Presentation to the Canadian Life and Health Insurance Association
2006 Joint Annual Conference of the Compliance Section and Consumer Complaints Officers Section
May 11, 2006
Niagara Falls, Ontario
Address by Patricia Kosseim
General Counsel, Office of the Privacy Commissioner of Canada
(Check against delivery)
If you were to ask Canadians about the type of personal information most sensitive to them, many would likely place health and financial information near the top of the list. The life and health insurance industry carries a heavy burden when it comes to protecting the privacy of that information.
Personal health and financial information is necessarily your stock-in-trade. You know all too well that privacy breaches - particularly involving personal health or financial information - can quickly destroy an organization’s hard-earned reputation. The climb back up from such a fall can be a long and arduous one, having significant impact on the company's operations.
In June 2005, the Office of the Superintendent of Financial Institutions (OSFI) issued the results of its review of the reputation risk management practices of certain federally regulated financial institutions. OSFI called on institutions to recognize their reputation as a strategically important asset and to prioritize the efforts needed to strengthen the effectiveness of their reputation risk management practices. As a result of recent corporate scandals, regulatory bodies and the public are placing more and more focus on business practices, ethics and integrity. Managing risk to reputation is about much more than strict technical compliance with legal, accounting and regulatory requirements. It's about developing a corporate culture of ethics and integrity and demonstrating a personal commitment to those values at the most senior executive levels.
If we were to apply OSFI's findings more specifically to our present context, I suppose the message would be this: managing the risk of damage to corporate reputation that can result from a privacy breach will take more than strict, technical compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). It takes an approach which is based on business ethics and integrity and which is committed to upholding not only the letter, but the spirit of the PIPEDA principles.
Let me give you three examples of what I mean.
First, consent. PIPEDA, as you know, is a consent-based statute. It requires consent for the collection, use and disclosure of personal information in the course of commercial activity. The prevailing view might be, therefore, that as long as the consent clause is worded broadly enough, this will technically and legally permit a wide range of future collections, uses and disclosures under the terms of the insurance policy. Truly free and informed consent however, is more than this. It is more than a one-time, wide-open, blanket signature on a consent form. Informed consent is a dynamic process that involves keeping individuals actively aware - on an ongoing basis, using understandable language, and in a transparent manner - of what you intend to do with their personal information and for what purpose. It is about allowing them the opportunity to receive further explanations to the extent that they wish and to ask questions or challenge assumptions – particularly in relationships of unequal bargaining power.
Second, collection. PIPEDA allows the collection of personal information that is necessary to fulfill the purposes consented to. But when insurance companies describe the purpose as broadly as they do, then I suppose almost anything could be argued to be necessary. And, from the perspective of the individual, when their choices basically boil down to having insurance or not, it's hard to argue back. So the important question, beyond one of technical legal compliance, is whether the purported collection of personal information is really necessary to evaluate an application and/or assess a claim, or whether the information is being collected out of sheer habit or established past practice. I suspect that an internal review of many Canadian organizations – both public and private – would uncover reams of personal data that are not necessary to the mandate of the organization. Is the health and life insurance industry any different, or is it as prone as other sectors of the Canadian economy to ask for and accumulate personal information that may be only marginally relevant at best? Perhaps the time has come for you to take a far more critical look at your existing databases and truly question the collection practices that led to their existence.
Third, accountability. To give meaningful effect to this principle, PIPEDA requires organizations to implement policies and practices and train their staff accordingly. I suppose some could take the view that distributing a few brochures, including a page or two in the orientation package for new employees or talking about privacy generally at general staff meetings, should be sufficient to check off this box in order to comply technically with PIPEDA. However, you would be surprised to know just how many privacy complaints we get based on simple employee error and poor judgment. Investing in good privacy training is time and money well spent. Do employees appreciate what's really at stake, not only in terms of clients' individual interests, but also in terms of the organization's business interests? Do they understand the underlying spirit and intent of fair information management principles so that they are able to exercise judgment in situations that may not have come up explicitly as examples in their training program or been covered chapter and verse in their procedure handbook? Do they work for organizational leaders who demonstrate a concrete commitment to privacy protection and promote a culture that is respectful of persons' rights? Do they feel that they can blow the whistle on colleagues or managers who are non-privacy compliant without fear of reprisal?
While I stress that strict, technical compliance with the letter of PIPEDA is not, on its own, enough for an organization to successfully manage the risk to its reputation that may result from a privacy breach, I would also stress that PIPEDA is the minimum floor to stand on. It is important to build that floor right so that it is solid enough to uphold the privacy rights of individuals that are so vital to a free and democratic society, while also supporting the feasibility of commercial activities that are so vital to a prosperous and vibrant economy.
The Canadian Life and Health Insurance Association (CLHIA) has been involved for many years in discussions about how their member organizations can most responsibly address privacy issues in the life and health insurance industry, and we hope this involvement will continue. As you know, PIPEDA is scheduled for legislative review this year, and we would invite you to participate in the debates that will take place in this regard.
Based on our experience with PIPEDA to date, we have identified what we think are important questions that need to be addressed in the upcoming discussions this fall. We do not know if we have identified all of the right questions yet, let alone the right answers. We are in the process of developing a consultation paper to guide our discussions with organizations and consumers about the focus of the PIPEDA review. This paper should appear on our web site by late May, and we will be consulting stakeholders as appropriate. We are looking forward to hearing your views.
For the purposes of today's presentation, I have assembled a preliminary – and I stress preliminary – list of these questions. Given time constraints, I will describe only some of them today.
Ombuds versus enforcement role: Depending on the jurisdiction, privacy and information commissioners in Canada may have order-making powers or be given the role of ombudsmen. During the upcoming review of PIPEDA, Parliament will no doubt consider if an order-making power would make our federal Office more effective in promoting and enforcing better personal information handling practices in the private sector. This is a decision of some importance. Any change to the Commissioner's powers would likely impact the structures, processes, resourcing and prioritization of other activities of our Office, such as mediation, education, investigation and auditing, for example. An order-making power would likely also reshape the role of the OPC vis-à-vis the Federal Court. At this time in the evolution of PIPEDA, however, the Privacy Commissioner has concluded that this may not be the best time to introduce an order-making power. Many implementation challenges relating to PIPEDA in its present form need to be addressed before moving to a different model. For example, currently available tools, such as Commissioner-initiated complaints, audits and court review, should be more pro-actively deployed in order to fully benefit from what the existing PIPEDA has to offer.
Duty to report: About two dozen US jurisdictions impose on organizations the duty to report – or "notify" – security breaches involving personal information. Bills are pending in several other states and at the federal level. The question we now need to ask is whether Canadian law should contain similar notice requirements, and if so, what qualifications might be needed. Should qualifications be considered, based on an ascertainment of risk or gravity for instance, to avoid trivializing the effect of notifications over time by diluting the more important notices amidst a flood of others that may not be necessary or even appropriate? Should conditions be articulated to guide how notifications should be implemented in different circumstances, to avoid causing potentially more harm than good to the individuals concerned? And should notification be made directly to the individuals concerned, or should it be made to an appropriate regulatory body or credit bureau instead, for determination of how the situation should be handled to minimize the risk of identity theft or fraud?
Due diligence in transfer of business assets: Currently, there are no provisions in PIPEDA that would allow an organization to disclose personal information without consent to a prospective buyer or business partner for the purpose of a due diligence assessment and determination of whether or not to proceed with the transaction. By contrast, other laws, such as Ontario's health privacy legislation and the Alberta and British Columbia data protection laws, would allow such disclosures, subject to stringent confidentiality agreements. We have also noted limitations in how PIPEDA, as it currently stands, can address complaints regarding the transfer of personal information after the sale of a business, particularly when individuals wish to withdraw their business from the new organization but record-keeping requirements oblige the new organization to keep the personal information of clients for a regulated period of time. Both these sets of issues need to be addressed in the review of PIPEDA.
Collection without consent: Section 7(1)(e) was added to PIPEDA as a result of the passage of the Public Safety Act, 2002. This provision allows non-consensual collection of personal information and disclosure by an organization to law enforcement and national security agencies. The broad wording of this provision causes serious concerns. It applies to any organization subject to PIPEDA and has the undesirable effect of deputizing the private sector to carry out law enforcement activities without the corresponding public accountability. It does not limit the amount of information that can be collected without consent, nor does it place any limits on the possible sources of information.
Employer-employee relationships: The collection and use of personal information of employees covered by PIPEDA is another area of concern. Complaints that arise in the employer-employee relationship have been some of the most complex and challenging ones our Office has had to deal with in the last five years. One question that is repeatedly raised when applying PIPEDA in this context is whether an employee's consent to the collection and use of their personal information in the workplace, which their employer requires as a condition for continuing employment, can be considered truly voluntary consent. Unilateral decisions by the employer to introduce video-surveillance cameras, GPS systems or biometric security systems are some of the examples we see of a growing trend towards increased workplace surveillance for multiple purposes, including security, product safety, performance management and/or business efficiency. Both Alberta's and BC's private sector Acts have a distinct provision that allows personal employee information to be collected without consent under certain conditions, including reasonableness. Perhaps an equivalent concept should be considered in the PIPEDA review.
As I noted at the outset, the financial and health information on which your industry depends is among the most sensitive types of personal information, and individuals care very deeply about it. For them, having the ability to control what is done with that information is a way of giving meaningful effect to their fundamental right of integrity and autonomy. For you, protecting their personal information is probably a greater challenge than for most other organizations regulated by PIPEDA. What is at stake is the privacy of individuals, which they regard as one of their most cherished rights, and your business reputation, which is one of your most precious assets.
This is not just a matter of complying with the strict technical requirements of PIPEDA as it exists now, or as it may exist after the legislative review. What I have tried to impress upon you today is the importance of considering more than this. It is about privacy responsibilities that should form part of the higher-level goals of integrating ethics and integrity into your modern reputation risk management strategy, and of promoting and concretely demonstrating a corporate culture founded on respect for persons.