bases include:

• Performance of a Contract – where processing is necessary to provide insurance quotations, underwrite policies, administer insurance contracts and process claims
• Legal and Regulatory Obligations – where processing is required to comply with FCA rules, financial crime legislation, record-keeping requirements, or other legal obligations
• Legitimate Interests – where processing is necessary for the legitimate interests of Iprism or the wider insurance market, provided those interests are not overridden by the rights and freedoms of the data subject.

Our legitimate interests include:

• Risk assessment and underwriting
• Fraud prevention and detection
• Claims validation and loss prevention
• Reinsurance and market placement
• Statistical analysis, pricing models, and long-term risk management
• Improving products, services, and operational efficiency

Where legitimate interests are relied upon, appropriate balancing assessments are undertaken to safeguard your client(s)’ rights.

Consent

Iprism does not generally rely on consent to process personal data for core insurance activities, as such processing is necessary for the performance of an insurance contract, compliance with legal obligations, or our legitimate interests.

Where consent is required by law or for optional services, it will be obtained clearly and separately and may be withdrawn at any time, subject to legal or regulatory constraints.

What do we do with your client’s data?

We use your client(s)’s data to determine the premium and terms applicable to the insurance proposal – producing a quotation or range of quotations for the insurance you have asked us to provide. Our systems are designed to ensure that only people directly involved in the insurance chain have access to your client(s)’s data.

In order to complete the proposal, create and maintain the policy or process a claim from your client(s) we may need to share certain parts of the data with other secure data controllers within the insurance industry. We keep such transactions to an absolute minimum and all parties are authorised and regulated to the same standards as ourselves.

We will never pass on your details to other organisations for the purposes of sales or marketing.

How long do we keep your client’s data?

We keep the data indefinitely for the purposes of statistical analysis and the tracking of long term liability claims. Access is always restricted to the essential people in your insurance chain.

Where data is used for statistical analysis (e.g. loss ratios, claims or pricing analysis), it is processed under our legitimate interests and is aggregated and anonymised wherever possible.

Security, storage and access to your client’s data

We store all the data in the UK in encrypted form on equipment we fully own and control. Access to the data is strictly controlled by layers of security and our infrastructure and applications are regularly subjected to penetration testing by third party data security professionals.

Managing your client’s information (including Subject Access Requests)

Your client(s) is/are perfectly within their rights to ask us whether we hold information about them and if so, for us to give your client(s) certain details about that information and/or the information itself. This right is commonly known as a Subject Access Request. Certain exemptions and conditions apply to this right, principally that it should be in writing and that you give us reasonable details about the information required.

We will respond to all such requests, having first verified your identity. If the request is of a complex, vexatious and/or repetitive nature, we reserve the right to make a charge for fulfilling the request which will be purely based on the administrative overhead involved your Subject Access Request.

We reserve the right to refuse to comply with any enquiries or requests we receive about the information we collect, where we may lawfully do so. For example, if we have reason to believe that a request is malicious, technically impossible, involves disproportionate effort or could be harmful to others.

Your client’s Right for Rectification

To reduce the chances of an error or misunderstanding, we need to keep the information we gather about your client(s) accurate and up-to-date. If you or your client(s) have reason to believe any of the information we hold about your client(s) is inaccurate, you can request for it to be rectified.

Your client’s Right to Erasure

If your client(s) withdraw their lawful basis where applicable, terminate a contract with us or believe the personal information is no longer necessary for the purposes for which it was collected, your client(s) may request the data to be deleted.

If your client(s) exercise their Right to Erasure we will securely erase the personal data from our systems in an appropriate timeframe and manner. However, this will need to be balanced against other factors, for example there may be certain regulatory obligations which mean we cannot comply with your request.

Right to Object

Where we process personal data based on legitimate interests, your client(s) have the right to object. We will consider any objection and cease processing unless we can demonstrate compelling legitimate grounds or the processing is required for legal reasons.

Further information about your client’s Privacy Rights

You can find more general information about your client(s)’s rights on the website of the Information Commissioner’s Office (ICO) who regulate data protection and privacy matters in the UK.

If you are still unclear about the information we might hold on your client(s), what we use it for, their Privacy Rights or if you wish to make a complaint you can email us at complaints@iprism.co.uk.

Updates to this Privacy Notice

We review the ways in which we use your client(s) information regularly and in doing so, we may change what kind of information we collect, how we store it, who we share it with and how we act on it. Consequently, we will need to change this Privacy Notice from time to time to keep it accurate and up-to-date.

Iprism reserves the right to change this Privacy Notice in line with regulatory requirements and a link to this page is available from the policy wording. That way, you can check to see if you and your client(s) are still happy and if, following any changes, we do not hear to the contrary, we will assume that you agree to those changes.

For any queries relating to Iprism’s Privacy Notice, please email us at dpo@iprism.co.uk