The PIPED Act and its implications
Second Annual Regulatory Affairs Symposium of the Insurance Bureau of Canada
October 30, 2002
Privacy Commissioner of Canada
(Check Against Delivery)
I'm very pleased to have this opportunity to meet with you today. Your industry is one of the most important in our society. Our homes, our cars, and our businesses are woven into just about every aspect of our lives, and they all depend on our ability to insure them against various misfortunes.
We have an unusual relationship with our insurers. We often reveal more to them than we would to our very close friends. Your industry collects and handles vast amounts of our personal information, much of it extremely sensitive. People who surrender that personal information to you have to be able to trust you with it. That puts a very heavy responsibility on you. This industry has been exemplary in taking on that responsibility.
So I'm glad to be able to talk to you about the Personal Information Protection and Electronic Documents Act, or PIPED Act as we call it, and its implications for the insurance industry. The Act doesn't apply to insurers at present, except in some very limited ways. But either it or substantially similar provincial laws will apply to insurance companies as of 2004, so you'll want to prepare ahead of time.
Before I talk about the Act, though, let me tell you a little about the importance of privacy.
What is this "privacy" that I'm talking about? Why this increasing focus on its protection? Why has Parliament passed laws to protect it? And more to the point, why should we care about privacy?
To begin with, privacy is a fundamental human right, recognized as such by the United Nations. Indeed, it is the right from which all our other freedoms flow: freedom of speech, freedom of association, freedom of thought, virtually any freedom you can name.
To me, that's almost self-evident: How can we be truly free if our every move is watched, our every activity known, our every preference monitored?
But privacy is more than a fundamental human right; it's also an innate human need. When you go home at night, you probably close the blinds. It's not that you're trying to hide something. You just instinctively need your privacy, your freedom from being observed.
If you're on a bus or a plane, and someone starts reading over your shoulder, you probably feel uncomfortable. What you're reading isn't secret, it's just that your privacy is being invaded.
If you've ever had your home or even your car broken into, you'll know that the sense of intrusion, of having your privacy violated, can be even more painful than the loss of whatever was stolen.
And yet, almost every day, in some new and creative way, that innate human need, that fundamental human right, the right to privacy, is being chipped away. Sometimes the diminution is subtle, sometimes it's a full frontal attack. In either case, it is a challenge we must answer.
To do that, we must first understand that privacy is not just an individual right; it is a public good. It reflects decisions we have made as a people about how we will live as a society.
And because it is a shared value, all of us, collectively, must be responsible for its preservation.
It isn't a question of balancing the individual right to privacy against the interests of society. It's understanding that the interests of society include the individual's privacy and that we are, all of us, the loser if individual liberty is lost.
Privacy is, as Justice La Forest of the Supreme Court of Canada has said, "at the heart of liberty in a modern state."
Now let me turn to the PIPED Act, which I'm sure most of you are familiar with.
Those of you who aren't will be soon enough, because within the next couple of years, if you conduct commercial activities in Canada, either this Act or a substantially similar provincial one will apply to you.
That means that there will be important privacy challenges for property and casualty insurers. Personal information is the lifeblood of insurance.
Your industry collects, uses, and discloses personal information for all sorts of things: to evaluate the risk of insuring customers, to settle insurance claims, to control fraud, to track claims.
The personal information of policy applicants and policyholders can find its way into the hands of brokers, agents, service representatives, claims adjusters, investigators, the Insurance Crime Prevention Bureau (about which I'll have something to say in a moment), and the IBC's Insurance Information Division. That's quite a list, and I probably missed some. And personal information is sometimes collected from or disclosed to parties outside the industry, for example, to police or fire departments, witnesses, experts, or credit agencies.
I recognize that your collection, use, and disclosure of personal information is heavily regulated by provincial superintendents and other authorities. Their laws and guidelines all have an impact on how you collect information during the application process, how you craft your consent statements, and so on.
So I wouldn't be surprised if some of you are groaning at the thought of yet more laws applying to you. Maybe you are particularly concerned about conflict between insurance laws and regulations, on one hand, and the PIPED Act or a substantially similar provincial law on the other.
This may not turn out to be such a big problem. The PIPED Act is more likely to dovetail with insurance laws and regulations than to conflict with them. Where the Act requires something of you, and insurance laws and regulations are silent on it, there's no difficulty in following the Act. Obviously that's what you should do in that situation.
Where there really is a conflict between the PIPED Act and a provincial law or regulation, the same basic rule applies as in any conflict between federal and provincial law. All other things being equal, the federal law prevails.
I can understand why the prospect of more regulation concerns you, and particularly the prospect of reconciling provincial and federal requirements. You obviously don't want problems with provincial regulators, and you don't want to find yourself faced with privacy problems, and maybe privacy complaints.
But let me set you at ease by pointing out three things. The first two apply to any business covered by the PIPED Act. The third is not so common, and it sets the property and casualty insurance industry in the leading ranks of Canadian business.
The first is that the PIPED Act is built around the Canadian Standards Association's Model Code for the Protection of Personal Information. That Code, which is actually incorporated into the legislation, came out of a collaborative effort of government, consumers, and business groups, including the Insurance Bureau of Canada. So it reflects the realities of the business world, rather than some abstract Ottawa thinking.
The second is that, yes, if you're subject to the PIPED Act, you will be subject to oversight by me and my Office, but we're here to help business, not to hinder it. As I'll explain shortly, the Act is intended to ensure that your legitimate needs for personal information can be balanced with the fundamental privacy rights of individuals. My role in all this is to be an ombudsman, not an enforcer. I'm really only interested in finding solutions to privacy problems, not in finding someone to blame for them.
The third thing that should set your mind at ease, that should make compliance with the PIPED Act a pretty straightforward business, is that you've been at it for a while already. The Insurance Bureau of Canada has had a code of personal information practices for over five years now, one that's in compliance with the Canadian Standards Association's Model Code. Of course, the PIPED Act does go farther than the Model Code. It's stricter, for example, in limiting the situations where you can collect, use, or disclose personal information without consent. So you'll still need to look at the Act.
With that, let me move on to the Act's purpose, provisions, and application.
The Act is intended to balance individual privacy rights with the needs of businesses to collect, use, and disclose personal information.
The heart of it is the Canadian Standards Association's Model Code for the Protection of Personal Information, which you're familiar with. The basic outlines of the Act look like this:
If you're an organization covered under the Act and you want to collect, use, or disclose personal information about people, you need their consent, except in a few specific and limited circumstances.
You can use or disclose people's personal information only for the purpose for which they gave consent when you collected it.
Even with consent, you've got to limit your collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.
Individuals have the right to see the personal information that you hold about them, and to correct any inaccuracies.
There's oversight, through me and my Office, to ensure that the law is respected, and redress if people's rights are violated.
I mentioned that there are specific and limited exceptions to the basic rule that you need consent to collect, use, or disclose personal information. One of those exceptions involves investigating a breach of an agreement or a contravention of law. A related exception allows an investigative body specified in the regulations to obtain personal information from an organization, and to disclose personal information back to it, without consent. One of the two investigative bodies that the government has specified is the Insurance Crime Prevention Bureau.
That means that when insurance companies suspect fraud or have reason to believe that a particular claim is suspicious, they can ask the Insurance Crime Prevention Bureau to investigate. The Bureau can carry out its investigation-check into its databases, or talk to other companies, for example-and report back to the insurance company. Neither the insurance company nor the Bureau has to get the individual's consent for any of that, provided it relates to investigating a breach of an agreement or a contravention of law.
It's worth noting, however, that both the insurance companies and the Insurance Crime Prevention Bureau will still have to comply with all the other requirements of the Act. Of course the insurance industry isn't generally subject to the Act until January 1, 2004. I expect that the Bureau will adjust to the requirements of the Act pretty well, judging from what I've seen with the banking industry's investigative body. It's been covered under the Act all along, and I haven't yet had the occasion to deal with a complaint concerning it.
Right now, the Act applies to all personal information, including personal health information, that's collected, used, or disclosed in the course of commercial activities by federal works, undertakings, and businesses. That's primarily banks, airlines, telecommunications companies, broadcasters, and transportation companies. It also applies to the personal information of employees in those organizations. And it applies to personal information that's held by provincially-regulated organizations when it's sold, leased, or bartered across interprovincial or international boundaries.
Beginning in January 2004, the Act will apply right across the board-to all personal information collected, used, or disclosed in the course of commercial activities by all private sector organizations, except in one special circumstance.
The special circumstance is this. In provinces that have passed privacy legislation that's "substantially similar" to the PIPED Act, the federal government can exempt all or part of the provincially-regulated private sector from the application of the Act, for commercial activities that take place within the province's boundaries. The Act will continue to apply to federal works, undertakings, and businesses in all provinces. And it will also continue to apply to personal information when it's collected, used, or disclosed across interprovincial or international boundaries.
So those are the broad outlines of the Act. I'll come back to this question of substantially similar provincial legislation in a moment, but first let me briefly describe what I do.
I'm an independent Officer of Parliament, with two major aspects to my mandate.
The first is oversight. That includes investigating and adjudicating complaints under the PIPED Act and the Privacy Act, which is similar legislation that has already applied to the federal public sector for almost twenty years.
In my oversight role, I'm an ombudsman. That means I'm there to find solutions, not to blame or punish people.
I do have full investigative powers, of course. I can order the production of documents, enter premises, and compel testimony. But in almost twenty years of overseeing the Privacy Act, which covers the federal public sector, I and my predecessors have never had to use these powers, because we've always been able to get voluntary cooperation. I very much hope that the same will be the case with the new private sector legislation.
If I find that an organization is violating privacy, I'll recommend how the problem can be fixed.
I don't have order-making powers. But I do have instruments at my disposal to ensure that privacy rights are respected and my recommendations are not ignored.
If an organization refuses to comply, I can make the problem known publicly, and then rely on public opinion to move things forward.
Or I can ask the Federal Court to order compliance, and even to award damages to people whose privacy rights have been violated.
The second major aspect of my mandate is education and promotion. Under the PIPED Act, I have a mandate to educate Canadians about their privacy rights and promote respect for privacy.
I mentioned a moment ago that the PIPED Act will apply to all commercial activities as of 2004, except where a province passes substantially similar legislation. You may be wondering what "substantially similar" means, exactly. That brings me to what's actually a third aspect of my mandate, to review and comment on provincial privacy legislation and the degree to which it's substantially similar.
I'll interpret "substantially similar" as meaning equal or superior to the PIPED Act. I'll be looking for, at a minimum, the ten principles of the CSA's Model Code. I'll look particularly closely at consent, the reasonable person test, access and correction rights, oversight, and redress. Provincial privacy legislation will have to be as strong or stronger than the PIPED Act in those areas to be considered substantially similar.
The upshot of this will be that the principles of the PIPED Act will be part of the business environment throughout Canada. Many of you may have brought your practices into line with them already. That's probably about more than just a concern to be in compliance. My guess is that it's because you recognize that respecting and protecting privacy is a significant element of competitive advantage. You know that your customers want privacy, your employees need it, and, most importantly, your competitors are going to provide it.
Nothing this important is easy. It takes time and attention, and resources.
Part of my job is to help you with your efforts to respect privacy. I encourage consultation between my Office and the business community, and I've met with many business organizations, including the Insurance Bureau of Canada. We've undertaken a lot of initiatives to help businesses. We've produced a business guide and a backgrounder to the Act, for example, and a number of fact sheets. Summaries of all my findings under the Act are put up on our Web site to help you with interpretation.
This leads me to several recent findings that I made on complaints about the use of personal information for secondary marketing purposes. I think you'll find that they're worth looking at, because they should provide some guidance for using opt-out consent.
Before discussing some of the points that come out of those findings, let me say a few words about consent.
Consent is simple enough: if you want to collect, use, or disclose someone's personal information, you need their permission. That simple concept is fundamental to privacy. Most of the important provisions of the PIPED Act relate to consent.
The Act recognizes that there are different ways consent can be given, and that consent doesn't have to be explicit in absolutely every case. But like most privacy advocates I believe that explicit consent should be used wherever possible.
And like most privacy advocates, I'm not a fan of opt-out consent, where someone who wants to collect, use, or disclose our personal information gives us the option to say we don't want them to. If we don't take them up on this offer to opt out, they proceed as though they have our consent.
As a general rule, this puts the onus on the wrong party. Someone who wants to use my personal information should seek my permission. Telling me that I've consented and leaving it to me to object: that's pretty poor privacy.
And I think it's also bad for business. You show respect for your customers by inviting them to actively opt in to something, not by requiring them to opt out of it or suffer the consequences.
My suggestion to you would be, if you want to satisfy the expectations of your customers, use opt-in: be up-front about what you're doing. If your customers are likely to approve of what you want to do with their personal information, they'll be gratified if you show them the respect of asking them anyway. There's a competitive advantage in being known as a company that respects privacy.
But I recognize that sometimes opt-out consent makes sense, if you're marketing to your existing customers, for example.
If you do decide to use opt-out consent, you'll want to be careful to do it in the most privacy-respectful way. This leads me to some of the points that you might want to draw from my recent findings on secondary marketing uses of personal information.
The PIPED Act requires you to tell your customers, at the time you're collecting their personal information, why you're collecting it, and how and why you'll use and disclose it. You need to state those purposes in clear, plain language, language that's understandable to ordinary consumers.
Any secondary purposes should be specific, limited, and clearly identified. If the purpose of disclosing personal information is to allow direct marketing, you should say so.
There has to be adequate detail for consumers to appreciate the nature and extent of what's going to be done with their personal information. You should be very clear about the items or types of information that you intend to use or disclose, the parties to whom you intend to disclose information, and the purposes for which you intend to do it. Say it in clear, plain language, so that your customers can easily understand what it is they're consenting to.
Don't rely on documents that aren't actually provided to the customer, that they have to find on their own initiative. And don't rely on fine print buried in a long document.
You should advise customers clearly that uses for their personal information like direct marketing are optional, and make it easy for them to understand how they can opt out.
Opting out itself should be easy, immediate, and inexpensive. A check-off box on application forms is a good way to allow people to opt out. If for some reason that's not feasible, an alternative would be to provide an explicitly identified 1-800 number.
Make sure that your uses of personal information are clear to customers who deal with you in person and in any medium: in writing, on line, or by telephone. And make sure that customers receive the same information by telephone as they do in writing or electronically. If you use a telephone script (instructions to your representatives on how to explain to customers how you use and disclose their personal information), make it a good one. Make sure that it states the purposes for information collection and makes clear that customers have an option to withdraw consent.
When you tell your customers that you'll be disclosing their personal information for secondary marketing purposes, it really helps if you clarify your business relationship with the recipients, whether they're your affiliates, subsidiaries, or partners, for instance. You don't want to be asking for consent to disclose to unspecified future "others."
In one complaint there was a concern that a company didn't identify the members of the group of subsidiaries among whom information would be shared. Now, I know that sometimes membership in a group of subsidiaries is changeable. Where that's the case, it may be impractical to provide an exhaustive listing of current members in a standing privacy document.
But the company named in this complaint still made the effort to inform customers of the types of organizations in its group of subsidiaries, and offered to provide a list of its group's current membership to any customer asking for one. I was favourably impressed by that, and I'd recommend it.
And of course respecting privacy works to your benefit. I have to say, I've seen occasions where it looks like a company is using opt-out consent as a way of sneaking something by the customers. I presume that's driven by some short-term vision of the bottom line. But I think that, if a company is genuinely concerned about the bottom line, it should resist that temptation. There's a distinct competitive disadvantage in being known as a company that violates privacy.
I've been talking about this today from the perspective of someone who is mandated to protect privacy.
But if I can put myself in your shoes, let me also present it from a business perspective.
An organization is not going to get far sneaking something by its customers, relying on opt-out consent because it isn't confident that opt-in will give it what it thinks it needs. If customers won't accept it when it's made clear to them, you shouldn't do it. To put it bluntly, maximizing profits by violating a fundamental human right is a recipe for disaster.
And, anyway, why would any marketer want a list of potential customers made up of people who may not want to be marketed to? That's not going to be a very useful list of prospects.
The whole reason organizations collect and analyze personal information is to find out who is going to want their products and promotions. The key to that is getting people's solid, affirmative consent to the use of their personal information.
If people don't trust businesses, if they see businesses twisting consent or unjustifiably inferring it, they'll undermine the system. They'll refuse to give information, or give false information. They'll swamp companies with complaints. They'll reject things that might be of benefit to them, out of sheer anger and frustration and resentment. And they'll look for competitors who do respect their privacy.
So, once again: the competitive advantage goes to the firm that respects privacy. Good privacy is, in the end, good business.
These are some of the important implications of Canada's privacy law for you as businesspeople. Let me just conclude by saying that I look forward to working with you in the months and years ahead, and I and my Office are always here to help.