Submission to the OPC’s Consultation on Consent under PIPEDA (CLHIA)

Canadian Life and Health Insurance Association

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


Summary

The life and health insurance industry has had firsthand experience with what is noted in the consultation document as the "transparency paradox". However after years of further reviewing and refining our disclosures, our members believe they have reached an appropriate balance. Consequently, we believe it is still feasible and appropriate to obtain meaningful consent in our industry and there is no need to rethink the concept of consent in its entirety.

That being said, we suggest the addition of a new exception that aligns with the concept of “legitimate business interest”. These interests would have to be balanced against other interests and could be tied back to what a reasonable person would consider are appropriate in the circumstances.

We would be open to exploring further the concepts of additional codes of practice and privacy trust marks in order to test their effectiveness. However the use of these tools without having comfort that the public clearly understands that the OPC or government, for example, recognize these accountability protections may not add the value expected.

We further suggest that the notion of "publicly available" information, as found in the Regulations, be updated as it is not technology neutral and no longer appears to reflect the reality and expectations of individuals it is meant to protect.

New technologies do not impact the feasibility of obtaining meaningful consent for our industry. However we understand that the situation may be different for other types of businesses. Perhaps online environments are better suited to a layered approach where organizations can present a consumer with additional information to supplement the user's understanding, by allowing the user to click on a link for example. Therefore, if the information that is available is important to the user, they could obtain it with a further click of the mouse.

Also, with certain types of technologies (e.g., smart phones and similar technological tools) it may be possible for an organization to provide a standard initial consent statement that may be developed by industry, perhaps with the OPC or other input, and could be made available directly or via a link.

Whatever changes may be made to the concept of consent, we believe that consumers must continue to bear some amount of responsibility for becoming familiar with the provided disclosures or consumers will have no incentives to read even the clearest of disclosures.

We believe “no go” zones may be too black and white and caution against rules that may not afford the needed flexibility to deal with an ever changing environment. However, there may be flexibility in allowing broad categories of services to require different content to be initially disclosed.

We support a continuation of the existing ombudsman model as it is effective at balancing the rights of individuals to protect their personal information with the rights of organizations to use that information in legitimate and reasonable ways for commercial purposes. It also allows the OPC to remain more accessible, informal and flexible in its ability to assist parties in resolving the issues at hand. In addition, the court system is an efficient complement to the OPC powers as the courts are well positioned to assess damages and impose penalties on non-compliant organizations.

The full submission is available in the following language(s):

English (PDF document)

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

Date modified: