Submission to the OPC’s Consultation on Consent under PIPEDA (IBC)

Insurance Bureau of Canada

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

---

Summary

Insurance Bureau of Canada (“IBC”) is the national industry association representing over ninety percent by premium volume of the private property and casualty (“P&C”) insurance sold in Canada. On behalf of our members, we are submitting comments regarding potential enhancements to consent under the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

IBC and its members are of the view that the current consent model under PIPEDA is appropriate for Canadian P&C insurers and their customers, and does not need to be changed. Canadian P&C insurers already use a layered approach for obtaining consent to the collection, use, and disclosure of personal information and this approach gives insurers the ability to inform their customers of new uses and disclosures of their personal information as well as to obtain their consent as the need arises and the relationship with the individual evolves. In addition, there are situations where insurers rely upon certain exceptions to the consent model that exist in section 7 of PIPEDA, particularly when detecting and investigating fraud.

IBC and its members support some of proposals in the Paper that will enhance the consent regime:

Enhancing Consent – Greater Transparency in Privacy Policies and Notices: The use of easy to understand privacy policies currently used by insurers, in combination with the layered approach to consent, helps ensure that customers have a good understanding of how their personal information is being, or may be, used.

Alternatives to Consent – De-Identification: The use of anonymized aggregate data, as a form of de-identified data, is currently being used by insurers and should remain a viable alternative to the consent requirement.  It can be used in various legitimate ways and safeguards against misuse of this data by third party service providers are built into contracts between them and the insurers.

Alternatives to Consent – Legitimate Business Interests: While there is no common view among IBC members as to the necessity of this alternative, as described in the General Data Protection Regulation 2016/697, it should be explored further as a supplement to the exceptions that already exist in section 7 of PIPEDA, however not as a replacement. An activity that organizations may be able to successfully apply this alternative relates to the detection and investigation of insurance fraud.

IBC considers a number of the proposed solutions either inapplicable to insurers or of questionable merit, some of which include:

Governance – Codes of Practice: IBC does not consider codes of practice to be a solution relevant to the P&C insurance industry. As a heavily regulated financial institution, and unlike other industries, insurers must already comply with a wide range of requirements imposed upon them by the federal, provincial and territorial Superintendents of Insurance, including requirements regarding privacy as well as data and information management.

Enforcement Models: Based on insurers’ experience with OPC to date, the industry is of the view that OPC has done an extremely effective job with the powers currently afforded to it. The Digital Privacy Act amended PIPEDA in June 2015 which included new enforcement powers. IBC does not believe OPC needs additional powers to be able to continue to function appropriately and fulfil its mandate.

Full submission:

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

Introduction

Insurance Bureau of Canada (“IBC”) and its member companies are pleased to provide comments on the discussion paper (“Paper”) that was prepared by the Office of the Privacy Commissioner of Canada (“OPC”) regarding potential enhancements to consent under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Our comments are primarily focussed on Question 1 (Of the solutions identified in this paper, which one(s) has/have the most merit and why?). We also comment on the some of the specific questions in the Paper.

As requested in the Notice of Consultation, we confirm that we have read and understood the consultation procedures.  A 1-page summary of our comments is attached as Appendix “A”.

IBC and its Members

IBC is the national industry association representing over ninety percent by premium volume of the private property and casualty (“P&C”) insurance sold in Canada. The private P&C insurance industry in Canada provides insurance protection for most homes, motor vehicles and commercial enterprises throughout the country.  There are over 212 private P&C insurers actively competing in Canada. The industry is one of the largest employers in Canada, providing over 120, 200 jobs, including positions for independent brokers, adjusters and actuaries. The P&C insurance industry also works to improve the quality of life in Canadian communities by promoting loss prevention, safer roads, crime prevention, improved building codes, and coordinated preparation for coping with natural disasters.

The Insurance Industry’s Layered Approach to Consent

While IBC acknowledges the concerns and issues raised in the Paper regarding the challenges traditional notions of consent will face as technology and business models continue to evolve, we are of the view that the current consent model under PIPEDA is appropriate for Canadian P&C insurers and their customers, and does not need to be changed.

Canadian P&C insurers already use a layered approach for obtaining consent to the collection, use, and disclosure of personal information. For example, when  an individual applies for an insurance policy, they are asked to consent to the collection, use, and disclosure of their personal information for a variety of immediate, and potential future, legitimate insurance purposes, including assessing the risk (underwriting), investigating and settling claims, and detecting and preventing fraud or the contravention of laws. The wording of the consent language in the application forms for automobile insurance is mandated by the provincial and territorial Superintendents of Insurance for each province and territory, and insurers and consumers must use these mandated forms. There is no mandated application form for homeowner’s insurance.

At some point during the insurer-customer relationship, certain events may arise that may require the collection, use, and disclosure of personal information for a specific purpose. For example, if a claim is made under the insurance policy, the insurer will need to investigate the claim, which can include collecting witness statements, and if there are injuries, obtain hospital or medical reports or financial records (e.g. if a claim is made for lost income). When an insured makes a claim, the insurer will typically obtain their consent to collect, use, and disclose their personal information for a specific purpose and provide an explanation why same is necessary, rather than rely solely on the consent provided at the time of the original application. Insurers also employ the use of separate consents obtained when providing insurance quotes and standalone products and services. This practice is particularly relevant for Usage-Based Insurance product offerings. In addition, personal information can also be collected about Accident Benefit claimants from various Auto Insurance Claims (OCF) Forms. These Forms are mandated by the Superintendent of Insurance and also contain certain privacy and consent wordings similar to those in the insurance application.

This layered, circumstance specific, approach gives insurers the ability to inform their customers of new uses and disclosures of their personal information and to obtain their consent as the need arises and the relationship with the individual evolves.

Exceptions to the Consent Requirement Relied Upon by Insurers

Despite adhering to the commonly understood consent requirements in the conduct of their business, there are situations where insurers rely upon certain exceptions to the consent model that exist in section 7 of PIPEDA. Due to the nature of the products and services that insurers provide, they are often required to investigate claims that they suspect are fraudulent, which amount to, among other things, a breach of the agreement between the insurer and the customer as well as a contravention of law. Similarly, insurers may also need to obtain witness statements from individuals in order to access, process, or settle insurance claims.

In these scenarios, obtaining an individual’s consent to collect, use, or disclose their personal information would compromise the insurer’s ability to conduct a proper investigation, detect fraud, settle claims appropriately, and ultimately prevent them from being able to maintain fair and affordable insurance rates for the general public.

Responses to the Consultation Questions Posed in the Paper

1. Of the solutions identified in this paper, which one(s) has/have the most merit and why/why not?

Notwithstanding the industry’s view that the current consent model works and does not need to change, IBC and its members support some of proposals in the Paper that will enhance the consent regime.

Enhancing Consent – Greater Transparency in Privacy Policies and Notices

IBC acknowledges that the personal information that insurers collect from their customers can be used and disclosed in various ways based on the consent they obtain. Insurance policies are complex legal documents subject to the scrutiny of regulators and the courts, and it can be a challenge to prepare privacy policies that capture the complexities of privacy protection in the insurance context. However, many insurers have become increasingly proactive in this regard and as a result the privacy policies of insurers are typically drafted in a way that is easy to understand for the average customer. In cases where insurers disclose customers’ personal information to third parties for legitimate business purposes, customers are made aware of these disclosures either through their insurer’s privacy policy or by the insurer obtaining their consent to the disclosure. Insurers build into their contracts with service providers strict requirements that information provided to a service provider be, among other things, properly secured, used only for the purposes described in the service contract, and treated in accordance with applicable privacy laws.

Insurers also use personal information for the purpose of conducting analysis of information and data to help them develop products and services better suited to their customers, and to remain competitive in the marketplace. Whether or not this analysis is conducted by the insurer, or by a third party service provider the customer’s consent is obtained. This practice would be considered a legitimate and explicitly specified purpose from which consent cannot be withdrawn.

The use of easy to understand privacy policies, in combination with the layered approach to consent used by insurers described above, helps ensure that customers have a good understanding of how their personal information is being, or may be, used. In addition, insurers already, as the Paper recommends, convey privacy related information at key points in the customer experience to help those customers overcome the challenges of trying to understand the complex flow of information.

These are the primary ways that insurers communicate their privacy policies to their customers and they remain very effective and should not be prescribed any further. It should ultimately be up to the organizations to decide how best to obtain meaningful consent.

Alternatives to Consent – De-Identification

The use of anonymized aggregate data, as a form of de-identified data, is currently being used by insurers and should remain a viable alternative to the consent requirement. Information or data that has been anonymized and aggregated can be used in various legitimate ways, one such example being the analysis of information and data described in the section above which helps insurers develop their products and services as well as drives innovation in a privacy compliant manner. For this reason, any revisions to the current consent model should not hinder an insurer’s ability to use anonymized aggregate data effectively.

To protect against the potential misuse of this form of data by third party service providers, service agreements between insurers and their service providers contain strict requirements and obligations that, among other things, such data will only be used for the purposes described in the agreement and for no other purpose. We are not aware of any issues concerning the compliance with such terms and conditions in these agreements.

Furthermore, IBC is of the view that anonymized aggregate data is no longer considered personal information because it no longer contains information about an identifiable individual as required by PIPEDA. While IBC acknowledges that there is a possible risk of re-identification, either through a combination or aggregation with other anonymized data, we believe that the risk in the P&C insurance industry is quite low, and can be addressed by further safeguards against such re-identification being built into contracts with service providers which would prevent them from using data provided to them by insurers in this way. This approach is consistent with the approach described by privacy expert, Robert Gellman, on page 16 of the Paper.

Alternatives to Consent – Legitimate Business Interests

In an earlier paragraph, IBC described the ways in which insurers make use of the exceptions to consent contained in section 7 of PIPEDA. While we are of the view that these exceptions are sufficient to enable insurers to engage in certain legitimate business activities without obtaining consent from an individual, there may be some benefit in considering the inclusion of “legitimate interests” as another viable alternative to consent. Admittedly, there is no common view among our members as to the value or necessity of this new alternative, but the diverging opinions of our members suggests that such an alternative should be explored further as a supplement to the exceptions that already exist in section 7 of PIPEDA, however not as a replacement. A non-legislative approach could be considered whereby OPC issues a commentary on the scope of the term “legitimate purposes” in section 4.3.3 of Schedule 1 to PIPEDA.

A review of the relevant portions of the General Data Protection Regulation 2016/697 (“GDPR”) referred to in the Paper, particularly Article 6 and Recital 47, suggests that organizations may have a significant challenge satisfying the factors described therein in order to use the “legitimate interests” alternative to consent for common everyday business activities. However, one activity that organizations may be able to successfully apply the legitimate interests alternative relates to the detection and investigation of insurance fraud. Insurance fraud has many negative implications for the general public and significantly impacts the ability of insurers to maintain fair premiums for their customers. Not only is insurance fraud illegal, it may also involve a certain criminal element. For these reasons, it is likely that detecting and investigating insurance fraud would satisfy the balancing of interests considerations described in the GDPR should similar criteria be adopted in Canada. 

As identified in the preceding paragraphs, IBC does support some of the proposed solutions to the issue of enhancing consent. However, we consider a number of the proposed solutions either inapplicable to insurers or of questionable merit. Some of the more noteworthy proposed solutions that insurers have a particular view on are described in further detail below:

Governance – Codes of Practice

IBC does not consider codes of practice to be a solution relevant to the P&C insurance industry. As financial institutions, insurers are already heavily regulated by a number of regulatory bodies, particularly the federal Office of the Superintendent of Financial Institutions (“OSFI”) that regulates solvency and corporate governance, and the provincial and territorial Superintendents of Insurance that regulate market conduct, including the wording of certain mandated insurance forms.

As a regulated industry, insurers must comply with a wide range of requirements imposed upon them by OSFI and the provincial and territorial Superintendents of Insurance, including requirements regarding privacy as well as data and information management. Adding another layer of regulation in the form of codes of practice would be redundant, potentially onerous, and in our view, would add little value due to the strict requirements already put into effect by federal and provincial regulators. 

Enforcement Models

IBC agrees that independent oversight bodies such as OPC play an essential role in protecting the privacy interests of Canadians. Based on insurers’ experience with OPC to date, the industry is of the view that OPC has done an extremely effective job of protecting individuals’ privacy with the powers currently afforded to it under its governing legislation. Insurers take their privacy and consent obligations very seriously and understand the importance of strict compliance with the requirements imposed upon them by privacy legislation and insurance regulators. Recognizing the importance of these obligations, insurers have an internal Ombudsman’s Office whose role is to conduct independent and impartial investigations of customer complaints. The role of the Ombudsman’s Office would likely have to be re-evaluated should the OPC’s powers be expanded.

Furthermore, it is noteworthy that the Digital Privacy Act amended PIPEDA in June 2015 which included, among other things, new enforcement powers for the OPC including the ability to compel organizations to enter into “Compliance Agreements”. Also, recent developments in privacy jurisprudence, particularly the creation of the new privacy torts commonly referred to as “intrusion upon seclusion” and “public disclosure of private facts”, creates further incentives for organizations to protect against privacy breaches at the risk of increased reputational and monetary damage. For these reasons, IBC does not believe OPC needs additional powers to be able to continue to function appropriately and fulfil its mandate.

Conclusion

IBC appreciates this opportunity to provide its comments on the potential enhancements to the consent model currently adopted in Canada and would welcome further discussion on these and other related matters. Please do not hesitate to contact me should you have any questions regarding these issues or the comments outlined above.

Yours truly,

Randy Bundus
Senior Vice-President, Legal & General Counsel