Canadian Underwriter
Feature

Privacy legislation: INDUSTRY COMPLIANCE


May 1, 2001   by Carole Machtinger, chief privacy officer of Insurance Informatio



New marketing technologies and rising consumer concern about “information exploitation” by financial service providers have created a challenge for the insurance industry. Faced with new federal legislation under Bill C-6, which affords information protection to individuals, insurers and their financial services counterparts will have to comply with specific legal requirements by set target dates over the coming years. What does this mean for insurers, and for organizations such as the IICC, which compiles critical claims research data for the industry? In response, the IICC has embarked on an extensive project to ensure early compliance and to advise its members on establishing “best practices” within their operations toward that end.

The new Federal Privacy Act (Bill C-6) required all federally regulated companies engaged in the selling/bartering of personal information to meet basic data privacy protection measures from the beginning of this year. The legislation will also require that all “personal health information” be protected by the beginning of 2002.

In general, the insurance industry has until January 2004 to meet compliance. At this point, the new legislation will apply to all commercial activities involving flows of personal information, even within a province, unless the province has substantially similar legislation. Although most insurers already subscribe to the Insurance Bureau of Canada’s (IBC) privacy code, all within the industry should take this “window of time” to clearly and publicly demonstrate their privacy policies and procedures. In this regard, the Insurance Information Centre of Canada (IICC) has undertaken its own privacy compliance process.

Broad definition

Personal information is not specifically defined in Bill C-6, but is described as information about an identifiable individual. In simple terms, this could mean a person’s name, address, birth date and even driver’s license number. However, in examining the meaning of “about an identifiable individual”, we must consider other pieces of information which, on their own, are not personal at all, but combined with other information can identify an individual.

Consider the following example. As the industry’s prime data source, the IICC collects insurance policy numbers and claims numbers from insurers. Although it is possible that the linking of a policy number with other information could produce information that is undoubtedly personal (e.g. name and address), the policy number by itself does not identify an individual. Except for some limited cases, IICC does not have other information in its possession that would allow it to link the policy number to obtain information that is personal. IICC may ask an insurer to verify or correct data fields and identify an incorrect transaction by its reported policy number, but IICC’s policies and procedures restrict this communication to verification of the described data fields and for no other purpose.

IICC role

IICC has a longstanding role as the collector and analyzer of insurance information and is the statistical agent for automobile insurance in provinces where insurance is provided by the private sector, and for commercial liability insurance in Ontario. IICC collects more than 200 million transactions annually from insurers. In some cases, this policy and claims data contains personal information. IICC uses this data to compile statistical information (i.e. aggregated and anonymous information) that can be used by insurers and regulators. IICC also uses and discloses data, including personal information, to insurers, government and organizations such as the investigative services division (ISD) of the IBC, and other authorized insurance service providers. It is also involved in partnerships with government agencies. This information is used to set rates, settle claims, enforce the law, detect and prevent insurance fraud, identify uninsured vehicles and improve public safety.

Although the information that IICC handles flows across provincial and sometimes international borders, IICC’s services could be considered part of the commercial process of providing insurance to the public. Even though the new privacy requirements do not apply to such commercial activities until 2004, IICC decided to respond as if they were applicable in January 2001.

Except in limited situations, such as the administration of the “Canadian Standard for Vehicle Theft Deterrent Systems”, IICC does not deal directly with the public in the collection, use and disclosure of information. Uses or disclosures of personal information by IICC must conform to insurers’ and IICC’s defined purposes. IICC confirmed that its members understood and consented to the nature of their interactions with IICC by sending a CEO bulletin to all its customers last November.

Industry compliance

Insurers, brokers and adjusters should become familiar with the regulatory requirements of the new privacy legislation and establish a privacy policy as a common reference point for everyone in their organizations. The policy should address the fundamental principles of accountability, identifying purposes, consent, limiting collection, use, disclosure and retention, accuracy, safeguards, openness, individual access and challenging compliance. Remember that privacy is more than security – although security is an important element of privacy. It is therefore critical that a well-defined information and system security policy is in place. A secure firewall may prevent an intruder from penetrating your system, but it does not prevent your own staff from misusing personal information. More than two-thirds of security and privacy breaches are “inside jobs”.

Taking steps

There are several legal compliance steps that should be taken:

Privacy audit. All insurers, brokers and adjusters should perform a privacy audit in preparation for developing privacy policies and procedures, examining how your organization collects, uses and discloses personal information. The audit should assess current and future business practices, products and services, and all the ways information is handled – including paper files, “old technology” or legacy systems, websites, e-business transactions and call centers. The audit should include answers to questions such as:

What personal information is being collected and why?

How is it obtained – directly from the customer or from third parties?

How is it used? Who has access and why?

How is consent obtained?

What security safeguards exist for protecting personal information?

“In the course of conducting business, personal information is shared between insurers, brokers and adjusters, so each must ensure it is compliant with the legislation in order for the industry to be compliant,” says Steven Lingard, senior counsel with the IBC. “It’s important to make sure there’s no disconnect among those involved in the insurance service.”

Privacy team. The key to successful implementation of a privacy plan is commitment at the highest levels of the organization. A team consisting of senior managers such as vice presidents of claims, underwriting and marketing should be designated to develop privacy policies and oversee the audit.

Brokers and adjusters should develop policies and procedures in consultation with their insurance companies. Insurers may decide to have written agreements that specify how their brokers and adjusters will handle personal information because if personal information is mishandled, the new legislation says that the company is responsible.

“If a company or broker is privacy compliant before 2004, that fact could be used as a competitive edge over those who haven’t completed the process and can’t offer the assurance of privacy protection to their customers,” Lingard notes.

Chief privacy officer. Each insurer must designate a chief privacy officer (CPO) from its management team who is accountable for implementing the organization’s privacy policy. The CPO will play a vital role in resolving future issues of how personal information will be used and disclosed. Ideally, the CPO should not be responsible for the organization’s technology, or for selling its products or services, but rather have an oversight role.

Communication materials. Prepare customer and public communication materials, such as a privacy brochure, to help those who want access to the personal information you have about them. Publish a summary of your privacy policy on your website. It is important for the industry to be seen to be accessible about privacy issues.

Employee training. In the case of the IICC, a corporate privacy charter has been finalized and integrated into a code of conduct, which is being signed by all employees and contract staff. All employees have attended training on the policy.

Future trends. Finally, in examining the implications of privacy legislation, the industry must look ahead at emerging trends and address them proactively.
