Insurance company collected and used credit score for inappropriate purpose during auto insurance claims assessment process

PIPEDA Report of Findings #2017-003

March 14, 2017


Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Lessons Learned

  • Organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make consent meaningful, the purposes for the collection of the personal information must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
  • In order for consent to be valid, individuals must be able to understand the nature, purpose and consequences of the collection, use and disclosure of their personal information.
  • Failure to make a reasonable effort to ensure that an individual understands that collecting personal information is optional can render consent uninformed or meaningless.

Complaint

An individual complained that an insurance company did not explain why it was collecting his personal information, and collected and used his credit score without meaningful consent. The complainant further alleged that the company collected an excessive amount of personal information when it obtained his entire credit file from a credit reporting agency. The complainant also alleged that collecting a person’s credit score in the circumstances (i.e. an insurance claims process) would be considered inappropriate by a reasonable person.

Summary of Investigation

The complainant was in a car accident and filed a benefit claim with his auto insurance company. According to the complainant, the benefit claims advisor conducted an aggressive telephone interview and requested consent to collect and use the complainant’s credit score. While the complainant consented at the time, he later expressed discontent at having to provide his credit score. The complainant believes the consent was not meaningful because the advisor did not explain why the credit score was needed.

According to the insurance company, requests to collect credit scores are routine and agreeing to permit the insurance company to obtain credit scores is voluntary. The company pointed to its written policies and standard telephone scripts as evidence of its practices, explaining that obtaining credit scores helps detect and prevent fraud, which in turn helps control costs and keep insurance premiums low.

The complainant contacted a credit reporting agency, which informed him that the company had made requests for his credit score and credit file. Based on this information, the complainant believed the insurance company had collected his entire credit file —more than just his credit score — without consent. The company maintained it had only ever collected the credit score.

Outcome

Appropriate purpose

First, our Office assessed whether a reasonable person would consider it appropriate for the insurance company to collect and use a credit score for the purposes of preventing and detecting fraud during the auto insurance claims assessment process, as required under subsection 5(3) of the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Our Office considered various provisions from Ontario’s Insurance Act and Consumer Reporting Act (“CRA”).

The insurance company was not able to demonstrate to our Office that it had the legal authority to obtain credit scores as part of the auto insurance claims assessment process. While it maintained that it had a need for such information, it was unable to establish a “direct business need” for credit scores in this context, as required under the CRA; nor was it able to show how such scores are effective in preventing and detecting fraud during the claims assessment process. Therefore, our Office was unable to find that a reasonable person would consider such collection and use as appropriate, on the basis of the information before our Office.

Over-collection

Second, our Office considered if the insurance company over-collected the complainant’s personal information. The credit reporting agency advised our Office that it did not share the complainant’s full credit file with the insurance company. While the agency originally told the complainant that his entire credit file had been provided to the company, the agency later advised this was an error and only the credit score had been provided to the company. Although the complainant believed the company requested and received his entire credit file, our Office found no evidence to support this allegation.

Identifying purposes, meaningful consent and openness

  1. Identifying purposes

    Our Office considered whether the insurance company properly identified the purposes for collecting and using the complainant’s credit score. There was no direct evidence to demonstrate exactly what the insurance claims advisor said to the complainant during the telephone call. However, the insurance company’s records confirmed that the complainant responded “yes” to the scripted question seeking consent for collecting the credit score. The question, as scripted, explains the purposes for collecting a credit score. We also reviewed all notifications provided to the complainant through the car insurance process, including accident benefit forms and the insurance company’s privacy policy. After considering the evidence, our Office concluded the complainant had, in fact, been duly informed of the purposes for which the credit score would be collected and used.
  2. Meaningful consent

    Individuals must be able to understand what is being asked of them before they can consent. A federal court decision and a prior investigation of this Office have clearly established that consent is not informed if individuals are unaware that providing it is optional. The telephone script provided by the insurance company does not clearly indicate consent is optional. Therefore, the insurance company did not obtain meaningful consent from the complainant.
  3. Openness

    During the course of this investigation, our Office reviewed the insurance company’s written notification materials and identified certain shortcomings. For example, notifications do not identify the type of personal information that can be obtained from credit reporting agencies. The explanation of the purpose for collection (“to offer you insurance products and service that best meet your needs”) is not specific enough to help individuals understand how credit score information would be used. Moreover, employee scripts provide individuals who withdraw or refuse consent with inaccurate information. For example, the script specifies that the claim of an individual who does not provide consent to the collection and use of their credit score would be handled the same way as other clients, however, this is not accurate as such a claim would be handled differently. Our Office found the insurance company was not being open about its practices with respect to the collection and use of credit scores during the car insurance claims assessment process, contrary to Principle 4.8.1 of PIPEDA.

Response to recommendations

In response to our Office’s Preliminary Report of Investigation, the insurance company agreed to stop collecting and using credit scores for accident benefit claim assessments by the end of April 2017. The company also agreed to review its collection and use of credit score for other types of insurance, and for other purposes, and make changes, if necessary, by the end of June 2017, or if major IT system changes were necessary, by the end of December 2017.

Our Office was satisfied, that, once implemented, the above changes would meet our Office’s recommendations. Accordingly, our Office concludes that this matter was well-founded and conditionally resolved.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (“PIPEDA”)

  1. The complainant alleges that an insurance company (“Insurance Company”) collected and used his personal information without meaningful consent and did not identify the purposes for such collection and use when he filed an auto insurance claim. Specifically, he alleges that his consent for the collection and use of his credit score was not meaningful as it was provided during an aggressive interview without an explanation of the purposes for its collection.
  2. He also alleges that the Insurance Company collected personal information that was not limited to that which is necessary for the identified purposes. Specifically, he alleges that the Insurance Company requested and obtained his entire credit file from a credit reporting agency (“Credit Reporting Agency”) not simply his credit score, which he viewed as an excessive collection of his personal information.
  3. In addition, the complainant alleges that the Insurance Company’s collection of an individual’s credit score is for a purpose that a reasonable person would consider inappropriate in the circumstances. Specifically, he alleges that this collection of credit score is to determine the financial condition of the insured as part of a payout avoidance strategy.
  4. Our Office is unable to find that a reasonable person would consider the Insurance Company’s collection and use of credit score for preventing and detecting fraud during the auto insurance claim assessment process to be reasonable. In addition, while the Insurance Company informed the complainant of the purposes for collecting and using his credit score, our Office finds that the Insurance Company did not obtain meaningful consent from the complainant in light of its failure to advise that such collection and use was optional. Our Office further finds that the Insurance Company is not being open about its policies and practices with respect to the collection and use of credit score during the auto insurance claim assessment process.
  5. In response to our Office’s Preliminary Report of Investigation, the Insurance Company agreed to refrain from collecting and using credit score during the claim assessment process for auto insurance by the end of April 2017, and to conduct a review of its current procedures and processes for the collection and use of credit score for other types of insurance and for other purposes to ensure compliance with our Office’s recommendations, by the end of June 2017, or if major system changes are necessary, by the end of December 2017.
  6. Accordingly, our Office concludes that this matter is well-founded and conditionally resolved.

Summary of Investigation

Background

  1. After a motor vehicle accident, the complainant filed an accident benefit claim with his automobile insurance company (“Insurance Company”). According to the complainant, who lives in Ontario, the Accident Benefit Claims Advisor (the “Advisor”) conducted an aggressive telephone interview and requested consent to collect and use the complainant’s credit score without an explanation of the purposes.
  2. The complainant indicated that he consented to the request in order to “maintain peace and present a spirit of cooperation” but subsequently expressed his discontent at being required to provide consent for the collection and use of his credit score.
  3. In a letter, the Insurance Company apologized and explained that requesting consent for the collection and use of credit score was a routine question, and that the question’s script made it clear that the consent was voluntary.
  4. The complainant requested that the Insurance Company provide him with access to the personal information collected about him, including reports from credit reporting agencies.
  5. The Insurance Company responded to the complainant’s access request, but refused to provide him with his credit score.
  6. In response to a request, the Credit Reporting Agency provided the complainant with the following explanation for two inquiries made by the Insurance Company:

    [1st inquiry] – insured reported an automobile accident – consumer consent provided to the Insurance Company to obtain credit score – Per the Credit Reporting Agency, the file was found and provided;

    [2nd inquiry] (soft inquiry) – on-going relationship – credit score report ordered prior to policy renewal – Per the Credit Reporting Agency, the file was found and only the score was provided. [Emphasis added]

  7. On account of the differences between these two entries, the complainant believes that the Insurance Company requested and was given his full credit file for the second inquiry, instead of only his credit score.
  8. After expressing discontent to the Insurance Company for its refusal to provide him with his credit score, the Insurance Company provided him with his credit score. However, the complainant rejected that the Insurance Company had limited collection to his credit score, based on information obtained from the Credit Reporting Agency.
  9. In an email addressed to the Insurance Company, the complainant indicated that he had “granted consent for a FICO/CREDIT SCORE to be done. You exceeded your authority by pulling the complete file…” Moreover, the complainant indicates that it was not until several months after filing his insurance claim that he was advised that credit score information is used to “facilitate the claim and to prevent, detect and prosecute fraud”.
  10. The Insurance Company advised the complainant that his credit score was received electronically from the Credit Reporting Agency and it was not viewed by anyone at the Insurance Company until the complainant requested access to it.
  11. The Credit Reporting Agency confirmed to the complainant that the Insurance Company did not request or receive his full credit file during the first inquiry; rather it only received the complainant’s credit score. In response to why the complainant was not initially provided with a correct response, the Credit Reporting Agency advised that human errors of this nature were most regrettable and extended its sincere apologies.
  12. Dissatisfied with the responses, he filed a complaint with our Office against the Insurance Company.
A. Appropriate purposes
Previous OPC investigation
  1. Our Office previously examined the appropriateness of insurance companies using credit scores to assess risk and calculate premiums for home insurance during the underwriting processFootnote 1. In this previous investigation, our Office determined that assessing risk and calculating premiums is an appropriate purpose for collecting credit scores. In making this finding, our Office acknowledged that the Ontario government had made the public policy decision to allow credit reporting agencies to disclose an individual’s credit information to insurance companies for the purposes of assessing insurance risk during the underwriting stage through the enactment of paragraph 8(1)(d)(iv) of Ontario’s Consumer Reporting ActFootnote 2 (“CRA”). This paragraph states:

    8. (1) No consumer reporting agency and no officer or employee thereof shall knowingly furnish any information from the files of the consumer reporting agency, except,

    (d) in a consumer report given to a personFootnote 3 who it has reason to believe,

    (iv) intends to use the information in connection with the underwriting of insurance involving the consumer;

Information from the Insurance Company
  1. The Insurance Company informed our Office that the credit score does not influence the amount of claim payout a policy holder may receive.
  2. The Insurance Company introduced the use of credit score for Accident Benefit claims several years ago, after an investigation into the high instances of fraud in accident benefit claims, particularly in the Ontario market, with the growing trend of staged accidents, fraudulent suppliers and declining economic conditions.
  3. According to the Insurance Company, it uses a fraud detection model at the point of filing an accident benefit claim to triage claims. This is done in order to speed up the claim process, resulting in better experience for clients and focused efforts on higher risks, which leads to lower costs and lower premiums for its customers. Credit scores are one of many variables used in the fraud detection model. If certain thresholds are met, a Claims Advisor will be instructed to further investigate the claim’s legitimacy, without being told which factors triggered the need for additional investigation. The Insurance Company provided our Office with statistics to demonstrate the effectiveness of credit score in its fraud detection model.
  4. The Insurance Company submitted that a reasonable person would consider the collection and use of credit score for the purposes of detecting, preventing and prosecuting fraud, to be appropriate in the circumstances because it believes there is a correlation between low credit scores and increased fraudulent activity.
  5. While the Insurance Company could not cite any legislation that specifically allows the use of credit score for auto insurance claims assessment, it did point to subparagraph 8(1)(d)(vi) and subsection 8(2) of the CRA, which state:

    8. (1) No consumer reporting agency and no officer or employee thereof shall knowingly furnish any information from the files of the consumer reporting agency except,

    (d) in a consumer report given to a person who it has reason to believe,

    (vi) otherwise has a direct business need for the information in connection with a business or credit transaction involving the consumer, or

    8. (2) No person shall knowingly obtain any information from the files of a consumer reporting agency respecting a consumer except for the purposes referred to in subsection [8](1).

  6. It is the Insurance Company’s belief that it has a direct business need for credit scores in order to detect and prevent fraud, and to control costs and clients’ premiums. Moreover, according to the insurance company, obtaining a client’s credit score is to their clients’ benefit as it may result in a faster claim settlement.
  7. The Insurance Company advised that it is not aware of anything that prohibits the collection and use of individuals’ credit score as part of the auto insurance claim assessment process.
B. Over-collection
  1. In its representations to our Office, the Insurance Company confirmed that it only requested and received the complainant’s credit score from the Credit Reporting Agency. As part of our investigation, our Office contacted the Credit Reporting Agency to better understand the circumstances under which it provided the Insurance Company with the complainant’s credit information.
  2. The Credit Reporting Agency advised our Office that it did not share the complainant’s full credit file with the insurance company; it provided the Insurance Company with his credit score. It also advised that as a result of human error, the complainant was initially provided with inaccurate information, which suggested that the Insurance Company had requested and received his full credit file.
C. Identifying purposes, meaningful consent and openness
Information from the Insurance Company
  1. The Insurance Company confirmed that it collected the complainant’s credit score from the Credit Reporting Agency for the purpose of handling his accident benefit claim and determining if further investigation was required, and/or as a tool to detect and prevent fraud.
  2. In line with the Insurance Bureau of Canada (“IBC”)’s Code of Conduct for Insurers’ Use of Credit InformationFootnote 4, the Insurance Company seeks express consent from its clients for the collection and use of credit score, as follows:

    As a standard practice for our Accident Benefits claims, we would like your consent to obtain your current credit score. Collected information will remain confidential and will be used to facilitate your claim and to prevent, detect and prosecute fraud. Do I have your consent to do this?

  3. When a client refuses/withdraws consent with respect to accident benefit claims, advisors inform them as follows: “I respect your decision if you do not want to give us consent, and I will handle your claim the same way I do with other clients”.
  4. The Insurance Company submitted to our Office that the complainant’s response to the request for express consent was entered in the system as “Yes”. Accordingly, it is the Insurance Company’s belief that the complainant consented to the Insurance Company’s collection and use of his credit score, which was voluntary and not a condition of receiving the service.
  5. The Insurance Company advised that the initial call with the complainant was not recorded as its phone system at the time did not record all telephone calls. It further advised that the complainant’s credit score was not attached to, or part of, the complainant’s computer file or physical file accessible by the Advisor.
  6. The complainant also signed the standard claim form Application for Accident Benefits (“OCF-1”) for the motor vehicle accident, as well as a previous motor vehicle accident. This form advised the complainant that The Insurance Company will collect and use his personal information, either directly from the complainant or from any other person with the complainant’s consent, for the purposes of investigating and processing his claims, and preventing fraud, and detecting fraud where there are reasonable grounds to suspect fraud. Collecting and using credit information is not mentioned on this form.
  7. The complainant also subsequently signed an Authorization to Obtain and Disclose Information form, in order to have the same accident benefit claims advisor handle both of his accident benefit claims filed together. This form was witnessed by a Field Claims Advisor for the Insurance Company. By signing this form, the complainant consented to the Insurance Company obtaining from and exchanging information related to his claim from various parties, including credit reporting agencies. He was also informed that this consent was granted for the purposes of analyzing, assessing, investigating and processing his claim. The complainant advised that he did not recall signing this document.
  8. The Insurance Company’s Privacy Code, available on its website and upon request, states that the Insurance Company collects, uses and discloses a customer's personal information in order to process claims involving its customers and prevent, detect and prosecute fraud, among other purposes. It also advises that the Insurance Company obtains personal information primarily from its customers and it may also collect personal information from other external sources, including credit reporting agencies.
  9. Moreover, the Insurance Company included privacy messages in its policy documentation mailed to clients, for both home and auto policies that specifically mention the collection of personal information from credit reporting agencies.

Research

  1. Our Office reviewed research, which suggests that the general public may not be sufficiently informed about insurance companies’ use of their credit score. For example, a report by the Canadian Council of Insurance Regulators (“CCIR”) noted the following:

    One area where all [brokers] recognized they can do a better job was educating the public on the use of credit information. Brokers suggested that consumers are actively being harmed by their lack of knowledge around their credit scores in general as well as the part that their credit scores play in their insurance costs and that this is worsened by the lack of transparency from insurers on the effect of credit scores on the premiums they quote.Footnote 5

  2. In addition, a survey commissioned by the Insurance Brokers Association of Ontario (“IBAO”) in February 2012 showed that 78% of Ontarians were not aware that insurers were using credit scores for their home insuranceFootnote 6, while a consumer survey in Alberta in June 2010 commissioned by the Consumer Representative to the Automobile Insurance Rate Board (“AIRB”) found that 48% of consumers did not know if insurers were using their credit information.

Application

  1. In making our determinations, our Office applied Principles 4.2, 4.3, 4.3.2, 4.4, 4.4.1 and 4.8.1 of Schedule 1 of PIPEDA, as well as subsection 5(3) of PIPEDA.
  2. Principle 4.2 states that the purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
  3. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate. Specifically, Principle 4.3.2 states that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used, and to make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
  4. Principle 4.4 states that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Specifically, Principle 4.4.1 states that organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Organizations shall specify the type of information collected as part of their information-handling policies and practices, in accordance with Principle 4.8.
  5. Principle 4.8.1 states that organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort and this information shall be made available in a form that is generally understandable.
  6. Subsection 5(3) states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

Analysis

A. Appropriate purposes

Previous OPC investigation
  1. Our Office’s previous investigation acknowledged that the Ontario government had made the public policy decision to allow the disclosure of individuals’ credit information to insurance companies for the purpose of underwriting, by virtue of subparagraph 8(1)(d)(iv) and subsection 8(2) of the CRA.
  2. In contrast, the present investigation does not deal with underwriting insurance. At issue here is whether the Insurance Company’s collection and use of the complainant’s credit score for the purpose of preventing and detecting fraud during the auto insurance claim assessment process is appropriate.
Provincial legislation: The CRA and Insurance ActFootnote 7
  1. The CRA prohibits organizations from obtaining credit information except for certain limited purposes such as those related to: credit decisions, collection of a debt, employment decisions, underwriting of insurance, determining a consumer’s eligibility under a statute or regulation or any decision where there is a direct business need for the information in connection with a credit or business transaction involving the consumer. The development of a list of such purposes is likely demonstrative of the sensitivity of credit information.
  2. The Ontario Insurance Act does not allow the use of credit information, including credit score and credit rating, for the underwriting of auto insurance coverage for private passenger automobiles. Specifically, automobile insurance companies in Ontario are prohibited from using credit information in their risk classification system for automobile insuranceFootnote 8, and prohibited from using credit information and credit score to decline to issue, to terminate or to refuse to renew a contract of automobile insurance.Footnote 9 This is likely why credit information is not included in the consent language found in standard insurance forms approved by the Financial Services Commission of Ontario (“FSCO”).
  3. While the Insurance Act specifically prohibits the use of credit information for underwriting with respect to auto insurance, despite the fact that the CRA permits the disclosure of an individual’s credit information to insurance companies for the purposes of assessing insurance risk during the underwriting stage, both provincial statutes are silent on the use of credit information during the claim assessment process for auto insurance.
  4. The Insurance Company was unable to cite any legislation or regulation that specifically permits the practice of collecting and using credit scores for the purpose of preventing and detecting fraud during the claim assessment process. Instead, it claimed that such collection and use fell under “a direct business need for the information in connection with a business or credit transaction involving the consumer”, pursuant to subparagraph 8(1)(d)(vi) and subsection 8(2) of the CRA.
  5. While our Office acknowledges that the claim assessment process is “a business transaction involving the consumer”, the question is whether the detection and prevention of fraud during the insurance claim assessment process meets the standard of “a direct business need for [credit score]”.
  6. In the Bell Relevant Advertising Program (“RAP”) investigationFootnote 10, our Office’s interpretation of subparagraph 8(1)(d)(vi) and subsection 8(2) of the CRA was that targeted advertising did not meet the standard of “a direct business need for [credit score] in connection with a credit or business transaction involving the consumer”. We noted:

    We see such provincial legislation as reflecting the recognition that measures of credit worthiness, such as credit scores, are only to be used for certain limited purposes directly related to decisions with important financial implications for the consumer and the organization concerned. Bell’s use of credit score information to design targeted ads clearly extends beyond these recognized purposes. Given this, we see the use of credit score information for the purposes of the RAP as clearly inappropriate.

  7. While the Insurance Company may have a business need to detect and prevent fraud generally, the Insurance Company has not demonstrated that it has a “direct business need” for credit score to detect and prevent fraud as part of an auto insurance claim assessment process. Our Office believes that the Insurance Company’s interpretation of subparagraph 8(1)(d)(vi) and subsection 8(2) of the CRA is broad and as such, it does not provide a sufficient basis upon which a credit reporting agency can furnish, and an insurance company can obtain, an individual’s credit score information, during the auto insurance claim assessment process.
  8. [Omitted]
  9. On the basis of the information currently before our Office, including the statistics it has submitted, the Insurance Company has failed to demonstrate that the collection and use of credit score is necessary and effective in preventing and detecting fraud during the auto insurance claim assessment process.
  10. In light of the above, we are unable to find that a reasonable person would consider the Insurance Company’s collection and use of credit score for preventing and detecting fraud during the auto insurance claim assessment process to be reasonable, pursuant to subsection 5(3).

B. Over-collection

  1. Our Office also considered whether the Insurance Company limited its collection of the complainant’s personal information to that which was necessary for the purposes identified, namely, whether the Insurance Company requested or obtained more than the complainant’s entire credit file from the Credit Reporting Agency, as opposed to his credit score.
  2. Although the complainant strongly expressed the belief that the Insurance Company requested and obtained his entire credit file, there is no evidence to support this allegation. While the Credit Reporting Agency initially appeared to advise the complainant that his entire credit file has been provided to the Insurance Company, the Credit Reporting Agency later advised that this was an error.
  3. Without actual evidence of receiving more than the complainant’s credit score from The Credit Reporting Agency, our Office cannot find that the Insurance Company contravened Principles 4.4 and 4.4.1.

C. Identifying purposes, meaningful consent and openness

Identifying purposes
  1. The complainant claims that although he provided his consent for the Insurance Company to obtain his credit score, the Advisor did not identify the purposes for such collection and his consent was therefore not meaningful. First, our Office considered whether the Insurance Company identified the purposes for which they were collecting and using his credit score.
  2. To demonstrate its compliance with Principle 4.2 and 4.3.2, the Insurance Company provided our Office with the standard script used by its Accident Benefit Advisors when beginning an insurance claim. This script explains the purpose for which credit score is collected, namely, to facilitate the insurance claim and to prevent, detect and prosecute fraud.
  3. There is no direct evidence to demonstrate exactly what the Advisor said to the complainant during the initial phone call, as audio recordings were not a normal practice at the time; the evidence before our Office is the complainant’s allegation that the Advisor did not identify the purposes for which it was collecting his credit score and the Insurance Company’s records indicating that the complainant responded “yes” to the scripted question, which explains the purposes for collecting credit score. Accordingly, our Office is unable to conclude that the Insurance Company failed to identify the purposes for its collection of the complainant’s credit score.
  4. Also, as part of our investigation, our Office reviewed various instances where the complainant would have been informed of the purposes for which it collected and used credit score, including the IVR message used, the Authorization to Obtain and Disclose Information, the privacy messages in policy renewal documentation and the Insurance Company’s Privacy Code. These indicated that the Insurance Company collects and uses the personal information of its customers, obtained from them directly or from other parties, including credit reporting agencies, for the purposes of analyzing, assessing, investigating and processing claims, and preventing and detecting fraud.
  5. Our Office acknowledges that there is room for improvement in each of these notifications (discussed below under Openness). However, taking all of these notifications as a whole, in addition to the script used by the Advisor, our Office believes that the complainant was informed of the purposes for which his credit score would be collected and used. Accordingly, there is no evidence upon which our Office can find that the Insurance Company did not identify the purposes for which it collects personal information.
Meaningful consent
  1. It is now necessary to turn to the issue of whether the consent provided by the complainant was meaningful. While our Office has determined that the Insurance Company did not fail to inform the complainant of the purposes for the collection and use of his credit score, we find that it did not adequately inform the complainant that such collection and use was optional.
  2. While the Insurance Company submitted that the credit score question’s script made it clear that the consent was voluntary, the script, as written, shows “(Mandatory)” at the end of the question. Therefore, the language of the script as read to insureds does not clearly indicate that consent is optional. While the Insurance Company submitted that “(Mandatory)” means an Accident Claims Advisor must ask the question, this could also be construed as an indication to staff that consent to this question is required.
  3. In Englander v. Telus Communications Inc., the Federal Court of Appeal held that “[a] consent is not informed if the person allegedly giving it is not aware at the time of giving it that he or she had the possibility to opt out.”Footnote 11 This is consistent with PIPEDA Case Summary #142, where a bank’s failure to make a reasonable effort to ensure an individual understood that their Social Insurance Number was optional, resulted in a finding that the applicant could not have given meaningful consent.Footnote 12
  4. The Insurance Company failed to make a reasonable effort to ensure that the complainant understood that collecting credit score was optional, consistent with the expectations established in Principle 4.3.2. Accordingly, our Office finds that the Insurance Company did not obtain meaningful consent from the complainant, as stipulated in Principle 4.3.
Openness
  1. This investigation has allowed our Office to review some of the Insurance Company’s notification materials and we take this opportunity to highlight certain shortcomings, especially given research which suggests the lack of awareness by the general public of insurance companies’ use of credit score in general. For example, the IVR message used did not identify the type of personal information that could be obtained from “credit reporting agencies” – full credit information versus credit score – nor did it reasonably identify the purposes for which such personal information may be used – “to offer you insurance products and service that best meet your needs” is not specific enough to allow an individual to reasonably understand how such information may be used.
  2. Moreover, the Authorization to Obtain and Disclose Information form signed by the complainant, as well as the provisions of the Insurance Company’s Privacy Code and its privacy messages in its policy documentation, do not specify the type of personal information that could be obtained from “credit reporting agencies”. In addition, the script used by advisors/agents when a client refuses/withdraws consent with respect to the use and collection of credit score as part of an accident benefit claim, advises clients that their claim will be handled the same way as other clients, even though this is not the case.
  3. Accordingly, it is our Office’s finding that the Insurance Company is not being open about its policies and practices for the collection and use of credit score for the claim assessment process.

Preliminary Report of Investigation

  1. Our Office issued a Preliminary Report of Investigation on January 26, 2017, recommending that the Insurance Company:
    1. Refrain from collecting and using credit score during the claim assessment process for auto insurance, and provide our Office with confirmation that this practice has ceased, pending a final determination on the issue of appropriate purposes. While already given several opportunities to provide our Office with information with respect to this issue, we are willing to consider additional information in response to this report, including:
      1. the basis upon which a credit reporting agency can furnish, and it can obtain, an individual’s credit score information, during the auto insurance claim assessment process; and
      2. evidence to demonstrate that a reasonable person would consider the Insurance Company’s collection and use of credit score for preventing and detecting fraud during the auto insurance claim assessment process to be reasonable.
    2. To the extent that the Insurance Company collects and uses credit score for other types of insurance and/or for other purposes, ensure that:
      1. notifications to insureds identify the type of information collected, how it is collected and used, and the purposes for which it is collected and used;
      2. insureds are advised that providing consent to such collection and use is voluntary, where it is voluntary; and
      3. consequences for refusing to provide consent for such collection and use are explained to insureds. For example, it is not accurate to advise insureds that a claim will be handled the same as other insureds, when this is not the case.

Response to Preliminary Report of Investigation

  1. In response to our Office’s recommendations, the Insurance Company agreed to refrain from collecting and using credit score during the claim assessment process for auto insurance. It confirmed that this practice will cease effective the end of April 2017 with the implementation of required IT systems changes on or before that date.
  2. In addition, the Insurance Company agreed to conduct a comprehensive review of its current procedures and processes, in regards to its collection and uses of credit score for other types of insurance and for other purposes, to ensure that our Office’s recommendations in 73(b) are complied with prior to the end of June 2017, or if the comprehensive review reveals major system changes, prior to the end of December 2017.

Conclusion

  1. Our Office is satisfied, that, once implemented, the above changes will meet our Office’s recommendations. Accordingly, our Office concludes that this matter was well-founded and conditionally resolved.
Date modified: