Federal Privacy Legislation Countdown Begins

With provincial privacy legislation stalled, insurers must prepare for the federal act to come into force at the beginning of 2004, notes David Young of Lang Michener in a recent presentation to the Canadian Insurance Accountants Association (CIAA) in Toronto.

That said, there are many “gray areas” still to be worked out in terms of what will constitute personal information for the purposes of the act. “In effect, it doesn’t apply to business information,” says Young, and credit scores have also been exempted. However, most of the information on a personal insurance application would fall under the rules for collection, use and disclosure of personal information.

Companies will have to determine if existing policies sufficiently outline why information is being collected and how it will be used so that informed consent can be given by the insured. They will also have to address how long they can hold onto this information in the future. In terms of claims, one of the most tenuous areas, he recommends insurers cover their bases by gaining consent in both the original disclosure statement with the policy, and a more comprehensive statement when the claim is filed.

Among the first steps insurers should look at are designating a “privacy officer” within the company and establishing a privacy working group that represents areas such as claims and underwriting. Setting up a privacy code is only the beginning, and companies can look to the 2002 annual report by the privacy commissioner as a guide to problems encountered by those already subject to the act.