Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Insurance broker asked to amend privacy language

PIPEDA Case Summary #2007-385

[Principles 4.3 and 4.3.2 of Schedule 1]

Lessons Learned

  • Insurance brokers must make a reasonable effort to inform individuals how, why and to whom their personal information will be used and disclosed.
  • Consent to such uses and disclosures must be meaningful.
  • Consent language should not be overly broad, but, at the same time, the language has to allow for the fact that brokers deal with many insurance companies with a variety of target markets and practices.
  • Brokers’ privacy policies and application forms should differentiate between how personal information is treated when applying for insurance and how it is treated when making a claim under the insurance policy.

A couple brought their concerns about the language of consent their insurance broker uses in its personal information consent form.  They felt that the form authorized overly broad disclosure practices, and that they were being asked for prior consent to disclosures, which they believed was contrary to the Personal Information Protection and Electronic Documents Act.  They believed that the broker should be contacting them and obtaining meaningful consent for every intended disclosure of their personal information. 

The Privacy Commissioner concluded that the broker had not made a reasonable effort to inform its clients of how their personal information was being used or disclosed and for what reasons.  Consequently, she found that it was not obtaining clients’ meaningful consent, contrary to the requirements of the Act.  She made several recommendations to the broker, and these were implemented. 

The following is a detailed overview of the investigation and the Commissioner’s findings.

Summary of Investigation

The language the complainants found particularly problematic was the following:

I acknowledge that the Broker’s underwriting process may require them to order consumer, inspection and previous insurer reports, containing personal, credit, factual and investigative information.  The Broker is authorized to collect, use, and disclose my personal information to relevant third parties, as required, including insurance companies.

The paragraph following this one indicated that if the individual refuses or withdraws his/her consent to the privacy practices above, the broker might be unable to acquire or renew coverage, and the insurance policy might be cancelled.  The complainants interpreted this language to mean that, as a condition of service, they had to consent to the collection, use and disclosure of information beyond that required to fulfil explicitly specified and legitimate purposes. 

The form referred the reader to the broker’s on-line privacy policy.  However, parts of the policy were equally problematic.  For example, one of the proposed uses of personal information was:

To share or exchange reports with credit reporting agencies, credit bureaus, and other person(s), corporation(s), firm(s) or enterprise(s) to verify the accuracy of personal information.

According to the privacy policy, personal information may be used to assess the individual’s future needs, and to offer products and services from the broker, its affiliates or reputable organizations selected by the broker.  An applicant wanting to opt out of this practice was required to write to the Privacy Officer listed on the form.  There did not appear to be an easy, convenient, and immediate method of opting out of the secondary use of personal information during the application process.

Findings

Issued November 29, 2007

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.  Principle 4.3.2 stipulates that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.  To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

Based on her review of the broker’s consent form and privacy policy, the Commissioner was of the view that the company had not made a reasonable effort to ensure that its customers were advised of how their personal information would be used and disclosed, and to whom.  Given this, she found that the company was not obtaining the meaningful consent of customers, according to the requirements of the Act.

She therefore made the following recommendations:

  • In its privacy policy, one of the purposes for which the broker collects, uses and discloses personal information is “to understand and assess Clients’ ongoing needs and offer products and services to meet those needs.”  The broker should clearly specify what products and services it is referring to, and provide an easy and convenient method for clients to opt out of the use and disclosure of their personal information for any secondary purpose, such as marketing new products and services, during the application process.
  • The broker should specify what information is transferred or disclosed to central databases, under what conditions, and for what purpose.
  • The broker’s privacy policy and consent/application form should distinguish between how personal information is treated when an individual is applying for insurance as opposed to how it is treated once an individual is a customer making a claim under the policy.
  • The broker’s Privacy Policy should provide more detail on the circumstances under which it “confirms information” provided by an insurance applicant or policy holder.
  • The broker should specify what it means by the phrase “disclose my personal information to relevant third parties, as required.”  The broker should provide examples of the types of third parties to which it discloses personal information.
  • The broker should reconsider the language of the privacy policy and consent form that indicates that insurance coverage may be cancelled if the individual refuses or withdraws consent.  The broker should specify the circumstances under which the individual does not have a right to “opt out” of its privacy practices.
  • The broker should clearly indicate under what circumstances and when it shares personal information with insurers, and the types of personal information that is shared.

           
The Commissioner noted that such measures should ensure that the individual is aware of the purposes for which his or her personal information is being collected, used and disclosed, and that the individual is providing his or her meaningful consent to the broker’s personal information handling practices. 

The broker responded to these recommendations, noting that, as an intermediary between clients and insurance companies, it provides client information to multiple insurance companies in order to provide competitive quotes to its clients.  Often these companies have offices in other provinces.  Each of the companies may vary in their underwriting philosophy, target market, and underwriting methodology.  It indicated that some companies may look at claims databases, some may look at credit ratings, some may consider other factors—the practices differ from company to company and even from underwriter to underwriter.  The organization has attempted to inform clients accordingly in its consent form.

The broker amended its privacy documents using those initially recommended by the Insurance Brokers Association of Canada (IBAC) as the basis for the forms.  It also made additional amendments to its privacy documents, in keeping with some of the recommendations.  As for providing an opt-out clause, the company indicated that it was not amenable to doing so as it could notsend the private information of the client to the insurance companies.If the client stated that he or she would provide qualified consent (e.g., not agreeing to certain checks or the ordering of specific reports), it could not accept the business of that client and send his or her information to insurance companies that will be utilizing some or all of these underwriting checks.  The broker would have to respectfully decline to be of service to that person.

The Commissioner considered the revised privacy documents, along with the organization’s rationale for not providing an opt-out provision in its consent form.  It appeared that the broker was taking preliminary steps to ensure that the individual is made aware of the purposes for which his or her personal information is being collected, used and disclosed, and that the individual is providing his or her meaningful consent to the broker’s personal information handling practices.  With respect to the second, fourth, and fifth recommendations, the Commissioner was satisfied with how the company had revised its consent form.

The Commissioner concluded that the complaint was resolved.

See also

#358 Individual objects to insurance company’s consent requirements

#368 Insurance adjusters’ consent form considered overly broad

 

Date modified: