Insurance company required to delete individual’s personal information after individual withdraws consent

PIPEDA Case Summary #2017-005

February 10, 2017


Lessons Learned

  • Individuals may withdraw consent for the collection, use and disclosure of personal information, subject to legal or contractual restrictions and reasonable notice. An organization must inform the individual of the implications of such withdrawal.
  • Organizations should have a policy and procedure for assessing and documenting what personal information they hold, and why they are collecting, using and disclosing that information.
  • Under PIPEDA, an organization does not have to ensure that an individual’s personal information is deleted from a third-party’s records if the information has already been lawfully disclosed.

Complaint

An individual complained that his former automobile insurance company refused to comply with his request to delete his personal information from the company’s records, as well as from the records of any third party organizations to which his information had been disclosed by the company.

The company refused the request for deletion, stating that it had retained the information to continue providing insurance history to other insurers, and that it could not have the information deleted from a third party’s database.

Our Office found that, in the specific circumstances of this complaint, the company should have treated the complainant’s request for deletion as a request to withdraw his consent to their continued use of his personal information. After this reframing of the request, both parties agreed that the investigation would address whether the company was in contravention of PIPEDA by refusing to comply with the request to withdraw consent for the continued use of the individual’s personal information.

Summary of Investigation

The company had previously obtained the individual’s consent for the collection, use and disclosure of their personal information through a standard application for automobile insurance form used in the individual’s province of residence. In 2014, the individual emailed the company’s ombudsman requesting the removal of his personal information from the company and any third parties with whom the information had been shared.

The company’s records

The company submitted to our Office that it had retained the individual’s personal information for the purpose of maintaining insurance history details, in order to assist other insurers in evaluating applications submitted by the individual.

Following our Office’s intervention and the reframing of the complainant’s request as a withdrawal of consent, the company advised that there was no legal requirement for it to retain the individual’s personal information and that it could delete that information, excluding the records it needed to keep as part of our Office’s investigation. However, the individual was told that not being able to provide history details to assist other insurers in evaluating applications submitted by the individual could result in either a higher premium or the individual being denied coverage. The individual accepted these caveats and his information was deleted from the insurer’s records. Therefore, our Office found that this portion of the complaint was well-founded and resolved.

Third Party Organizations’ Records

The company identified the organizations/databases to which it had disclosed the individual’s personal information, in compliance with insurance legislation in the province of residence. Further, the company asserted that it could not demand deletion of this personal information from the databases of third-party organizations.

Under PIPEDA, an organization does not have to ensure that an individual’s personal information is deleted from a third-party’s records if the information has lawfully been disclosed. Consequently, our Office found that this portion of the complaint was not well-founded.

Accountability

In the course of our Office’s investigation, it became evident that the company did not have a readily available explanation for, or a clear understanding of, its disclosure of an insured individual’s personal information to third-party organizations, putting it in contravention of Principle 4.1.4(d) of PIPEDA, which states that an organization shall develop information to explain the organization’s policies and procedures. The company committed to developing a document to track where and how personal information is disclosed to third parties and to making this information readily available upon request. The company agreed to provide our Office with this document three months following the issuance of our Office’s findings for this investigation. Therefore, our Office found that this portion of the complaint was well-founded and conditionally resolved.

Update: After issuing our findings, the company provided our Office with a copy of its revised privacy policy, which makes information available to individuals about where and how their personal information is disclosed. As the company has fully complied with our recommendation, no further follow-up is needed.
