Complainant Objects to Insurance Company Database
PIPEDA Case Summary #2010-002
[Principles 4.3 and 4.7]
Lessons Learned
- As a best practice, organizations should review their information sharing agreements to ensure that the parties they share information with comply with applicable privacy legislation, including consent requirements relating to the use and disclosure of personal information.
- An organization that is a secondary collector of personal information must exercise due diligence to ensure that such consent is obtained; in many cases, this could take the form of contractual provisions.
An individual complained that the respondent, a company which maintains a database of automobile insurance policy and claims information, had collected his personal information for its database without his consent. Specifically, the complainant objected to the accumulation of personal information by the respondent from insurance companies by what he believed to be non-consensual means. The complainant also expressed concerns about whether adequate safeguards were in place to protect the information in the database. He also expressed the wish to have his name removed from the database.
The complainant, who lives in Alberta, originally filed his complaint with the Information and Privacy Commissioner of Alberta. After discussions between the two Commissioners’ Offices regarding jurisdiction, it was determined that the respondent was located in Ontario, and thus subject to PIPEDA. The complainant directed his complaint against the respondent and not at any insurance company that provided the information.
In this case, the respondent, which maintained the database, was a secondary collector of personal information. As such, the respondent relied on the insurance carriers (the original collectors) to obtain the individual’s consent directly to subsequent uses and disclosures of personal information. In examining the language of the consent clause used by the insurers, the Assistant Commissioner found that the language was approved by provincial regulators and mandated by provincial statute. As well, the Assistant Commissioner found that the respondent’s standard agreement requires users of its database to comply with all applicable laws, and she found its security safeguards to be in compliance.
The following is an overview of the investigation and the Assistant Commissioner’s findings.
Summary of Investigation
The complainant’s son was in the process of purchasing automobile insurance from an insurance broker. The agent typed the complainant’s name into an automobile claims history database, which is operated by the respondent, and showed his son computer screens displaying private insurance information related to the complainant and a number of his family members. The information included the complainant’s name, address, telephone number, date of birth, details of all vehicles registered to him since he had first purchased automobile insurance, and details of insurance policies he had held and claims he had made on those policies.
The complainant’s son asked for hardcopies of these records, which the agent provided. The complainant subsequently shared the hard copies with our Office.
The complainant learned from the respondent that the automobile claims history database included information on every person who had purchased automobile insurance in almost every province in Canada since 1976.
The respondent’s automobile claims history database
The respondent is incorporated under the Canada Business Corporations Act, carries out business in all provinces, and has maintained the automobile claims history service since about 1987.
The service is used by virtually all private insurers in Canada, but not by government-operated insurance plans. Some government-operated insurance plans, however, may use the service in certain circumstances, such as when a driver moves into the province and wishes to purchase automobile insurance. At present, the respondent is the only company in Canada that provides this essential automobile insurance information within the industry.
The personal information in the database is collected from individuals by insurance carriers in the process of providing insurance and settling claims. In the present case, the information at issue was collected in Alberta by companies that had provided insurance to the complainant in the past.
The information exchange framework
Insurance companies operating in Alberta are governed by the Insurance Act of Alberta, section 610(1) of which provides as follows:
“No insurer may use a form of application, policy, endorsement or renewal or continuation certificate in respect of automobile insurance other than a form approved by the Superintendent.”
The form approved by the Superintendent for insurers includes the following statement, added in 2005:
“The personal information collected on this application is needed to issue the policy. We [the insurance company] are required to provide this information to the Underwriting Information Tracking System, which is a data bank operated on behalf of the automobile insurance industry for the purposes of statistical analysis, identification of eligible risks and the proper rating of those risks. The information in the data bank is available to all insurance companies and insurance agents providing automobile insurance in Canada.”
“CONSENT: I am applying for automobile insurance based on the information provided in this application. I authorize you to collect, use and disclose the information on this form and any additional information about my driving record, automobile insurance policy and claims history and that of the listed drivers from whom I declare I have obtained consent for these purposes. I understand that this personal information is necessary to assess the risk, issue the insurance contract, renewal or change, detect and prevent fraud and investigate and settle any claims. If I apply for a premium payment plan, I authorize you to obtain and use my credit report.”
Individuals provide information to the insurers when they apply for insurance. Insurers then provide the information to the Insurance Bureau of Canada (IBC), which operates the Underwriting Information Tracking System (UITS) for the insurance industry. The respondent’s database is not part of the UITS, but includes information transferred from the UITS through the IBC at the request of the insurance companies that collect personal information on the insurance application form. The respondent pays a fee to the IBC for the transfer of this information.
In each case, the insurer signs a form directing the IBC to transfer to the respondent the personal information collected.
The respondent provides this information to all participating insurance carriers, agents, brokers, or claims adjusters on the basis of a contract with the receiving organization. The receiving organization can then request a report from the respondent containing information about an individual, such as details of all insurance policies on which the individual was listed, all vehicles covered, and all claims made. According to the insurance industry, all of this information is necessary to ensure a fair assessment of the insurance risks.
The standard contract between the respondent and the insurers using its database contains a provision requiring all users to comply with applicable laws, and a provision requiring that all claims information be kept confidential and used only in accordance with insurance policies. The respondent has procedures in place for individuals to access their information and to request corrections to it. Individuals cannot have information deleted; according to the IBC, deletion would be contrary to the purposes for which the information was collected.
The respondent indicated that the database resides on servers in Canada at an ISO-certified centre equipped with industry-standard security safeguards. Information is delivered electronically to users via secure protocols. The respondent also has in place authentication procedures based on industry-standard protocols and users are required to sign a statement confirming they will protect the confidentiality of the information and use it only for its intended purposes.
Findings
Issued February 10, 2010
Application: Principle 4.3 states that knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
In making her determinations, the Assistant Commissioner deliberated as follows:
Consent
- There are three considerations that prevent the Office from making recommendations on the consent language of the form in question. First, the application form uses language that is approved by Alberta’s Superintendent of Insurance and mandated by provincial statute. Second, the insurance companies that use the form are Alberta-based companies and therefore outside of the OPC’s jurisdiction. Third, the complaint in question is not directed at any insurance company, but rather at the respondent.
- The respondent does not collect personal information directly from any individuals, but rather through the IBC. As such, the question is to what extent the respondent was obliged to comply with PIPEDA’s “knowledge and consent” principle.
- In previous cases involving such secondary collection of personal information, we have determined that the secondary collector may rely on the original collector to obtain the individual’s consent directly to subsequent uses and disclosures of personal information, but must nonetheless exercise due diligence to ensure that such consent is obtained; in many cases, this could take the form of contractual provisions.
- In the case at hand, the respondent’s standard agreement with the insurers requires users of the database to comply with all applicable laws. Although the Assistant Commissioner would have preferred the respondent’s standard agreement to be more specific about the insurers’ responsibilities for obtaining individuals’ consent, she was satisfied that the provision requiring compliance with applicable laws, taken together with the provisions requiring confidentiality and limited use, constitutes a reasonable exercise of due diligence on the respondent’s part.
- Therefore, the Assistant Commissioner found the respondent in compliance with Principle 4.3.
Safeguards
- The alleged disclosure of the complainant’s personal information to his son, which appears to have been the result of a deliberate action on the part of an organization other than the respondent, cannot be taken as evidence of inadequate safeguards for the respondent’s database. Therefore, on the basis of the respondent’s representations regarding its security safeguards, and in the absence of evidence to the contrary, the Assistant Commissioner was satisfied that the respondent was in compliance with Principle 4.7.
Conclusion
The Assistant Commissioner concluded that the complaint was not well-founded.