Submission to the OPC's Consultation on Consent under PIPEDA (CANATICS)

Canadian National Insurance Crime Services

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

Summary

CANATICS is a not-for-profit organization currently consisting of nine (9) Ontario automobile insurance companies representing 75% of the total provincial Direct Written Premium. The sole purpose of CANATICS is to use state-of-the art data analytics technologies to aid the government, consumers and the insurance industry in the detection, suppression and prevention of organized and premeditated insurance fraud.

CANATICS is currently limited in the type of insurance data that its members can include in the fraud analytics solution due to perceived uncertainty about existing PIPEDA consent framework. As a result the solution currently includes Statutory Accident Benefits data (SAB Data) that members collect via regulated SAB forms, but does not include bodily injury tort claim data (BI Data) collected in relation to tort claims arising from the same accident.

CANATICS urges the OPC to accept and implement the “legitimate business interest” (LBI) consent exception and recognize fraud analytics for purposes of detecting, suppressing and preventing insurance fraud as a legitimate interest for which consent is not required under PIPEDA.

CANATICS recommends the following two-part test, similar to those adopted by the EU, to ensure that the proper balance is achieved when relying on the LBI consent exception.

is the collection, use or disclosure of the personal information reasonable to fulfil a legitimate interest of the organization?; and, if so,
is the legitimate interest still valid when balanced against the interests of the individual?

With respect to the first part of the test, CANATICS recommends that there should be a presumption of legitimacy where the interest claimed by an organization is mandated or actively promoted by government as a public policy, such as the Ontario government’s coordinated fight against organized and premeditated insurance fraud.

With respect to the second part of the test, CANATICS recommends that when personal information is pooled and processed within an industry consortium for purposes of achieving explicit government policy or other public interest purposes, the certification of the processing technologies for Privacy by Design (PbD) should be a strong, if not conclusive, indicator that the processing does not unduly prejudice the privacy rights of the data subjects.

Finally, CANATICS urges that the OPC should avoid a protracted PIPEDA amendment and move quickly to implement the LBI consent exception by issuing guidelines based on the comments received in this consultation.

Full submission:

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

Introduction

Canadian National Insurance Crime Services (CANATICS) is pleased to make this submission to the Office of the Privacy Commissioner of Canada (OPC) in response to the OPC’s Notice of Consultation and Call for Submissions: Consent Discussion Paper (Notice of Consultation). Our comments are limited to the “legitimate business interests” exception identified in the Discussion Paper as a possible improvement or alternative to the current consent framework.

As requested in the Notice of Consultation, CANATICS confirms that it has read and fully understands the consultation criteria and procedures.

CANATICS is of the view that PIPEDA, especially with the recent amendments by the Digital Privacy Act, provides a generally sound consent framework that fairly and efficiently addresses the fundamental right of Canadians to privacy and their legitimate economic, social and political interests in free flowing information. We are pleased with the OPC’s recognition and efforts to calibrate the framework to new technologies and business models in order to ensure that, while still preserving the fundamental right to privacy, consent does not pose a barrier to innovation and to the benefits of technological developments to individuals, organizations and society.

In sum, CANATICS urges the OPC to adopt the legitimate business interest exception to consent, and specifically to recognize the collection, pooling, use and disclosure of insurance data by insurers for purposes of detecting, suppressing and preventing insurance fraud and for insurance fraud analytics, as a legitimate business interest for which consent is not required.

About CANATICS

CANATICS is a not-for-profit organization currently consisting of nine (9) Ontario automobile insurance companies representing 75% of the total provincial Direct Written Premium, with the mandate to expand nationally. Automobile insurance fraud is a large and growing problem in the Ontario auto insurance industry to which the Ontario government and insurers have devoted considerable effort and resources. It affects both the premiums paid by Ontarians and their safety on the roads. CANATICS, established on the recommendation of the Ontario government’s Anti-Fraud Task Force, uses state-of-the-art fraud analytics technologies to identify potentially suspicious claims in insurance industry pooled data, to facilitate further investigation by individual insurers. The sole purpose of CANATICS is to aid the government, consumers and the insurance industry in the detection, suppression and prevention of organized and premeditated insurance fraud.

CANATICS recognizes that having strong privacy measures and systems in place is critical to promoting the privacy interests of consumers who indirectly share their personal information, via their insurers, with CANATICS to achieve its mission in combatting insurance fraud for the benefit of Canadians. Accordingly, CANATICS adheres to a gold standard of privacy protection that respects and abides by Canadian legislative requirements, internationally recognized data protection standards and leading privacy best practices. CANATICS has been recognized by the Information Privacy Commissioner of Ontario as a Privacy Ambassador for adhering to the principles of Privacy by Design in its fraud analytics solution and business processes. And in March 2016, CANATICS fraud analytics solution received the official Privacy by Design Certification from the Privacy and Big Data Institute at Ryerson University in partnership with Deloitte.

Alternatives to Consent – Legitimate Business Interests Exception

The Discussion Paper identifies a “legitimate business interests” (LBI) exception to consent as a possible mechanism to improve the current PIPEDA consent framework. CANATICS is in strong support of LBI consent exception and provides the following comments in response to the three specific questions posed by the OPC about the exception.

Q.1 In the absence of consent, what grounds for lawful processing could authorize the collection, use and disclosure of personal information?

CANATICS urges the OPC to recognize detecting, suppressing and preventing insurance fraud as a legitimate business interest for the purpose of which insurers may collect, pool, use, process and disclose insurance data without consent.

CANATICS is in a unique position to speak to the significance of a LBI exception for insurance fraud. CANATICS’ insurance fraud analytics solution currently includes Statutory Accident Benefits data (SAB Data) obtained from consumers by insurers through forms approved and mandated by the Financial Services Commission of Ontario (FSCO). These forms contain notice to and consent of individuals that their personal information may be collected, disclosed, pooled and used for auto insurance fraud analytics and for purposes of detecting, suppressing and preventing auto insurance fraud.

However, auto insurance companies do not currently add Bodily Injury Tort Claims data (BI Data) into the CANATICS fraud analytics solution. Insurers already validly obtain BI Data from BI tort claimants and BI tort third parties (e.g. witnesses, passengers, tow truck operators, body shops and health care providers), for purposes of processing (including defending) the tort claim. Including such data in the fraud analytics solution will significantly improve their ability to detect, suppress and prevent auto insurance fraud. Unfortunately, they have been unable to do so because of uncertainty as to whether existing consent framework (in terms of the FSCO SAB forms notice and consent and/or PIPEDA consent exceptions) would also cover BI Data. Consequently, we have a situation in which only SAB Data but not BI Data is currently in the fraud analytics solution even though both sets of data would have been collected in relation to the same accident.

Because of the apparent uncertainty surrounding the application of current consent framework to BI Data, CANATICS and the Ontario Ministry of Finance have been exploring an explicit legislative solution, for instance legislating the collection, use and disclosure of insurance data for fraud analytics in order to meet the “required by law” exception in section 7(3)(i) of PIPEDA. This process has been quite lengthy and fraught with its own uncertainty. In the meantime, insurers are unable to include highly probative BI Data in the CANATICS fraud analytics solution.

If the OPC recognizes detecting, suppressing and preventing insurance fraud as a LBI for which insurance data may be collected, pooled, used and disclosed without consent, insurers will be able to add their BI tort data to CANATICS fraud analytics solution without the need for new legislation by the Ontario government.

CANATICS is aware that section 7(3)(d.2) added to PIPEDA by the Digital Privacy Act provides a new consent exception in relation to fraud which, in CANATICS’ view, allows insurers to add their BI Data to the fraud analytics solution. However there seems to be lingering questions over the clarity of the language of section 7(3)(d.2), for example as to whether it permits non-consensual systemic disclosure to detect and suppress fraud and for fraud analytics, or whether it is limited only to a specific instance of fraud investigation involving the data subject.^{Footnote 1} In addition, the drafting of section 7(3)(d.2) has led some to worry that the consent exception could be interpreted narrowly as limited to “disclosure” and not “collection” and “use”.

Consent exception for “legitimate business interest” will be a significant and welcome improvement or alternative to section 7(3)(d.2) for organizations in the insurance industry. Accordingly CANATICS urges the OPC to take this opportunity to recognize the detection, suppression and prevention of insurance fraud as a LBI for which insurance data may be collected, pooled, used and disclosed without consent.

Q.2 How do we ensure a fair and ethical assessment of grounds for lawful processing that ensure the proper balance is achieved?

As the OPC rightly states in the Notice of Consultation, making the proper balance can be a complex process. CANATICS recommends the following two-part test, similar to those in the EU, to ensure that the proper balance is achieved when relying on the LBI consent exception.

is the collection, use or disclosure of the personal information reasonable to fulfil a legitimate interest of the organization?; and, if so,
is the legitimate interest still valid when balanced against the interests of the individual?

With regards to the first test, CANATICS is recommending that consistent with other PIPEDA consent exceptions, the OPC uses the “reasonable” standard rather than the “necessary” standard in the EU directive.^{Footnote 2} Further, CANATICS recommends that there should be a presumption in favor of legitimacy where the interest claimed by an organization is mandated or actively promoted by government as a public policy, such as the Ontario government’s coordinated fight against organized and premeditated insurance fraud.

The second part of the test requires that an organization’s legitimate interest in processing personal information without consent is not outweighed by the prejudice caused to the privacy rights of its customers. In the Notice of Consultation the OPC identifies as relevant factors to be taken into account, the nature of the data, the public interest, and the reasonable expectations of the individual.

CANATICS recommends that there should also be a presumption in favor of balanced validity when the technologies used for processing personal information for purposes of the legitimate business interest has obtained Privacy by Design (PbD) certification. In particular, when personal information is pooled and processed within an industry consortium for purposes of achieving explicit government policy or other public interest purposes, PbD certification of the processing solution should be recognized as a strong, if not conclusive, indicator that the processing does not unduly prejudice the privacy rights of the data subjects.

In this respect CANATICS notes the following OPC’s question in the Notice of Consultation:

How should PbD be treated in the context of Canada’s privacy law framework? Should this concept merely be encouraged as a desirable aspect of an accountability regime? Or should it become a legislated requirement as it will soon be in Europe?

Recognizing PbD certification as a strong indicator that an organization’s non-consensual processing does not unduly prejudice the privacy rights of the data subjects, will provide an incentive for organizations to practice PbD even if PbD is not a legislated requirement.

Q.3 What would be the role of regulators in assessing grounds for lawful processing?

The OPC clearly has a role in developing guidelines for lawful processing under a LBI consent exception. The Notice of Consultation presents the perfect opportunity to obtain public input with respect to possible LBI guidelines. We encourage the OPC to issue guidelines based on CANATICS’ and other comments received in this consultation, rather than waiting possibly for several years to add a new exception for LBI to PIPEDA.

Conclusion

CANATICS thanks the OPC for the opportunity to provide these comments on the potential enhancements to the current consent model. We would welcome further discussion on our comments and other related matters. Please do not hesitate to contact us should you have any questions regarding these comments.

Yours sincerely,

Ben Kosic
President and CEO
CANATICS

Footnote 1

The second test in 7(3)(d.2) requires that “it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud” (emphasis added). Some have expressed the concern that the inclusion of article “the” in “the fraud” and the apparent requirement to demonstrate a state of mind of the subject data could potentially limit the exception to specific individual investigations.

Return to footnote 1

Footnote 2

CANATICS is of the view that insurance fraud analytics will also meet the EU’s standard as a “necessary” tool in combating insurance fraud and pursuing the legitimate interest of detecting, suppressing and preventing insurance fraud. Today insurance fraud detection, suppression and prevention is a necessary part of the insurance business, often mandated or promoted by industry regulators, and insurance fraud data analytics is a necessary tool for that purpose.

Return to footnote 2

Date modified:: 2016-10-05

Language selection

Search and menus

Search