Last Updated: November 2025
Data Privacy Policy
Introduction
RPSA Ltd (trading as RPS Associates) (“we”, “us”, “our”) is committed to protecting the privacy and security of personal data.
This policy explains how we handle personal data when acting as a data processor for insurer clients (the “data controllers”) in connection with insurance claims processing, investigation, and administration services.
We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable UK data protection laws.
Our Role as a Data Processor
We act as a data processor, meaning we process personal data on behalf of insurance companies or intermediaries (our clients).
We only process personal data:
- Under documented instructions from the client;
- For specified and lawful purposes;
- In accordance with the terms of our Data Processing Agreement (DPA) and applicable law.
We do not determine the purposes or means of processing personal data for insurance claims.
Types of Personal Data We Process
The personal data we process on behalf of clients may include (depending on the nature of the claim):
- Identity Data: full name, date of birth, policy number, national insurance number, and identification documents.
- Contact Data: address, phone number, and email address.
- Claim Data: details of insurance claims, policy coverage and claim status.
- Financial Data: bank account details, payment history, and transaction records.
- Incident Data: accident reports, loss details, damage assessments, and supporting evidence.
- Special Category Data: medical records, health information, or criminal conviction data (where relevant to a claim).
All special category and criminal conviction data are processed only when strictly necessary and under appropriate safeguards, as required under Articles 9 and 10 of UK GDPR and Schedule 1 of the Data Protection Act 2018.
How We Collect and Receive Data
We receive personal data:
- Directly from our insurance clients and their policyholders;
- From third parties involved in the claims process (e.g. repairers, medical experts, surveyors, solicitors, or law enforcement);
- From publicly available or verified sources when required to validate claims.
Purposes of Processing
We process personal data solely for the purpose of:
- Administering, managing, and assessing insurance claims;
- Conducting fraud prevention, verification, and compliance checks;
- Supporting client reporting, audit, and regulatory requirements;
- Providing customer support on behalf of clients;
- Performing contractual and technical services (e.g. claims data management, document storage, or analytics).
We do not use or share the data for marketing or unrelated purposes.
Data Security
We apply appropriate technical and organisational security measures to ensure confidentiality, integrity, and availability of personal data.
These include:
- Secure data centres and encrypted data storage;
- Controlled system access and authentication procedures;
- Encryption of data in transit and at rest;
- Regular vulnerability testing and security audits;
- Confidentiality agreements and data protection training for all employees.
Sub-Processors
We may engage sub-processors (third-party service providers) to assist in processing activities, such as IT hosting, document management, or secure communications.
We ensure that:
- All sub-processors are bound by written contracts containing data protection obligations equivalent to ours;
- Clients are informed of, and may object to, the use of specific sub-processors where required;
- Sub-processors process personal data only under our instructions.
A current list of sub-processors can be provided upon request.
International Data Transfers
We primarily process and store personal data within the United Kingdom.
If data must be transferred outside the UK (for example, to a service provider in another country), we ensure that appropriate safeguards are in place, such as:
- UK-approved Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs); or
- Transfers to countries with a UK adequacy decision.
Data Retention and Deletion
We retain personal data only:
- For as long as necessary to fulfil the contractual services to the client;
- As instructed by the data controller; or
- As required by legal, regulatory, or professional obligations (e.g. for insurance or financial recordkeeping).
Upon termination of services or written instruction, we will securely delete or return all personal data to the controller, unless retention is legally required.
Data Subject Rights
As a data processor, we do not respond directly to data subject requests (e.g. access, correction, deletion). If we receive such a request, we will promptly notify the relevant data controller so they can fulfil their obligations under the UK GDPR.
If we act as a controller for limited purposes (e.g. business contact data), we will handle such requests directly in accordance with the law.
Data Breach Management
In the event of a personal data breach, we will:
- Take immediate steps to contain and mitigate the breach;
- Notify the relevant data controller without undue delay;
- Provide full cooperation and information to support the controller’s investigation and notification obligations to the ICO or affected individuals.
Accountability and Training
We maintain detailed records of processing activities under Article 30 of UK GDPR and implement data protection by design and by default across our systems.
All employees handling insurance data receive mandatory training on data protection, confidentiality, and claims-handling ethics.
Our Role as a Data Controller
In limited situations, we act as a data controller (e.g. for employee records, supplier management, or client business contact information).
In these cases, we process personal data lawfully, fairly, and transparently, and provide privacy information to those affected.
Contact Information
For any questions or concerns regarding this policy or our data protection practices, please contact:
Data Protection Officer (DPO)
Ricky Pandya
RPS Associates
PO Box 12185, Brentwood, Essex CM14 9AW
Email: rp@rpsassociates.co.uk
Telephone: 01277 523222
If you believe that your personal data has been handled improperly, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Website: www.ico.org.uk
Policy Review
We review and update this Data Privacy Policy at least annually, or sooner if there are significant changes to our processing activities, data protection law, or client requirements.
Contact RPS Associates
RPS Associates is a trading style of RPSA Ltd, registered with Companies House UK, registration number 5841692.