New privacy regulation requires “mature” corporate governance: Lawyers

With the increase in data flowing over electronic networks, insurance firms need to take heed to a privacy management document released earlier this year by regulators, two lawyers suggested at a recent industry event. 

A guidance document, titled Getting Accountability Right with a Privacy Management Program (PMP), was the topic of discussion by panelists at the annual Regulatory Affairs Symposium, held Oct. 24 by the Insurance Bureau of Canada.

Paul Krpan, assistant general counsel for Northbridge Insurance, said he was “a little alarmed” when he first looked some of the requirements of PMP, released in April and developed by the Office of the Privacy Commissioner of Canada and the offices of the information and privacy commissioners of British Columbia and Alberta.

“If there is a privacy complaint, if there is a privacy audit, this is the first thing they are going to ask you to produce,” he said during the event in Toronto. “But the reassuring thing, however, is you probably have a lot of the elements of a privacy management program in place. If you have a privacy officer … appointed by senior management, if you have certain privacy processes, protocols, if you have done privacy education and training with your staff and if you regularly include privacy provisions in your contracts with outside service providers, then you’re a good way there towards having a privacy management program.”

Krpan noted that “practically every major function” in an insurance business, including claims, underwriting and billing, involves the handling of personal information.

His co-panelist, Heenan Blaikie lawyer Adam Kardash, noted that with new information and communications technologies, there is a “very very rapid implementation” of new programs with “complex data flows,” where the data is kept on more than one computer server.

“For a series of new types of data transactions there are many more custodians or intermediaries of the data, “ he said. “The number of companies involved when you factor in the companies that do analytics, and all the service providers just to support the web environment that is referred to as the digital ecosystem, is remarkable, and it creates challenges because most, if not all those parties, do not have direct privy, a direct relationship with the end user.”

He added the evolution of privacy law in Canada means there is “a very robust set of obligations” requiring a “fairly mature approach” to corporate governance.

“Ten years ago it was a checkbox approach,” he said. “Do you have a poor soul appointed as the privacy officer? Check. Is there a privacy statement, which by the way just recited basic principles and didn’t talk about what they were doing? Check. And do you have carefully drafted consent? Check.”

Who is responsible for the privacy role?

He suggested the PMP does not indicate an actual statutory requirement for someone to have the role of privacy officer as their primary role.

“Sometimes it’s the general counsel (who) assume that role,” Kardash said. “For some reason that’s not entirely clear to me, often it’s the head of HR who gets put in that role and it’s sort of a legacy position but it doesn’t really matter as long as there’s someone who could satisfy the role in a meaningful fashion.”

He added clients of his have been the subject of complaints and investigations that arose because “people within the organization did not even know who the real privacy officer was.

A key requirement of PMP is to have “buy-in” from senior management, he noted, and the program controls need to be documented.

“The owners of different units or business processes, or to be more granular, the owners of the data flows in question are actively involved as part of a cross-disciplinary team and that they know what data is there, they are looking at it regularly,” Kardash added.

When asked about the requirement to report to the board of directors, Kardash said: “my guess is the regulatory authorities probably didn’t qualify the wording on this because they made it categorical. You’ve got to report to the board.”

Depending on the situation, he added, it is sometimes “critical to have meaningful discussion at the board level,” while the existence of a program, as opposed to a simple policy statement, would have to be acknowledged by the board to exist and to be functioning as expected.

“Most critical by far is there is appropriate escalation procedure in place, which is grounded in a security incident protocol, that if necessary, the board needs to be aware.”