Marsh Limited (Marsh), a business of Marsh & McLennan Companies, Inc. (MMC), strives to protect the privacy and the confidentiality of Personal Data that the company processes in connection with the services it provides to clients and individuals’ use of the Marsh websites. Marsh’s services consist primarily of risk consulting and insurance broking, which enable the consideration of, access to, administration of, and making of claims on, insurance. We may also act as a chartered loss adjuster, through our Hamilton Bond business, providing claims consulting and claims management services.
To arrange insurance cover and handle insurance claims, Marsh and other participants in the insurance industry are required to use and share Personal Data. For an overview of how and why the insurance industry is required to use and share Personal Data please see the Insurance Market Core Uses Information Notice hosted on the website of a UK insurance industry association, the Lloyd’s Market Association (the LMA Notice). Marsh’s use of Personal Data is consistent with the LMA Notice.
During the insurance lifecycle Marsh will receive Personal Data relating to potential or actual policyholders, beneficiaries under a policy, its clients, where applicable, its clients’ employees and representatives, their family members, claimants and other parties involved in a claim. Therefore references to “individuals” in this notice include any living person from the preceding list, whose Personal Data Marsh receives in connection with the services it provides under its engagements with its clients. This notice sets out Marsh’s uses of this Personal Data and the disclosures it makes to other insurance market participants and other third parties.
Identity of Controller and Contact Details
Marsh Limited of 1 Tower Place West, Tower Place, London EC3R 5BU (Marsh or We) is the controller in respect of the Personal Data it receives in connection with the services provided under the relevant engagement with its client.
Personal Information that We Process
We collect and process the following Personal Data:
- Individual details: name, address (and proof of address), other contact details (e.g. email and telephone details), gender, marital status, family details, date and place of birth, employer, job title and employment history, relationship to the policyholder, insured, beneficiary or claimant, images;
- Identification details: identification numbers issued by government bodies or agencies (e.g. depending on the country you are in, social security or national insurance number, passport number, ID number, tax identification number, driver’s licence number);
- Financial information: payment card number, bank account number and account details, income and other financial information;
- Insured risk: information about the insured risk, which contains Personal Data and may include, only to the extent relevant to the risk being insured:
  - Health data: current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g. smoking or consumption of alcohol), prescription information, medical history;
  - Criminal records data: criminal convictions, including driving offences; and
  - Other special categories of Personal Data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning an individual’s sex life or sexual orientation;
- Policy information: information about the quotes individuals receive and the policies they obtain;
- Credit and anti-fraud data: credit history and credit score, information about fraud convictions, allegations of crimes and sanctions details received from various anti-fraud and sanctions databases, regulators or law enforcement agencies;
- Previous claims: information about previous claims, which may include health data, criminal records data and other special categories of Personal Data (as described in the Insured Risk definition above);
- Current claims: information about current claims, which may include health data, criminal records data and other special categories of Personal Data (as described in the Insured Risk definition above);
- Marketing data: whether or not the individual has consented to receive marketing from us and/or from third parties and/or their marketing preferences; and
- Website and communication usage: details of your visits to our websites and information collected through cookies and other tracking technologies, including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.
Where we collect such information directly from individuals, we will inform them of whether the information is required and the consequences of not providing it on the relevant form.
Sources of Personal Data
We collect and receive Personal Data from various sources, including (depending on the service we are seeking to or are providing and country you are in):
- Individuals and their family members, online, face to face, or by telephone, or in written correspondence, including where information is submitted on your behalf (where the person submitting has your permission to do so);
- Individuals’ employers or trade or professional associations of which they are a member;
- In the event of a claim, third parties including the other party to the claim (claimant/defendant), witnesses, experts (including medical experts), loss adjusters, lawyers and claims handlers;
- Other insurance market participants, such as insurers, reinsurers, appointed loss adjusters and other intermediaries;
- Credit reference agencies (to the extent Marsh is taking any credit risk);
- Anti-fraud databases and other third party databases, including sanctions lists;
- Government agencies, such as vehicle registration authorities and tax authorities;
- Claim forms;
- Open electoral registers and other publicly available information;
- Business information and research tools;
- Selected third parties who provide us with details of potential customers;
- Third parties who introduce business to us; and
- Forms on our website and your interactions with our website (please also see our Cookie Notice).
How We Use and Disclose Your Personal Data
In this section, we set out the purposes for which we use Personal Data, explain how we share the information, and identify the “legal grounds” on which we rely to process the information.
These “legal grounds” are set out in the General Data Protection Regulation (the GDPR) and the UK Data Protection Act 2018, which allow companies to process Personal Data only when the processing is permitted by the specific “legal grounds” set out in the GDPR (the full description of each of the grounds can be found in the Appendix below).
Read our Purpose of Processing (PDF)
- Establishing a client relationship, including fraud, anti-money laundering and sanctions checks
- Checking credit where we are taking any credit risk
- Evaluating the risks to be covered and matching to appropriate insurer, policy and premium
- General client care, including communicating with clients
- Collection or refunding of premiums, paying on claims, processing and facilitating other payments
- Facilitating premium finance arrangements
- Managing insurance claims and recovering payments on behalf of clients
- Valuation of claims, including arranging visits to assess relevant claims
- Defending or prosecuting legal claims
- Investigating and prosecuting fraud or possible criminal offences
- Contacting you in order to arrange the renewal of the insurance policy
Throughout the insurance lifecycle
- Marketing analytics, sending marketing materials and communications including data de-identification and/or aggregation
- Carrying out customer satisfaction surveys and market research
- Transferring books of business, company sales and reorganisations
- General risk modelling
- Analytics include the de-identification of personal data for the purposes of analytics
- Complying with our legal or regulatory obligations
- General client care, including communications with clients
- General risk modelling in the context of our consultancy services in order to evaluate risks and provide advice
- Analysis as part of the specific consultancy advice
- Complying with our legal or regulatory obligations in the context of our consultancy business
Government support and compensation schemes
- To administer Government schemes, assess eligibility and on-board participants and handle claims for compensation
- To communicate with you regarding any queries you raise via the website
- To monitor your interaction with the website to ensure service quality, compliance with procedures and to combat fraud
- To ensure the website content is relevant and presented in the most effective manner for you and your device
- To enable you to participate in any competition, prize draw or promotional marketing event
Please note that in addition to the disclosures we have identified in this table, we will disclose Personal Data for the purposes we explain in this notice to service providers, contractors, advisers, agents and MMC group companies that perform activities on our behalf.
Special Categories of Personal Data and Criminal Data
When we collect, use or disclose to third parties (such as insurers, intermediaries and reinsurers) Special Categories of Personal Data and Criminal Records Data for the reasons set out in the table above and for profiling as set out in the next section, we typically do so for reasons of substantial public interests, namely because it is necessary for the wide range of insurance-related activities that we undertake or because it is necessary for fraud prevention purposes.
Where we collect, use or disclose Special Categories of Personal Data in the administration of a UK Government scheme to provide compensation to industries affected by the COVID-19 pandemic, we may do so for reasons of substantial public interests insofar as it is necessary for government purposes.
Before you provide us with Special Categories of Personal Data and Criminal Records Data about a person other than yourself, you agree to notify such person of our use of their Personal Data and, if requested by us, to obtain their consent to our use of their Special Categories of Personal Data and Criminal Records Data (for example, by requiring the individual to sign a consent form).
Profiling and Automated Decision Making
Insurance premiums are calculated by insurance market participants benchmarking clients’ and beneficiaries’ attributes as against other clients’ and beneficiaries’ attributes and propensities for insured events to occur. This benchmarking requires Marsh and other insurance market participants to analyse and compile information received from all insureds, beneficiaries or claimants to model such propensities. Accordingly, we may use Personal Data to both match against the information in the models and to create the models that determine the premium pricing in general and for other insureds. Marsh and other insurance market participants may use special categories of Personal Data and criminal records data for such modelling to the extent it is relevant, such as medical history for life insurance or past motor vehicle convictions for motor insurance.
Marsh and other insurance market participants use similar predictive techniques to assess information that clients and individuals provide to understand fraud patterns, the probability of future losses actually occurring in claims scenarios, and as set out below. To do this, we may use Personal Data we receive from clients to match against information in the models that we have created based on the behaviour of other individuals with similar attributes and to create further models.
We use these models only for the purposes listed in this Privacy Notice. In most cases, our staff make decisions based on the models.
Automated Broking Platform
These partially automated processes may result in a client not being offered insurance or affect the price or terms of the insurance.
Clients may request that we provide information about the decision-making methodology and ask us to verify that the automated decision has been made correctly. We may reject the request, as permitted by applicable law, including when providing the information would result in a disclosure of a trade secret or would interfere with the prevention or detection of fraud or other crime. However, generally in these circumstances we will verify that the algorithm and source data are functioning as anticipated without error or bias.
We may use your Personal Data to provide you with information about products or services which we think would be of interest to you. We may also share your Personal Data with other companies in the MMC group so that they can provide you with information about their products and services. These may be sent by email or post or, in some circumstances, we may telephone you to explain this information to you.
Within the MMC group we operate under a number of brands and you may receive such communications from the following of our trading names: