January 1, 2004 by Craig Harris
By now, most people have heard of the Personal Information Protection and Electronic Documents Act (PIPEDA). Or have they? PIPEDA, or Bill C-6, first came into effect in January 2001, applying initially to federally regulated businesses such as banks and telecommunication companies. As of January 1, 2004, the sweeping but vague legislation extends to all private sector organizations that collect, use or disclose personal information in the course of commercial activity.
Some hold that the build-up to PIPEDA compliance comes close to the hype around the millennium bug. “We are prepared, but we don’t want this to become a Y2K situation, where entire industries thrive on people’s fear,” says Dan Danyluk, chief executive officer of the Insurance Brokers Association of Canada (IBAC).
As Vivian Bercovici, vice president of legal and public affairs at the Dominion of Canada General Insurance Co., states, “PIPEDA was not designed to put anyone out of business. It is instead an opportunity for us to sharpen our information handling practices.”
And yet several observers are surprised by the lack of awareness and misunderstanding around PIPEDA. Ian Turnbull, director of the Canadian Privacy Institute, a consulting group specializing in compliance and business-related issues, says “I also compare this to Y2K, but the main difference is that everyone over five-years-old was aware of the date change. I think there are still a lot of people who have never even heard of PIPEDA.”
“I’m quite surprised there is still significant ignorance out there about PIPEDA, but not necessarily in the insurance industry,” says Keith Edwards, director of adjusting firm McLarens Toplis Canada. “One of our adjusters recently attended a conference with several lawyers and other professionals presenting. When someone asked the panel about PIPEDA, there were more than a few blank looks.”
One poll done by the e-content institute, an independent research firm, in December 2003 found that 7% of organizations said they were already compliant with PIPEDA, 20% indicated they will be ready January 1, 53% stated they needed to learn more about PIPEDA and 20% responded by asking “What’s PIPEDA?”
Ignorance of the new privacy legislation is difficult to grasp, given that the federal government provided a long preparation period for private sector firms. It is also hard to ignore some major privacy breaches in the financial services industry that have hit the public spotlight.
In January 2003, a computer hard drive containing personal information from clients of the Co-operators Life Insurance Co. disappeared from a contractor’s facility. Sensitive data about pension clients and individual life insurance policyholders were at risk after a computer services supplier, Information Systems Management, reported the drive missing from a secure area at its premises in Regina.
In another incident, old computers from the Bank of Montreal were sold with customer financial information still on their hard drives, including bank balances and credit card numbers. The computers, sold to a 26-year-old North York resident in September 2003, were almost put up for auction on eBay.com. A third-party contractor, Ecosys Canada, had not properly erased the data on the computers.
Incidents like these, particularly those involving technology subcontractors and other third parties, are the ones most likely to cause problems for companies and consumers. One of the gray areas in PIPEDA is “transfer versus disclosure” of information: whether the first party is merely passing information through a third party that processes it on the first party’s behalf, or whether that third party is actually using the data for its own purposes. In either case, under PIPEDA the organization that first collected the information remains accountable for what happens to it, even if a breach is the fault of the third party.
On balance, PIPEDA is neither catastrophic nor insignificant. It is important legislation that will require the industry to rethink several aspects of the way it does business. In a nutshell, the federal law requires organizations to obtain a person’s knowledge and consent whenever they collect, use or disclose his or her personal information, subject to the specific exceptions set out in the Act. If the information is needed for a purpose other than the one originally stated, consent must be obtained for each additional use.
PIPEDA also requires personal information to be properly stored, managed and safeguarded. It grants individuals certain rights, such as accessing their personal information, challenging the accuracy of the information and making a complaint about an organization’s privacy practices. In all, there are 10 principles of privacy outlined in PIPEDA, ranging from accountability to consent to openness to client recourse.
Several sources say the property and casualty insurance industry has a solid track record on privacy protection issues. “If you look at a broker, one of his or her main assets is the book of business. That book is essentially a collection of personal information. Brokers have to be careful about that because it represents their business. And that is why we never do certain things, like sell personal information,” says Danyluk.
The national broker association has developed broker guides for the use of PIPEDA compliance tools, a handbook, model privacy brochure and templates of personal information client agreements and consent forms.
The purpose of the legislation is to ensure that someone is not profiting from the improper use of personal information and that organizations are not being careless about how they collect and disclose data, says Danyluk. “I don’t think either of those apply to brokers, but the process of complying with PIPEDA allows us to pull the stitches a little tighter in terms of our policies and procedures.”
“This industry has always safeguarded personal information carefully,” says Bercovici. “The legislation won’t change things much in that regard, but it will require some review of internal issues among insurance companies, such as staff training, client communication, policies and procedures, a centralized privacy contact for customers – the whole ball of wax.”
Bercovici chaired an Insurance Bureau of Canada (IBC) privacy working group, which developed a model privacy notice. These notices explain to clients a company’s purpose and use for collecting information, and may also provide “implied consent” on the part of customers for routine fact gathering. Several insurers adapted some form of the model notice and sent these to policyholders before January 1. “Knowledgeable consent” is a buzzword in the legislation, meaning that consumers need to know why their information is needed and for what purpose.
“PIPEDA is not overly detailed in telling you what to do; nowhere in the legislation does it state, ‘you have to send this or that out,’” says Bercovici. “But you do have to demonstrate that your organization has procedures in place for the collection, use and disclosure of information.”
Adjusters are similarly prepared for PIPEDA, says Jim Eso, president of the Canadian Independent Adjusters Association (CIAA). “We are fully ready to go, in terms of complying with the legislation,” he says. In addition to sending out regular privacy bulletins to member adjusting firms and updating a members-only section of its website, Eso notes the CIAA has created both claims handling and office management manuals on PIPEDA. It worked with IBC on a joint committee to review claims management practices. A resource document for senior claims personnel is expected this January, detailing several possible scenarios in which the interpretation of PIPEDA may be unclear.
The CIAA has also applied for investigative body status, which grants exemptions from obtaining client consent in specific situations. One of the p&c industry’s initial concerns was whether the legislation could potentially act as a shield for fraudulent and criminal activities. Industry Canada has granted investigative body status to two organizations to date, the Investigative Services Division of the IBC and the Bank Crime Prevention and Investigations Office. CIAA is still awaiting word on its status, and hopes to hear in the next month or two, according to Eso.
There are other gray areas in the privacy legislation. One is the notion of “implied” versus “express” consent. In most standard auto and property insurance forms, there is implied consent – the client agrees to disclose certain information when applying for insurance. But consent is not always clear-cut. For example, for the collection of virtually all health or financial personal information, express consent must be obtained.
“Consent can be open to interpretation,” says Edwards. “We will have to see how the courts calibrate their terms and definitions in interpreting PIPEDA. If the emphasis is on implied consent, we will likely have less stringent rules. If, however, express consent is the standard, there will be more concerns and more work needed.”
Danyluk says that challenges could exist for brokers in areas such as integrated financial services – does consent for one product imply consent for a range of services? Similarly, when adding additional insureds to a policy, is implied or express consent required? “We think there should be a common sense approach,” says Danyluk. “Sometimes, the more forms we require and the more choices consumers have, the more of a challenge it is to ensure compliance and get customers to send their signed documents to us.”
Another issue is the transfer of information within the industry. In p&c insurance, data is routinely moved from broker to insurer to adjuster and even to reinsurer. It will have to be clarified whether these parties are in an “agency” relationship. Edwards makes the analogy of a bank using an external cheque clearing centre: that is an agency relationship, a pure “transfer” of information, rather than a full disclosure to an external third party. If these parties are found not to be in an agency relationship, the rules for sharing personal information across the p&c industry will be much tighter.
But the biggest gap in interpreting PIPEDA may come in the area of claims handling. Edwards says there is not much of an issue in standard first-party losses, but the situation becomes more complicated if there is, for example, a break-and-enter or arson claim where the insurer suspects potential fraud. “In that scenario, adjusters often need to get things like income information, employment records and credit reports,” Edwards says. “That is a lot of information that gets collected and disclosed. Did the adjuster get express and informed consent from the client?”
Edwards says even something as simple as a witness statement, in which someone may be passing along information about the state of another person or event, can be construed as personal information. Each party in the claims context – insureds, claimants and witnesses – has privacy rights in their personal information and every personal information transaction requires consent, or at least an exception to consent found in PIPEDA.
The issue becomes even fuzzier when third-party claims are considered. In many cases, insurers have no contractual relationship with a third party and consent may be difficult to obtain. Third parties also have greater rights to obtain information, particularly if a claim has gone to litigation.
“There are issues related to the disclosure of file material to third party claimants prior to or during litigation,” says Eso. “Some of our member firms have already received requests from third party claimants, who, under PIPEDA, are seeking access to file material. We are working our way through some of these issues.”
Eso adds that another claims concern is PIPEDA’s “grandfathering” of information collected. “For adjusters, we want to know about information that was gathered prior to PIPEDA coming into effect,” he says. “What is the status of that information on our files?”
It is clear that Industry Canada will be reviewing broad or unclear aspects of the legislation when it comes to compliance, a process Eso says has already begun. Another ambiguity is precisely how PIPEDA will interact with other forms of provincial legislation, including privacy laws in Quebec, Alberta and British Columbia. The general rule is that provincial legislation will apply if it is “substantially similar” to PIPEDA. The privacy commissioner has ruled that Quebec’s law is substantially similar, but there has been no statement to date in the case of Alberta or B.C.
Quebec surprised many observers when it filed a court challenge to the constitutionality of PIPEDA in late December. The province has long maintained that the federal statute represents an incursion into exclusive provincial rights. Its legal challenge, which is likely to begin in the Quebec Court of Appeal in 2004, could work its way to the Supreme Court of Canada.
With all the talk about interpretation, compliance and internal procedures, breaches of PIPEDA could come down to the simple factor of human error – someone forgetting to shred paper documents or neglecting to “scrub” data from an old computer hard drive.
In these cases, it will be up to the federal privacy commissioner to decide if an audit of company practices is necessary. Jennifer Stoddart, former Quebec privacy commissioner, is the new federal privacy commissioner, following the public resignation of George Radwanski last year amidst allegations of over-spending and questionable activities. Stoddart, who has a reputation as an activist commissioner, can conduct an investigation and issue a public finding about a certain company. But the commissioner’s office has no binding authority or capacity to set punitive measures. It can, however, refer matters to the Federal Court of Canada, which can issue fines up to $100,000 and other penalties.
While these enforcement options are real, observers such as Ian Turnbull argue that treating the legislation strictly as a compliance exercise may cost private sector firms business opportunities, or their reputation. A recent Harris Interactive poll for the Privacy and American Business Study suggests there is a growing public intolerance for privacy violations. The survey found that even among customers who had no intention of revealing personal information to a business, 83% would take their business elsewhere if the business were found to have improperly used personal information. Turnbull says it is dangerous for companies to look at privacy protection as merely a regulatory issue.
“Those companies thinking of opting out or doing the bare minimum may be setting themselves up as targets,” he says. “PIPEDA is a complaints-driven process and every complaint, no matter how trivial, needs to be investigated. This has to be seen as a business issue and the fallout could be in the areas of lost clients or a tarnished public image.”