Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Report of Findings #2012-005

Ontario insurance company used credit information to assess risk; calculate premiums


The complainants saw their home insurance premium increase significantly from the previous year. They alleged that their insurer’s policy of basing premiums on a customer’s credit information, obtained from a credit bureau, was not justified.  They alleged that the insurer did not have their knowledge and consent for this practice. They were also concerned that the insurer would use the information for other purposes.

We noted that Ontario’s Consumer Reporting Act confirms that credit information may be disclosed for the purpose of underwriting insurance. 

We concluded that a reasonable person would consider the purpose of the collection and use of credit information in this particular circumstance to be appropriate.

This aspect of the complaint was not well-founded.

Nonetheless, our Office has some general concerns with information – provided to credit reporting agencies for one particular purpose – being collected and possibly being used in a different context.

The long-term public policy impact stemming from the use of credit information for the purposes of assessing insurance risk is unknown at this time. Accordingly, our Office will continue to conduct research and monitor this trend and our position may evolve over time.

In this particular complaint investigation, we also found that meaningful consent had not been obtained to collect the complainant’s personal information for this purpose.

With regards to openness, we found that there was a lack of available and sufficient information regarding the company’s use of statistical score and credit score information.  We therefore recommended that the insurance company amend its application consent clause to include consent for its collection and use of this type of information, and that existing policyholders also be informed of the practice and its purposes. We also recommended the company ensure it makes information about its policies and practices on the use of this information readily available to individuals who wish to acquire it.

In response, the organization committed to amend its application form; inform policyholders at their next renewal about its use of credit information; and modify its website to explain its use of credit information.

These aspects of the complaint were well-founded and conditionally resolved.

Lessons Learned

  • In order to obtain meaningful consent for the use of personal information, organizations must ensure they inform individuals of all of the purposes for which their personal information will be used.
  • Organizations must be open about their policies and practices with respect to the management of personal information. This information should be readily available to individuals.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

1. The complainants alleged that an insurance company (“the company”) used their personal information without their consent − specifically their credit score information provided by a credit bureau − to calculate the cost of their insurance premium. They find the company’s practice to be unreasonable.

Summary of Investigation

2. The complainants are husband and wife, and were joint applicants on a property insurance policy in Ontario from the company.

3. In 2009, they were surprised when their insurance renewal premium had increased considerably over the previous year’s premium. The company had been their insurer for six years and the complainants were claims free. When the complainants looked into the matter, they learned that the company had requested and received from a credit reporting agency (“the credit agency”) access to their personal credit information. In their view, the company had done so without justification and without their knowledge and consent. They were also concerned about other purposes to which the company would use this information.

4. The complainants raised their concerns with the company, after being advised to do so by the Insurance Brokers Association of Ontario. Not satisfied with the company’s response, the complainants filed a complaint with this Office, which we received on January 26, 2010.

5. In its representations to this Office, the company explained that it obtains express consent from its customers for the collection of credit information at the time its customers apply for insurance. In the company’s view, the complainants consented when they signed their original application.

6. Both parties submitted a signed copy of the complainant’s policy application as evidence. It uses the standard Centre for Studies in Insurance Operations (“CSIO”) application form, which includes the following consent provision:

The Applicants agree that reports containing personal, credit, factual record, premium payment or claims history information may be sought or exchanged in connection with this application for insurance or renewal, extension, variation or cancellation thereof.

7. The company also contended that its website privacy statement advises individuals that the organization may collect their personal information from third parties for the purpose of administering insurance policies, as well as for other purposes.

8. Since 2003, the company has sent to all its policy holders in Ontario (including the complainants) a detailed, two-page notice at the time of their first policy renewal. We examined a copy of the notice. It explains the company’s collection and use of personal information. According to the company, the second page contains a detailed and transparent explanation of its collection and use of credit-related information. Specifically, it states that the company may use the score as one of many rating factors to determine eligibility for personal property insurance and premiums.

9. The company then expanded on the insurance-related score mentioned in the notice. The company explained that the score (”statistical score”) is a three-digit number derived from a statistical analysis of information contained in a consumer's credit file. The credit agency presents the statistical score along with up to four score reason codes that list the key factors in a customer’s credit file that had the greatest impact, positive or negative, on the customer’s score. These factors are: length of time accounts have been established, number of accounts opened within the last 12 months, relationship of balance to high credit on bank/national or other revolving/open accounts and number of accounts paid as agreed.

10. According to the credit agency, the statistical score is a powerful and unique underwriting tool that rank-orders risk for underwriting and predicts the likelihood of delinquency over 12 months. Jointly developed by the credit agency and another company specifically for personal property underwriting, the statistical score uses the other company’s models and the credit agency's current data-attributes to predict loss ratio and frequency of claims. The credit agency asserts that the statistical score consistently and accurately indicates the potential risk of a future insurance claim from any applicant or policyholder.

11. For their part, the complainants maintain that before their premium increased, they had a perfect credit rating for 50 years. This changed for the worse when they co-signed a loan that resulted in three defaulted payments. However, the complainants assert that in the end, the loan was repaid in full in 2007 without the complainants further neglecting their obligations in any way.

12. The company confirmed that the complainants’ premium had increased between 2008 and 2009, and that a change in their statistical score had negatively affected their premium. However, the company noted this was not the only factor: an increase in the overall standard insurance rates and a higher insurance replacement cost for the complainants’ home also contributed to their higher premium.

13. The Insurance Bureau of Canada (“IBC”), a national industry association representing Canada’s private home, car and business insurers has issued guidance with respect to the use of insurers’ use of credit information. Its Code of Conduct for Insurers’ Use of Credit Information (the “Code”) provides insurers who use credit information in their underwriting and rating activities for personal insurance with voluntary guidelines to set parameters around the use of credit information.

14. During our investigation, in addition to reviewing the IBC Code, we also reviewed the complainants’ insurance policy, the company’s privacy policy, the positions of several provincial governments, a study from the Financial Services Commission of Ontario (“FSCO”), and numerous studies and research papers on the matter.

15. Our Office’s research into the matter revealed that although several studies claim that credit-based insurance scoring information is a valid predictor of risk of a future loss, there is no unanimous industry support for using credit-based information in this manner. For example, a survey carried out by the FSCO in 2009 demonstrated that not all insurance companies in Canada are using credit scores for risk assessment.Footnote 1

16. In addition, a survey commissioned by the Insurance Brokers Association of Ontario in November 2010 showed that 3 out of 4 Ontario consumers were not aware that their credit scores were being used to determine how much they pay for their home insurance premiums.Footnote 2

17. On September 14, 2011, our Office issued a preliminary report of investigation to the company in which we examined the issues raised in the complaint and requested that the company respond to our recommendations. What follows is the result of our analysis of the evidence presented to our Office during the course of the investigation.

Application

18. In analysing the facts, we applied subsection 5(3) of Part 1 from Schedule 1 of the Personal Information Protection and Electronic Documents Act (“PIPEDA” or “the Act”) and Principles 4.3, 4.3.2, 4.8.1.

19. Subsection 5(3) states an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.

20. Principle 4.3 states that knowledge and consent are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 clarifies that the principle requires “knowledge and consent”. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information shall be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

21. Principle 4.8.1 states that organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.

Findings

April 27, 2012

Are the Purposes of Collection and Use Appropriate?

22. At issue is whether the purposes for which the company collects and uses personal information are appropriate in the circumstances.

23. In this matter, the issue concerns the company’s collection and use of the complainants’ credit information for the purpose of calculating the cost of the complainants’ premium. The company has indicated that the use of underwriting tools, including statistical score, is used for purposes of assessing risk and setting premiums.

24. Section 8 of Ontario’s Consumer Reporting Act confirms that credit information may be disclosed for the purpose of underwriting insurance. It states:

  1. 8. (1) No consumer reporting agency and no officer or employee thereof shall knowingly furnish any information from the files of the consumer reporting agency, except, (…)
    1. (d) in a consumer report given to a person who it has reason to believe, (…)
      1. (iv) intends to use the information in connection with the underwriting of insurance involving the consumer, (…) [italics added]

25. As such, we acknowledge that the Ontario government has made the public policy decision to allow the disclosure of individuals’ credit information for purposes of assessing insurance risk through the enactment of the above provision.

26. We also note that assessing risk is a fundamental component of the insurance business model. The company asserts that the selling of insurance policies requires the undertaking of a risk analysis before providing the service. From the company’s perspective, underwriting tools are necessary to analyse and predict risk in order for insurance companies to be able to provide insurance products at the appropriate price. At the same time, the company has indicated that there is a benefit for both the insurer (who gains by managing its risk and pricing its insurance policies appropriately) and the policyholder (for whom “credit information has a positive impact on the overall premium.")

27. In the circumstances, we find it difficult to conclude that a reasonable person would not consider it appropriate that the company would collect and use statistical scores as a tool to underwrite insurance policies and set premiums for its customers in Ontario, especially given that the provincial government has specifically allowed it.

28. In addition, we acknowledge that the statistical score is an aggregate number, which may be less intrusive than accessing an individual’s entire credit report. We further acknowledge that there is some indication that the statistical score is predictive of risk. For example, the US Federal Trade Commission studied the issue, releasing a report in July 2007. The report affirmed the predictive value of credit-based insurance scores in claiming experience and found that the use of such scores may result in consumer benefits.Footnote 3

29. For the reasons above, we have determined that the requirements of subsection 5(3) have been met.

30. Nonetheless, our Office has some general concerns with information − provided to credit reporting agencies for one particular purpose − being collected and possibly being used in a different context. In this respect, we note that there is no obvious link between credit information and insurance premiums. While the majority of risk assessment tools that insurance companies use have apparent links to the product being purchased by the consumer (claims history, for example), credit history does not. Moreover, the means by which the credit score is determined is closely guarded and most individuals have no way of knowing whether or how their credit information may factor into their insurance premiums. Credit reports are also not always accurate.

31. The insurance industry’s own national association seems to recognize that using credit information is not entirely consistent with other tools typically used to assess insurance risk. In our view, the presence of the Code indicates that the IBC views the use of credit information as sufficiently different and separate from other tools to warrant special considerations around its usage and treatment. We also note that the Code guides insurance companies to not use credit information as a sole variable and to not deny quotes and insurance to customers who refuse to consent to the use of credit information. This suggests to us that IBC further recognizes that credit information is not a tool that is necessarily integral to assessing insurance risk.

32. In addition, we note that the use of credit information in the property insurance context is not permitted in all provinces. Insurance companies operating in Newfoundland and Labrador are now prohibited from using credit information in their “personal insurance risk classification systems" or using credit information to decline to issue, to terminate or to refuse to renew a contract of "personal insurance".Footnote 4

33. As such, this complaint has raised broader issues of concern for the Office. In our view, the long-term public policy impact stemming from the use of credit information for the purposes of assessing insurance risk is unknown at this time. Accordingly, the Office will continue to conduct research and monitor this trend and the Office’s position may evolve over time.

Consent

34. Our conclusion that the credit agency could rely on the consent obtained by the company and the accompanying analysis used to reach this conclusion are not determinative with respect to whether the company has met its own obligations under the Act. To determine the latter requires an examination of the company’s practices having regard for the particular circumstances surrounding the complaint at hand. As such, we will now focus on the validity of the consent obtained by the company, in light of the current complaint against the company.

35. At issue is whether the company obtained the complainants’ consent to use their credit information (or a derivative of it, as the company claims the statistical score to be).

36. In our view, and after carefully reviewing both parties’ representations, adequate consent for the use was not obtained by the company.

37. To illustrate, we find the language used in the consent provision on the insurance application form to be very general in nature. An applicant reading that provision would not easily be able to infer that their credit agency credit score will be used to determine their policy premiums on an ongoing basis. While the consent provision includes a mention of “credit information”, this is not sufficient to claim that meaningful consent (as required by Principle 4.3.2) has been obtained for the company’s practice of using statistical score to, specifically, calculate the cost of the insurance to the customer

38. Further, it is not reasonable to expect an individual to understand that their credit score will be used in this way since the most obvious accepted use of this information by businesses is to establish an individual’s credit worthiness in a loan or credit context, not in determining the probability of them later filing an insurance claim. Consequently, since this is not a familiar or expected use for customers, for the company’s application consent provision to be acceptable in the current circumstances, further clarification of what customer information will be used by the company and to what specific end it will be used are required under Principles 4.3 and 4.3.2 of the Act.

39. Moreover, we note that the company does not appear to be following the guidance provided by its own industry association with respect to consent. The Code provides detailed instructions for obtaining consent to the use of credit information and advocates for obtaining express and informed consent. While we acknowledge that the Code is voluntary, as noted above, our view is that its presence indicates that special considerations are warranted for the use of credit information. Accordingly, we find the Code to be informative with respect to the parameters it sets for obtaining appropriate consent in the context of using credit information in underwriting and rating activities for personal insurance.

40. As for the notice that the company sends to all policyholders at the one-year anniversary of their policy, we note that the language it uses to explain the use of customer credit information is more descriptive than that found in the application. However, we consider the notice misleading since it states that the company “… may [italics added] use the score as one of the rating factors to determine …premiums”. In fact, the company advised our Office that it obtains a statistical score at the first renewal of all policyholders in Ontario.

41. In our view, a customer reading the company’s notice could form the general impression that they are exempted from the practice, or that it applies only in a minority of cases (e.g., individuals with a consistently poor credit history). In actual fact, the company applies the practice broadly and consistently.

42. In any event, we believe the notice would be inadequate for consent purposes since it is not sent to policyholders (the complainants included) until one year after they have already consented to the use of their credit information (i.e., after having signed the consent provision in the policy application). We do not accept that merely disseminating this information one year after customers have signed their initial policy is tantamount to obtaining proper consent.

43. In the preliminary report of investigation, we recommended that the company amend its application consent clause to include consent for its collection and use of the statistical score, to comply with Principle 4.3 of Schedule 1. We specifically requested that for consent to be meaningful, information about the purposes for the collection and use of the statistical score must be provided, as required by Principle 4.3.2 of Schedule 1. Ideally, this consent clause would be separated from the general consent clause and include the elements of consent set out in the Code.

44. We also recommended that the company ensure it provides its existing policyholders with information − concerning the purposes for the collection and use of statistical score − consistent with that which is provided to new customers.

45. In response to the first recommendation, the company informed us that it uses, like all major insurers, standard forms that are developed and provided by the CSIO for the property and casualty insurance industry as a whole. It explained that as such, it cannot unilaterally change any standard consent language used in application forms for insurance coverage. However, it explained that the application form for property insurance is currently being revised by the industry such that the consent language now incorporates two potential uses by insurers of the credit information of applicants. The company further explained that it is working with industry stakeholders to ensure that the consent wording adopted will be aligned with the provisions of the Code and our first recommendation. The company has agreed to keep our Office informed on a regular basis on the progress of the consent language amendments over the next few months until its completion. At which time, the company has agreed to provide our Office with a copy of the revised application form.

46. In response to the second recommendation, the company confirmed that it will be sending out a notice to all its policyholders at the time of their property insurance policy renewal, in jurisdictions where it uses credit information as an underwriting tool. The notice will inform policyholders about the company’s use of their credit information to help assess customer risk. The company indicated to our Office that it had amended the notice and expects to commence the issuance to policyholders by a specified date.

Openness

47. This Office is concerned about the company’s apparent lack of transparency and openness. As noted previously in this report, a survey commissioned by the Insurance Brokers Association of Ontario in November 2010 showed that three out of four Ontario consumers are not aware that their credit scores were being used to determine how much they pay for their home insurance premiums.Footnote 5

48. This holds true in the matter at hand since the complainants alleged that in spite of being clients of the company for six years, they were not aware of the practice of using statistical score to determine premiums. Our investigation also revealed that on the company’s website, there is no explicit information available about statistical score or how credit score information is used to determine premiums. In addition, this information is not included in the company’s Privacy Policy, which is available online.

49. Principle 4.8.1 states that organizations shall be open about their policies and practices with respect to the management of personal information and that individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. Due to the lack of available and sufficient information regarding the company’s use of statistical score and credit score information, we find that the requirements of this Principle are not being met.

50. As a result, we made a third recommendation in our preliminary report of investigation, requesting that the company ensure it makes information about its policies and practices on the use of the statistical score readily available to individuals who wish to acquire this information.

51. In response to our recommendation, the company agreed to post on its website written notification to its policyholders about its use of credit information as one of the several underwriting tools available to the company to assess customer risk. The company indicated to our Office that it expects to have completed the work required to post this information on its website by a specified date.

Conclusions and Follow-up

52. With respect to issues relating to consent and openness, we have concluded that the company is in contravention of the Act and the issues are well-founded and conditionally resolved. We arrive at this conclusion based on the company’s commitment in writing to implement the corrective measures identified in this report, within the indicated specified periods.

53. Our Office has a continuing interest in ensuring that the company adopts the measures needed to bring it into compliance with the Act and that it follows through on the express commitments it has made to the Office in this regard. As such, over the coming months we will be monitoring and assessing the corrective actions the company has committed to undertake. At such time, we will gauge whether the company has fully complied with our recommendations and, if necessary, pursue any outstanding concerns in accordance with our authorities under the Act.

54. In respect of the issue of the appropriateness of the purposes for collecting and using statistical score, we find the company is not in contravention of the Act. Thus, the allegation in relation to this issue is not well-founded.

Update

At the time of posting this Report of Findings, the company had sent notices to policy holders to inform them of its use of credit information (see recommendation in paragraph 46) and had also updated its website (see recommendation in paragraph 51). We were continuing to monitor the company’s work to implement our recommendation that it amend its application consent clause (see recommendation in paragraph 43).