Privacy under the SPOTLIGHT

The first phase of Bill C-6, the federal government’s Personal Information Protection and Electronic Documents Act, becomes law on January 1, 2001. Only Canada’s Schedule-A banks, wholly regulated companies such as Air Canada and Bell, and data gathering organizations such as Equifax credit reporting which trade in personal information over provincial and international borders must comply. The provisions of privacy legislation will not apply to the insurance industry until 2004, and may be forced to jump several constitutional hurdles over provincial jurisdiction long before then.

“Most property and casualty insurance companies will not be caught by the bill,” says Deirdre Martin, counsel for the Insurance Bureau of Canada (IBC). “This phase deals with company’s selling their data. I don’t know of any insurance company that sells any of its customer data. The nature of the business is you don’t sell your customer lists.”

Nevertheless, the reasoning behind privacy protection is solid. Businesses generally tend to claim ownership of personal information in their databank. It is not. Any personal information belongs to that the individual, even when given to a corporation for a specific purpose. “Companies don’t own information, they are merely the custodians of it,” Martin says, comparing data collection to a warehousing operation. “I rent in your warehouse for my goods. They are still my goods. You have a responsibility to take care of it in terms of our contract, but it’s still my stuff. Data is the same.”

But privacy is a matter of property and civil rights which falls exclusively within provincial jurisdiction Quebec, for example, already has privacy legislation. Other provinces, including Ontario are looking at their options. This opens the door to the potential that Canadian p&c could be overwhelmed by different (and conflicting) sets of privacy legislation. Given the limited territorial scope of Bill C-6, is the federal action an unnecessary intrusion from an insurance standpoint?

Federal bite

“There are certain aspects of the jurisdictional issues that are going to come down on the side of the federal government,” explains Martin. International data exchange is one. Some analysts suggest that it was a European Union directive banning the outflow of information to countries without protection which forced the federal government to act.

“We’ve seen a considerable amount of pressure from the OEDC (Organization of Economically Developed Countries) and international trade bodies on the type of privacy legislation that is going to be acceptable standard,” says Sean Murray, government relations for Co-operators/ Direct Protect.

IBC’s consumer information centers across Canada receive approximately 120,000 calls a year. In 1998, only 500 dealt with privacy and the majority of those were requests for information. Up to 90% of IBC members as measured by premium volume have adopted the Council’s “Model Personal Information Code” giving them a substantial head start toward compliance. Still, this is not time for complacency.

IBC code

“We formerly adopted the IBC code a couple of years ago but there is still a lot more work to be done in making sure the people in the organization understand the legislation,” explains Murray. “In some cases,” she adds, “this means returning to the field and telling people to change the way they gather information. More than anything they need to understand what the standard is going to be and make that adjustment.”

“Complacency is not the issue,” says one industry observer. “Some companies have moved very far down the road. Many companies are not sure what they have to do to comply with this law, or when to comply.” The bill is an extremely complex minefield of unknowns, and will be guided by a regulatory framework that Industry Canada is struggling to define. Even so, it is unlikely that the federal government will review the legislation before 2005, when the insurance industry will spent at least 12 months toiling under its provisions.

Early compliance

“We’re encouraging people to comply with the legislation at the earliest possible time,” Martin adds. “Although insurance companies are not accountable to the law until 2004, in order to bring your information and gathering procedures in compliance with this law you can’t wait until November or December 2003. It’s not going to work.”

Diane Scott, head of corporate communications for CGU agrees. “The document is very complex and it is written in regulatory language. We’re committed to adopting [the legislation] well beyond the required deadline.” Early compliance also makes good business sense. Canadians are becoming more sensitive to privacy issues, fuelled by media interest and the revelation that came about earlier this year that the federal government maintains a national databank containing more than 2,000 pieces of information on each citizen.

Insurers mine a lot of personal information for the purpose of delivering a quote or settling a claim. It’s just as sensitive. “Income and health data is the type of highly personal information that most individuals believe ought not to be shared.”

Canada’s major banks, which will fall under the provisions of Bill C-6 by 2001, are unlikely to hive their insurance subsidiaries while making all other divisions compliant. P&c can expect the banks to use expanded privacy practices as a selling feature. This, along with the first phase of the bill is expected to raise public awareness of privacy issues.

“From a competitive point of view, if the banks are competing with us, they can very well say that insurance companies are not living up to the same standard as we are,” says Murray. “The competitive landscape is going to change with this. We’re going to have to raise to that challenge.”

Open to interpretation

There are, however, legitimate reasons beyond marketing why the insurance industry must demonstrate diligence in the run-up to 2004. There are concerns, for example, that much of the bill is going to be left to the interpretation of the Privacy Commissioner. “A serious flaw with the bill is that a lot is going to be left to interpretation after the fact. With so many terms not defined, that makes it difficult for companies to know just what it is they have to do to comply,” Martin observes.

The centerpiece of Bill C-6 is consent. While there are narrowly defined exceptions (such as the exchange of information for a fraud investigation) insurers will not be able to collect or transfer personal data outside of the province without an individual’s consent.

Does this apply to a national p&c insurer with centralized data collection gathering information from out of province? According to Industry Canada, the answer is ‘no’. Information transferred from one department (or internal database) to another is not considered a transfer as protected by the legislation. The exception would be if the insurer was to transfer information to a subsidiary such as an investment management company, that has an entirely different type of operation. That is a cross-marketing situation that would require expressed consent.

Identifying liability

Other issues are not clear-cut. Where, for example, will liability fall between insurers and the broker channel? Certainly on the direct writing side, most companies will have a more coherent line of responsibility from the field to the head office.

Martin’s best guess is that liability will belong to the insurer, putting greater emphasis on the industry to ensure that front-line brokers are aware of the law. “We are looking at extending our website to include a section on the privacy code and putting it in plain language so that all of our brokers and policyholders can access and understand what is required,” says Scott. “At the moment we are still clearly defining in our own terms what the regulations mean and how we apply it so that everybody is 100% on how information can and cannot be used.”

It is reasonable to expect that in cases of liability that insurers’ broker practices will be placed under a microscope: what atte
mpts were made to ensure that brokers complied with the law, did the insurer provide the broker with a suggested form of consent, did the consent cover everything it needed to cover, including the use of information for the purposes of marketing. “That’s the type of thinking the Commission will be looking at during an audit,” Martin says, adding that liability will not necessarily be a one-way street. “It will be incumbent upon the insurance companies to ensure that the broker is in compliance. But it will also be incumbent on the broker to ensure that the insurance company is also complaint.”

CGU doesn’t anticipate much of a challenge in bringing brokers onside. “Brokers are very proactive in protecting their clients. As the company moves forward and takes care of what we’ve got to do, we’re confident that our brokers will assist in any way that they can,” says Scott.

To assist, the IBC has convened an ad hoc privacy group, including 14 large and small insurance companies, to recommend a standard industry information-gathering model, and draw up a draft form of consent. One of the stumbling blocks may be consent itself. By not defining the term, Bill C-6 has opened the door for written, oral and implied consent. Insurers must be careful, nevertheless.

Remaining practical

Certainly for a broker, an individual asking for a quote is a form of implied consent. So to is an accident victim calling up because their car is damaged. “There’s no serious question regarding consent. It would be a little ridiculous to suggest that your insurer go through a long complicated process before they can ask you a question related to a claim,” Martin points out.

Other situations are not so obvious, especially in cases where injured passengers and third-party witnesses to an accident are involved. “If you ask for the names of those people you are asking for third-party information. But you have to know who you’re talking to before you can elicit information,” Martin comments.

It is an implementation problem that will be sorted out in the regulatory framework expected to hold the legislation together. Industry Canada’s progress to date is mixed. The legislation allows for the collection of publicly available information, but from what sources? While a postal code is publicly available, is it also personal information. Through linked databases, a postal code can become the window on individual names and income levels.

Even more obvious is the telephone directory or information guides which may contain professional names, addresses, emails and fax numbers. With less than three months to go before Bill C-6 becomes law, Martin concedes that a lot of issues such as postal codes have gone unresolved, and corporations have received little guidance from Industry Canada (at the time of writing, Industry Canada was planning to publish draft regulations by the end of September in order to get Royal Ascent prior to January 1, 2000).

The insurance industry’s biggest victory in Bill C-6 was an amendment to permit the exchange of third-party information for the purpose of combating insurance fraud. In its original form, the bill left the industry handcuffed. Information could be gathered internally but not shared with other insurers. “Disclosure is necessary to prevent fraud rings,” Martin points out. “There’s no point collecting information if you can’t disclose it to somebody.”

The question now is disclosure to whom? The tightly controlled amendment will permit disclosure to an investigating body to be designated by the regulations. Financial industry organizations such as the Canadian Bankers Association have already applied to act as an investigating body. The insurance industry has yet to do so, although it is expected that the Insurance Crime Prevention Bureau will fill the role when the time comes.

Fundamentals

“Fraud was key,” says Sean Murray. “It is so fundamental to our business that we’re going to have a real problem is there is a patchwork approach to that in legislation.” Murray is confident that protection against fraud was not a deliberate exclusion and that once the regulators understand the need to address the problem they will be sympathetic.

Of greater concern from an industry perspective may be the enormous power contained in the Privacy Commissioner’s office. While the Commissioner will lack the authority to make regulatory changes (and the provisions of the bill appear locked in place for at least five years) the office has broad auditing power. “No doors can be shut in their face,” Martin notes. “They can walk into your office at any time. There is no check and balance, it’s all part of your review.” Ironic for a piece of legislation built on the foundation of privacy.

To what extent the Privacy Commissioner will use his “sweeping powers” remains to be seen. Insurance offices are off limits for another four years, and the traditional practice of Canada’s privacy watchdog has been to work with the industry to solve or avert problems. “I don’t think insurance companies are going to be tripped up by minor infractions if you have a solid compliance program in place and you are making every effort to comply with the law,” Martin says. In fact, one of the functions of the Privacy Commissioner will be to encourage sector codes similar to IBC’s personal information code. Compliance with such industry codes are likely to reduce the risk of a company being taken to task by the Commissioner or having to appear in federal court.

While Bill C-6 appears to have all of the necessary characteristics to protect privacy, it remains what in the long term appears to be a challenge for insurance companies as they prepare to comply. “There are some considerable gray areas,” says Murray. “In terms of various mechanisms: how the legislation is going to work, how things get bumped up to the Privacy Commissioner, there definitely needs to be some clarity.”

Clearly, the Privacy Commissioner is going to have to do a better job at closing the loops. In the meantime, IBC will do its best to guide the industry along. The council is working on a plain language version of the bill. “At this point, all we can do is indicate our best educated guess about what a specific clause means. As lawyers we have some knowledge of the subject and what the likely interpretation of a particular phrase is going to be. But there are no guarantees.”cu