September 30, 2007 by Craig Harris
Hardly a month goes by without a news report of a major privacy breach at a retailer, bank or even insurance firm. There have been several high-profile cases of privacy violations ranging from the organized and targeted — such as hacking retailer computer systems to obtain credit card numbers — to the merely sloppy and negligent — such as old customer files found in garbage bins or on used computer hard drives. Clearly, companies want to stay out of the headlines, but these situations show that major privacy breaches can and do occur.
“If anybody thinks in this day and age they can dispose of old claims files in the dumpster, they are sure to end up on the front page of a newspaper,” Jim Eso, chairman of the Canadian Independent Adjusters’ Association (CIAA) privacy committee, says. He cites a recent example in the U.S. of an adjusting firm that did not properly destroy old claims files due to a miscommunication with its cleaning company. Sure enough, the files were found and the story ended up on CNN.
Confusion surrounding privacy
With the heightened media attention on protection of personal information and consumer concerns about identity theft, it is no surprise that insurance adjusters and companies were somewhat skittish when federal privacy legislation came into effect Jan. 1, 2004 for all private sector firms. In fact, some say the application of the Personal Information Protection and Electronic Documents Act (PIPEDA) caused overreaction and confusion in an industry with a solid history of safeguarding privacy.
“In the early going, we were sort of on our heels about this,” Fred Plant, president of the CIAA, says. “With some insurers, they went as much over the top with this as they did with Y2K. Clearly, some companies went overboard.”
Sue Collings, president of the Canadian Association of Special Investigations Units (CASIU) noted companies were concerned about sharing any information with others.
“When it (PIPEDA) first came out, everyone panicked, as in ‘don’t share anything with anybody,'” Collings says. “It was almost like companies were saying, ‘we are now a steel vault and we can’t release anything under any circumstances.'”
Since then, many industry sources say things have settled down as adjusters and insurers become familiar with the legislation and have adopted a practical approach to protecting personal information. The message for many seems to be calm down, understand the legislation and develop common sense procedures to ensure privacy rules are followed.
“There has to be a good balance between protecting privacy rights and allowing business to proceed,” Eso says. “We knew that right from the start of PIPEDA a big challenge was going to be to continuing to be able to manage business, not just claims, but how it applies to our company operations as well. And we have encouraged members to find that balance.”
CIAA privacy manual
That is exactly what CIAA has done for its members, according to Eso. It developed a privacy manual through its privacy committee for all members and created standard consent forms in dealing with claimants. The committee also looks at broad privacy issues that may be of interest to members and consults with the relevant privacy commissioners if clarification is required. For example, the initial model consent form was amended after it was discovered that it asked for information on both property and injury claims — potentially gathering information that was too broad for the stated purpose. Now, there is a separate consent form for property and injury claims.
“A lot of CIAA member firms are smaller operations and they have made good use of both our privacy manual and our consent forms,” Eso says. “However, we do caution that the privacy committee of CIAA is not a substitute for each member’s requirement to meet their obligations under privacy legislation.”
Investigative body status
On balance, PIPEDA is neither catastrophic nor insignificant. It is important legislation that requires the industry to rethink several aspects of the way it does business. In a nutshell, the federal law requires organizations to ask a person’s permission anytime they collect, use or share his or her personal information. If the information is needed for a use other than the originally stated purpose, permission must be obtained for each additional use.
PIPEDA also requires personal information to be properly stored, managed and safeguarded. It grants individuals certain rights, such as accessing their personal information, challenging the accuracy of the information and making a complaint about an organization’s privacy practices. In all, there are ten principles of privacy outlined in PIPEDA, ranging from accountability to consent to openness to client recourse.
There are still, however, areas of confusion or lack of consensus related to privacy legislation, such as how insurers and adjusters should handle investigative body status, video surveillance, third party claims and access to information.
Federal privacy legislation contains a section that sets out the allowed exceptions to the general consent rule, known as Section 7. Disclosure of personal information can be made without consent under Section 7(3) (h.2) if it is “made by an investigative body for reasonable purposes related to investigation of breach of an agreement or the laws of Canada or a province.” In other words, those with “investigative body” status can disclose personal information without consent in the case of, for example, a fraud investigation.
As of Mar. 31, 2004, independent adjusters were designated investigative bodies as a “class,” meaning that to qualify adjusters had to be incorporated or operate as a partnership and be licensed pursuant to their enabling legislation. Investigative body status was also extended to private investigators and insurance company claims and special investigation units, with certain qualifications.
For insurance companies, there is some misunderstanding of the implications of investigative body status, according to Norman Groot, a lawyer with Warren McKay Groot and counsel for CASIU and the Council of Private Investigators.
“Insurers are generally working well on the consent side of personal information transfers,” Groot says. “It is the non-consent, reliance on section 7 and the investigative body designation that need attention.”
Collings concurs there are several shortcomings to how insurance companies have interpreted this section of the legislation.
“I could go to another company, demonstrate in writing why I need that information, indicate that I have investigative body status, and they still say ‘no, I am not going to give you anything.’ In other words, they overreact,” she says. “If you are investigating fraud, you have the grounds to get specific information related to that purpose.”
Groot notes this must be done in a certain way.
“Insurers should be sending formal request letters to each other when they are seeking to transfer the personal information of an individual without that individual’s consent,” he says. “The letter should state the grounds for their reliance on the s.7 investigative body status, the name of the individual, and the names of the insurer requestor and the insurer disclosing. Ideally, the person collect
ing and the person disclosing are on designated investigative body lists held by the vice president of claims of the respective insurers.”
These steps are not necessarily being taken, which should be a cause for concern amongst senior managers of insurance companies, according to Groot.
“My own experience and the information I have received from the industry is that insurers have not implemented creating formal investigative body lists within their organizations, such as is done in the banking industry,” he says. “This remains the message I continue to broadcast to the industry.”
Applicability of provincial or federal jurisdiction
Another wrinkle in privacy legislation, as it relates to investigation, is the applicability of provincial or federal jurisdiction. The general rule is that existing provincial privacy legislation will apply if it is “substantially similar” to PIPEDA. The federal government has ruled privacy legislation in Alberta, British Columbia and Quebec is substantially similar. However, there is no “investigative body” status assigned in provincial legislation. Instead, the right to investigate and disclose non-consent information is put in the provincial legislation by the type of matter being investigated, not by the person doing the investigation.
Insurance Bureau of Canada (IBC) is in favour of scrapping the investigative body status designation and adopting the approach taken by Alberta and British Columbia. The association filed its recommendation to a statutory review of PIPEDA conducted by MP Tom Wappel. A report issued by the Standing Committee of the House of Commons on Access to Information, Privacy and Ethics in May 2007 recommended that PIPEDA be amended to replace investigative body designation with a definition of “investigation” similar to that found in Alberta’s and British Columbia’s privacy legislation. The recommendation is pending the outcome of the full PIPEDA review.
For adjusters, Eso says that “we are not seeing a lot of use of the investigative body status. Our impression is that the category of investigative body became quite watered down due to the sheer volume of applications.” To date, there about 75 bodies with investigative status.
Gathering evidence using video surveillance
Another issue involving PIPEDA and privacy issues is video surveillance, a tool for gathering information that is frequently used by adjusters, insurers and private investigators. Federal privacy commissioner Jennifer Stoddart has ruled that videotaping a person is a collection of his or her personal information for the purposes of PIPEDA. Thus, the usual rule for obtaining consent for all collections of personal information applies, unless there is an exception in section 7.
Since gathering of consent for video surveillance would defeat the purpose of using it for an investigation, many adjusters and insurers have taken a more measured approach to using it. Courts have generally seemed to favour the reasonable use of video surveillance through decisions in several cases.
In Ferenczy v. MCI Medical Clinics (2004), a private investigator was used to gather information by video surveillance. The plaintiff commenced an action against her doctor for medical malpractice in the treatment of removing a cyst form her wrist. The defendant sought to admit video surveillance evidence showing the plaintiff holding a cup of coffee for a period of time in her left hand. Ontario Superior Court Justice Dawson ruled the surveillance tape could be admitted and that is was relevant evidence.
In doing so, the Justice followed several interesting lines of reasoning in his judgment. First, he held that the videotaping was not a commercial activity because the private investigator was an agent of the doctor who was collecting information to defend himself against the lawsuit. PIPEDA applies to commercial activity only.
“Clearly, the federal privacy law applies between an insurance company and its insured in, for example, a disability policy or a property policy because there is a direct commercial relationship,” Fraser says. “However, it is not clear if PIPEDA applies at all in the third party claims process. In a third party claim, the heart of the matter is the relationship between someone who is allegedly injured and somebody they are suing. The person being sued represents the insurance company, but the relationship between the plaintiff and the defendant is not a commercial one.”
Justice Dawson also determined that even if PIPEDA did apply, the plaintiff had given implied consent to the collection of personal information by starting a lawsuit. And finally even if there was no implied consent, the exception provisions under PIPEDA applied, which permitted the collection of personal information without consent if “for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.”
Another case, Milner v. Manufacturers Life Insurance Co., also related to videotape evidence and was heard by the Supreme Court of British Columbia in 2005. The plaintiff allegedly suffered from chronic fatigue syndrome, but the defendant, Manulife, contended that Milner was not totally disabled within the meaning of the policy. Manulife authorized video surveillance of Milner in various locations, including her house. The plaintiff claims for aggravated damages for the manner in which Manulife had dealt with her and further damages for the breach of her privacy as a result of video surveillance.
Justice Melnick concluded that Manulife had “a lawful interest in conducting surveillance of Ms. Milner considering the nature of her claim and the credibility issues her conduct raised. Weighing this lawful interest against what is in my opinion Ms. Milner’s reasonable expectation of privacy, I conclude that Ms. Milner was not entitled to an expectation of privacy in the circumstances.”
These (and other unreported) decisions on videotaping seem to fall in favour of insurers’ ability to investigate claims. “The Milner case is helpful for insurers in that it indicates that in certain circumstances, people who commence actions have lowered their expectations of privacy, “Karen Weslowski, an associate with Miller Thomson law firm in Vancouver, says.
Others are not so sure these recent court decisions are benign developments.
“While the insurance industry may have breathed a sigh of relief, for privacy advocates, this decision is likely a cause for concern,” Anne Uteck, an associate in the Law & Technology Institute at Dalhousie University, notes, referring to the Ferenczy decision.
Still others hold there is no “black letter law” that makes these cases precedent-making for all provinces or even to federal or provincial privacy commissioners.
“We don’t have any determinative decision that applies across Canada with respect to all of these matters, and I think some insurance companies have taken the view that, just out of an abundance of caution, they won’t do things like video surveillance,” Fraser notes. “They either want to avoid the risk or they think they cannot do it anymore, other companies are proceeding as though nothing has changed, I can see the rational reason for taking both decisions.”
Fraser says there are some emerging “best practices” in video surveillance for insurer investigations, including only using it when necessary and if other means of gathering information prove fruitless, documenting the reasons for the decision in a claims file and consulting with legal counsel before the decision to videotape.
“I like to think we already were pretty reasonable in how we approached investigations and video surveillance,” Eso says. “As adjusters, I don’t think many of us like to spend private investigation dollars on useless fishing trips. We generally have some suspicion or facts that have come to light that lead to a conclusion that there is genuine information that needs to be documented and will assist in the defence of a claim. And that is
the thrust of what the courts have said.”
Sharing and disclosing of information relating to third parties
Plants says his take on what the courts have said about the collection of information is that PIPEDA legislation was brought in to give people a sense of protection and curb the activities of those who may “unscrupulously” use information gathered for one purpose or another.
“Given that was the end goal of the legislation, the courts have said, ‘okay, as long as we have people that are playing by the rules, we are not going to handcuff them by this legislation, we are going to allow them to do their jobs,'” Plant says. “The Canadian p&c industry is a pretty conservative lot. When you are that conservative and you are pushed back into the corner a bit further by legislation, you play by the rules. If legislation says, ‘you should do this nine times,’ we are likely to do it ten.”
Another key issue for claims adjusters and insurers in light of privacy legislation is the sharing and disclosure of information as it relates to third parties.
“One area that has come up is release of statements or items from claims files where personal information of other parties may be revealed,” Eso notes. “If an adjuster takes a statement from someone who witnessed a car accident, that statement might identify personal information about the witness’s friend or driver of the vehicle. In this kind of case, we have to be very cautious about releasing that statement to other parties without first blocking out that information or simply refusing to release it at all.”
There are limitations, however, to the access an individual has to information under the privacy legislation.
“The privacy legislation does give the individual right of access to their own personal information that is in the custody or control of someone engaged in commercial activity,” Fraser notes. “So you have a scenario where a plaintiff says, ‘I want access to your claims files because I have a right under privacy legislation.’ There are some limitations to that, and one is the restriction that you can’t hand over third party information. You have to sever or block it from the record.”
Concerns about requests for access to information are particularly important in light of a trend Fraser says he has witnessed recently.
“We are seeing many people using this (PIPEDA) access as a pre-litigation discovery tool to find out what information an insurance company may have about what happened,” he observes. “The claims examiner’s comments on that claim file may in fact be that person’s personal information. He or she would be able to find out before the litigation has commenced, before hiring a lawyer. Companies need to be mindful of when people are making these access claims, but also of when they are creating these records in the first place.”
Fraser adds another trend he has seen is plaintiffs using privacy legislation as a tool for settlement. “In trying to get a settlement out of an insurance company, sometimes plaintiffs will threaten complaints to the privacy commissioner of Canada as part of their claim. They would look for recovery as part of the settlement in order to get a release with respect to concerns they have under privacy law. It is certainly used as a negotiation tool.”
With all the talk about legal interpretation, compliance and internal procedures, breaches of PIPEDA could come down to the simple factor of human error — someone forgetting to shred paper documents or neglecting to “scrub” data from an old computer hard drive or outsourcing file disposal to a negligent third party contractor.
For Eso, the resulting penalties, fines or even lawsuits of such breaches do not represent the real costs or even represent the proper deterrent for improperly managing personal information.
“The biggest cost is the loss of customer confidence,” he concludes. “If your company is the one on the front page of The Globe and Mail, the cost to your business reputation can be horrendous. That is the message that companies need to hear, this is not about getting slapped on the wrist by the privacy commissioner’s office or getting sued by somebody for releasing confidential information. It is the loss of business reputation that can result. That is the big penalty.”