Insurance provider revises retention period and practices for insurance quotes containing personal information
PIPEDA Report of Findings #2014-019
October 30, 2014
An individual made a request to an insurance provider for access to his personal information. Eight years before, he had received automobile and home insurance quotes from the provider, but did not become a client. He was surprised when the response to his access request showed that the provider still held the personal information he had provided to obtain the quotes.
In addition, the insurance provider informed him that its retention policy for such information was only seven years. The individual asked that his information be deleted and the provider carried out this request.
The individual, however, still disagreed with the provider’s retention practice. In particular, he wondered why the personal information of individuals who do not become customers is kept for seven years when quotes are only valid for 60 days. As a result, he filed a complaint against the provider with our Office.
The provider in this case is a subsidiary of a Canadian bank. The provider stated that the seven-year retention period was: consistent with financial institution industry standards; established to comply with various applicable laws, statutes of limitation and regulatory requirements; and established for certain business reasons, including fraud detection and prevention.
In the course of our investigation, we found that some of the evidence submitted by the provider was unrelated to the provision of insurance quotes, which are subsequently declined or withdrawn by the applicant.
During the investigation, we also learned that the provider had no automated process in place to destroy personal information when it reached its seven-year anniversary. Further, in addition to the complainant, there were other individuals whose personal information was retained beyond seven years.
In the end, our Office made two recommendations to the provider: 1) determine reasonable time periods for the retention of personal information, and develop guidelines and procedures accordingly; and 2) delete or anonymize personal information in accordance with these guidelines and procedures.
The provider confirmed to us that it had deleted all insurance quotation-related personal information that had been kept longer than seven years. In addition, it created a new record series specifically for automobile insurance quotations with a three-year retention period (to reflect the requirements of fraud management).
The provider also informed us that, from now on, all its automobile insurance quote records would be subject to an automated deletion process after three years.
Our Office was satisfied that three years would be an appropriate retention period, based on additional corroborating information provided by the insurance provider.
As a result, the complaint was deemed well-founded and resolved.
- Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods.
- Personal information shall be retained only for as long as needed to fulfill the purposes for which it was collected. Two exceptions to this requirement are (i) if the individual consents to a longer retention period, or (ii) if longer retention is required by law. Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous.
- Organizations must develop guidelines and implement procedures to govern the destruction of personal information.
REPORT OF FINDINGS
Complaint under the Personal Information Protection and Electronic Documents Act (the “Act” or “PIPEDA”)
The complainant alleged that an insurance provider had retained his personal information for a declined automobile insurance quote for longer than the seven-year retention period prescribed by the organization’s own policy. He also alleged that a seven-year retention period was excessive.
The insurance provider responded that its retention policy is a standardly accepted period for financial records, supported by regulatory requirements and retention rules, as well as by business reasons, including the detection and prevention of insurance fraud.
Our Office found that the insurance provider retained the complainant’s personal information beyond its own retention period. Also, we found that there was insufficient evidence to support the respondent’s practice of applying this retention period (used for credit application information) to declined or withdrawn insurance quotes.
In response to two specific recommendations by our Office, the insurance provider agreed to: (i) delete all quote data in its possession that was older than seven years; and, (ii) modify its data retention period for declined or withdrawn automobile insurance quotation data to three years from the previous seven. The insurance provider also confirmed a future deadline for implementation of this policy.
We thus determined that the retention matter was well-founded and resolved.
Summary of Investigation
- The complainant alleged that an insurance provider (the “respondent”), a subsidiary of a major Canadian bank (the “Bank”), retains personal data collected for the purpose of providing quotes for an excessive length of time (seven years).
- He also alleged that the insurance provider did not destroy his personal information in a timely manner and, in not doing so, was in contravention of its own retention guidelines.
- The complainant, a resident of Ontario, received a home and auto insurance quote from the insurance provider in March 2005. By all accounts, he has never been a customer of that provider, either before or since that time.
- In 2013, the complainant made a request to access his personal information from the insurance provider, who confirmed to him that it had his personal information in relation to his 2005 insurance quote. This personal information included the complainant’s name, date of birth, vehicle information and property information. At the complainant’s request, the insurance provider then deleted his personal information from its database.
- The complainant remained unsatisfied since the eight-year period for which the insurance provider had retained his personal information was longer than the seven years prescribed by the data retention policy, as it had been explained to him. For that matter, the complainant also objected to the policy itself, believing that a retention period of seven years was too long for personal data collected in respect of an insurance quote that is valid for only 60 days.
- He filed a complaint against the insurance provider on these matters with our Office.
- During the course of our investigation into the matters at issue in the complaint, the respondent provided certain representations and documentation. Based on the preliminary results of our investigation, we forwarded certain recommendations which are outlined later in this report. In response to our preliminary report, the respondent provided further representations and responded to our recommendations. The information below is based on the information obtained by our Office during that process.
- The insurance provider explained to our Office that in its records management system, retention periods are assigned based on the retention schedule of the Bank, its parent organization. Retention periods are assigned to a series of similar types of information. This was done for ease of understanding by its employees. Pursuant to the retention schedule, a retention period of seven years was applied to a series of records which included records related to declined or withdrawn insurance quotes as well as those related to declined and withdrawn applications for other products of the Bank (e.g., credit cards, loans, mortgages, etc.). The insurance provider stated that it retains the records in this series so that it can substantiate a lack of bias or discrimination in the approval or declining of a product.
- The respondent claimed that its seven-year retention period was: consistent with financial institution industry standards; established to comply with various applicable laws and provide for statutes of limitation, as a result of a comprehensive analysis of over 10,000 records-related acts, citations, regulations, regulatory requirements and retention rules in Canadian, U.S. and UK legislation; and, established for certain business reasons, including fraud detection and prevention.
- More specifically, the insurance provider stated that compliance with federal anti-money laundering legislation was instrumental in establishing the seven-year retention period. The insurance provider contended that pursuant to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (“PCMLTFA”), it is required to retain records with respect to credit arrangements with clients, including declined credit applications, for five years after the closing date of the accounts to which the client credit file is related. However, the insurance provider did not refer to any specific guideline or regulation from the PCMLTFA to support the seven-year retention period.
- The insurance provider also offered, referencing another example of legislation in support of its seven-year retention schedule, that pursuant to section 34(1) of Saskatchewan’s Mortgage Brokers and Mortgage Administrators Regulations, mortgage administrators, including the Bank, are required to retain, for six years, all documents and correspondence that the mortgage administrator provides to, or receives from, another person with respect to a mortgage transaction.
- The insurance provider further clarified that the seven-year retention period also considers the statute of limitations for plaintiffs to commence a legal action (after discovery of the cause of action), which is generally two years in the province of Ontario, as well as in certain other provinces.
- Finally, the insurance provider contended that there are business reasons that support the seven-year retention period. More specifically, the insurance provider asserted that the period allows it access to information in order to detect and prevent insurance fraud, but did not provide any rationale to support a seven-year retention period for this purpose.
- In our discussions with the Financial Services Commission of Ontario (“FSCO”) and the Office of the Superintendent of Financial Institutions (“OSFI”), neither identified any data retention guidelines for insurance companies.
- In discussions with the Insurance Bureau of Canada (“IBC”), it provided no guidelines with respect to retention periods in relation to insurance quotation information.
Expired Personal Information Held by the Respondent
- Despite the seven-year retention policy, our investigation revealed that certain personal data was retained in digital format on the Bank’s servers for longer than seven years.
- In correspondence with the complainant prior to his submission of this complaint, the Bank indicated that it was unable to automatically purge records, even though the retention period had expired. It further explained that since its records management system pre-dated PIPEDA, data kept beyond its retention date had to be purged manually.
- The insurance provider also clarified that it never used, disclosed or otherwise conveyed the complainant’s information to any third party, and that as outlined in paragraph 4 of this report of findings, the information was immediately destroyed in response to the complainant's request.
- The insurance provider indicated during the course of our investigation that it was not yet in a position to immediately purge any electronically held “date-stamped” customer data that had exceeded its retention limit. The respondent explained, however, that it had initiated a project to modify its retention management system to address the issue. The modified system was to be implemented by October 2014. Pursuant to this project, the insurance provider was in the process of identifying data elements to be: (i) deleted; or (ii) retained and anonymized. Certain quotation-related data elements would be retained, in anonymized form, for long-term trending and analysis purposes.
- On June 25, 2014 our Office issued a preliminary report of investigation to the insurance provider in which we examined the issues raised in the complaint and requested that the insurance provider respond to our recommendations. What follows is the result of our analysis of the evidence obtained during our investigation.
- In making our determinations, we applied Principles 4.5, 4.5.2 and 4.5.3 from Schedule 1 of the Act.
- Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
- Principle 4.5.2 states, in part, that organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods.
- Principle 4.5.3 states that personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.
- The insurance provider acknowledged that it had retained the complainant’s auto insurance quote, as well as other information in its retention management system, in excess of its stated seven-year retention period. As such, we were of the view that the insurance provider acted in contravention of Principles 4.5 and 4.5.3.
- This leads to the second issue, which is whether the insurance provider’s data retention policy of seven years, for information related to declined or withdrawn insurance quotes, is longer than necessary under PIPEDA. The Act does not stipulate precise limits for organizations to retain personal information. Instead, the determining factor is whether the respondent retained the information for longer than necessary to fulfill its identified purposes.
- The insurance provider stated that the reasons for which it needed to keep customer information (including data belonging to individuals, like the complainant, who ultimately do not obtain an insurance service or product) for seven years were: to comply with various applicable laws and provide for associated statutes of limitation; and, certain business reasons, including fraud prevention. We gave the matter much consideration and did not find compelling the reasons and explanations that the insurance provider had put forth.
- More specifically, the legislation referenced by the respondent in their representations (e.g., as referenced in paragraph 12 of this final report) related to credit-based financial products, and not to the type of information at issue in this complaint, that related to a declined personal insurance quote.
- Further, when we consulted financial and insurance industry oversight organizations having jurisdiction in Ontario (the complainant’s province of residence), they offered no endorsement of the retention policy of seven years.
- While we accept that certain business reasons, including fraud prevention, may be relevant in determining the retention period for personal information in certain cases, the insurance provider did not elaborate on how such reasons specifically factored into the establishment of the seven-year retention period at issue in this complaint.
- Based on the above, we were of the view that the insurance provider was retaining personal information related to declined or withdrawn personal insurance quotes for longer than necessary to fulfill its identified purposes.
- The responsibilities that organizations have under PIPEDA to manage effectively the personal data in their possession cannot be overstated. Should there ever be a data breach, organizations that retain personal information for longer than necessary also run the risk of being held to account in the court of public opinion.
Our Recommendations and the Insurance Provider’s Response
- Thus, in our preliminary report of investigation, we recommended that the respondent:
  - Develop and implement sound guidelines and detailed procedures for the retention and destruction of its customers’ and applicants’ personal information, in accordance with Principle 4.5.2, including reasonable time periods for records of various types.
  - Delete or anonymize its customers’ or applicants’ personal information in accordance with these guidelines.
- In its response to our first recommendation, the insurance provider further explained to our Office why it needs to retain automobile insurance quotation data for business reasons, such as fraud management, and provided scenario examples to support its position. The insurance provider reported, however, that it would create a record series specifically for automobile insurance quotations, and that the retention period for data in that series would be amended to three years, to more appropriately reflect fraud prevention requirements. The insurance provider committed to implementing this new retention policy by December 2014, and it confirmed in November 2014 that an automated routine (to run at least monthly) had begun deleting all automobile insurance quote records when they exceed the new maximum retention period of three years. Based on the additional information provided by the insurance provider, we are satisfied that three years is an appropriate retention period.
- In respect of our second recommendation, the insurance provider informed us that its new retention management system was implemented in July 2014, and that mid-way through that month it had deleted all insurance quotation information that had been retained beyond the set retention period of seven years.
- Accordingly, we conclude that the retention matter is well-founded and resolved.
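The retention controls the report describes (date-stamped quote records, a scheduled purge once a record passes the three-year maximum, anonymized elements kept for long-term trending, and an audit that would have caught records held past their retention date) are shown below as an added example written for this page; it is not code from the insurance provider or the Bank. The record fields, the set of fields treated as identifying, the premium banding and the sample records are all assumptions constructed for the example.

```python
"""Retention enforcement for date-stamped insurance quote records.

Added example, not the insurer's code. Assumes each quote record carries a
'created' date and that the policy is: delete the record after three years,
keeping only an anonymized aggregate row for trending (as the report describes).
"""
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 3  # new maximum retention period for auto insurance quotes

# Fields that identify the individual and must not survive the purge.
# Which fields count as identifying is an assumption made for this example.
IDENTIFYING_FIELDS = {"name", "date_of_birth", "vin", "street_address"}


@dataclass
class QuoteRecord:
    quote_id: str
    created: date          # the retention clock starts here
    name: str
    date_of_birth: date
    vin: str
    street_address: str
    province: str
    vehicle_class: str
    premium_quoted: int    # dollars


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping Feb 29 to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def is_expired(record: QuoteRecord, today: date) -> bool:
    """True once the record has reached its retention date."""
    return today >= add_years(record.created, RETENTION_YEARS)


def anonymize(record: QuoteRecord) -> dict:
    """Keep only trending elements; every person-identifying field is dropped."""
    return {
        "quote_month": record.created.strftime("%Y-%m"),
        "province": record.province,
        "vehicle_class": record.vehicle_class,
        "premium_band": (record.premium_quoted // 500) * 500,  # coarse band, assumption
    }


def audit_overdue(records, today: date) -> list:
    """Ids still held beyond retention: the condition the complainant's access request exposed."""
    return [r.quote_id for r in records if is_expired(r, today)]


def enforce_retention(records, today: date):
    """The scheduled purge. Returns (records kept, anonymized trending rows, deleted ids)."""
    kept, trending, deleted = [], [], []
    for r in records:
        if is_expired(r, today):
            trending.append(anonymize(r))
            deleted.append(r.quote_id)
        else:
            kept.append(r)
    # Post-conditions: nothing kept is overdue, nothing in trending names a person.
    assert not audit_overdue(kept, today)
    assert all(IDENTIFYING_FIELDS.isdisjoint(row) for row in trending)
    return kept, trending, deleted


# Constructed sample records (placeholder identifiers, not real data).
SAMPLE = [
    QuoteRecord("Q-2005-0001", date(2005, 3, 10), "A. Person", date(1970, 1, 1),
                "VIN-PLACEHOLDER-1", "1 Example St", "ON", "sedan", 1240),
    QuoteRecord("Q-2012-0007", date(2012, 2, 29), "B. Person", date(1982, 6, 6),
                "VIN-PLACEHOLDER-2", "2 Example Ave", "ON", "suv", 1890),
    QuoteRecord("Q-2014-0042", date(2014, 9, 1), "C. Person", date(1990, 12, 12),
                "VIN-PLACEHOLDER-3", "3 Example Rd", "AB", "sedan", 960),
]

if __name__ == "__main__":
    run_date = date(2015, 3, 1)
    print("overdue before purge:", audit_overdue(SAMPLE, run_date))
    kept, trending, deleted = enforce_retention(SAMPLE, run_date)
    print("deleted:", deleted, "kept:", [r.quote_id for r in kept])
    print("trending rows:", trending)
```

Running the purge monthly, as the provider committed to, keeps the worst case at three years plus one month; the `audit_overdue` check is worth running on its own schedule as well, since the original problem here was not the policy but the absence of any process that verified records were actually leaving the system.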