FREQUENTLY ASKED QUESTIONS (FAQs) ABOUT THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA)
Following are some Frequently Asked Questions (FAQs) about the privacy provisions of the federal Personal Information Protection and Electronic Documents Act (PIPEDA). As of January 1, 2004, the PIPEDA applies to all P&C brokers in Canada not otherwise subject to “substantially similar” provincial legislation. The following information is intended for the general information and guidance of insurance brokers, and does not constitute specific legal advice. It should be read concurrently with the Privacy Toolkit which was prepared by the Insurance Brokers Association of Canada, and is available from your provincial or regional insurance broker association.
DOES THE ACT APPLY TO MY BUSINESS? IF SO, WHEN?

Q. Do I have to comply with the provisions of the Act if I live in a province that already has “substantially similar” legislation in place, for example Québec?
A. Yes. If a province passes a law that is substantially similar to the federal Act, the brokers in that province will be exempted from the federal law for collection, use or disclosure of personal information within that province only. The federal Act will continue to apply to all interprovincial and international collections, uses or disclosures of personal information, a situation that applies to many brokers.
Q. Does the Act provide for any grandfathering?
A. No. Organizations must ensure that all data is compliant from the time the Act first applies to the personal information or the organization. However, a complaint may not be made against you for actions taken before being subject to the Act.
WHAT IS PERSONAL INFORMATION? WHAT INFORMATION IS SUBJECT TO THE ACT?

Q. Do the consent and other provisions of the Act apply to the preparation of an industry directory, whether in hardcopy or website form, containing contact information such as the name, address and phone number of businesses?
A. No. Under the Act, personal information means information about an identifiable individual. A business is not an identifiable individual.
Q. What if the same directory contains basic employee information?
A. No, the Act still does not apply. Under the Act, personal information does not include the name, title, business address or business telephone number of an employee of an organization. In other words, information that would normally appear on a business card, or that can be found through publicly available sources such as the telephone book, is not covered by the Act.
Q. Is the information collected and handled for the purpose of offering a home or automobile insurance policy to an individual subject to the Act?
A. Yes. The Act applies to organizations that collect, use or disclose personal information in the course of commercial activity. Personal information is defined as “information about an identifiable individual.” For insurance brokers, personal information will include things such as a client’s age, marital status, medical, criminal, employment or financial history, numerical identifiers such as the Social Insurance Number and driver’s licence number, and evaluations such as credit and driving records.
Q. Is data collected for the purpose of offering a commercial insurance policy, which doesn’t include any personal information, covered by the Act?
A. No. However, the provision of a commercial insurance policy that requires handling any information about an identifiable individual is subject to the Act. For example, providing a commercial insurance policy for a fleet of vehicles requires handling the personal information of the drivers of those vehicles (e.g. their licence and driving record information), and is thus subject to the Act.
WHEN TO COMPLY: PRACTICAL SITUATIONS

Q. A broker transfers personal information to an insurer or data processing unit in another country. Is that broker subject to the Act?
A. Yes. The broker is subject to all the provisions of the Act. This includes obtaining the client’s consent for the collection, use and disclosure of their personal information.
Q. A broker sends personal information to an insurer in the same province. That insurer in turn transfers the information to another province. From the perspective of the broker, will the information be deemed to have been disclosed intra-provincially or extra-provincially? (Important for brokers subject to “substantially similar” provincial privacy legislation.)
A. Intra-provincially. However, the insurer who then transfers the information to another province is subject to the PIPEDA. This may have implications for the broker who originally collected the personal information.
WHEN TO OBTAIN CONSENT

Q. Does an organization, whether a brokerage or an association, that gives a membership or employee list containing personal information to an outside service provider (e.g. for health plan coverage) have to obtain the consent of the concerned individuals before doing so?
A. Yes. The Act applies to the collection, use or disclosure of personal information in the course of commercial activity. “Personal information” is defined as “information about an identifiable individual” (e.g. age, marital status, employment and medical history, etc.), while “commercial activity” means any course of conduct that is of a commercial character, including the selling, bartering or leasing of membership lists. Information provided to a health insurance provider would certainly be personal in nature and thus subject to the consent and other provisions of the Act.
Q. If a business must obtain personal information from an individual as a condition of employment (e.g. driver’s licence and record), must it also get his/her consent to provide that information to a broker for the purpose of insuring the business?
A. Yes. The individual must be informed of the purpose for which his/her information is collected, used and disclosed (e.g. to hire, to insure, etc.), and consent to that purpose. Unless fraud is suspected, the consent of the individual should also be obtained to collect their personal information from a driver’s abstract. Preferably, that consent should be in writing.
Q. In providing a commercial insurance policy for a business with drivers, is it safe to assume that I have the consent of the drivers to handle their personal information, given that a licence to drive is a condition of their employment by the business?
A. No. Ideally, the express written consent of each of the drivers should be obtained before handling their personal information. However, depending on the number of drivers involved, there may be situations where it is impractical to do so. In those cases, consent from each of the drivers could be obtained orally and noted in the file. Alternatively, you could obtain the consent of the contact person at the insured business to use the drivers’ personal information. If doing so, however, you must satisfy yourself that the contact person is acting in a legal and fair manner.
Q. Can I use my P&C insurance client database to cross-sell my business’s other products and services?
A. No. Personal information can only be used or disclosed for the purposes for which it was collected. If a brokerage is going to use the information for another purpose, consent must be obtained again. For example, the client information used to provide automobile insurance cannot then be used to sell life insurance without the client’s consent.
CONSENT: EXCEPTIONS

Q. Do I need the client’s consent to collect or disclose personal information in connection with a fraud investigation?
A. No. There are a number of exceptions to the Act’s consent and access requirements, including those relating to fraud investigations.
Q. Do I need to obtain client consent to disclose his/her personal information to a collection agency?
A. No. Disclosure of personal information without consent is permitted in certain specific circumstances, including for the purpose of collecting a debt owed by the individual to the organization.
APPLICATION OF THE ACT AND CONSENT: A PRACTICAL EXAMPLE IN CHRONOLOGY

Q. Do the consent and other provisions of the Act apply to personal information that was collected, but neither used nor disclosed, before the legislation came into force?
A. No. The Act does not cover personal information that was only collected before the Act came into force. However, the Act will apply to any subsequent use and disclosure of that information, regardless of when it was collected.
Q. For example, the year before the Act came into force, a broker collected personal information without consent from a client for the purpose of providing an automobile insurance policy. At that time, the information was disclosed to an insurer who underwrote the policy. In a subsequent year, the broker will want to “shop the policy around” to other insurers in order to obtain a better rate. Will the consent of the individual be required to do so?
A. Yes. Although the information will have been collected before the Act applied, the consent of the individual will be required to disclose the “old” information to potential “new” insurers. The other provisions of the Act will also apply.
Q. If the client is satisfied with the “new” insurer, will express written consent be needed for every renewal?
A. No. If you are simply renewing an insurance policy at the client’s request, it is reasonable to assume that there is an implied consent to use the existing information.
SAFEGUARDS

Q. Should brokers lock the filing cabinets that contain their clients’ personal information?
A. Yes. The Act stipulates that security safeguards must protect personal information against loss or theft as well as unauthorized access, disclosure, copying, use or modification. For physical files, the Act specifically suggests measures such as locked filing cabinets and restricted access.
Q. To what extent should a brokerage with a website capable of handling personal information (e.g. credit card numbers) go to protect itself from “hackers”?
A. Assume that all personal information is sensitive and seek to achieve the highest level of security. For personal information held in electronic format, the Act suggests methods of protection that include the use of passwords and encryption. The standard by which you will be judged, however, will not be one of perfection but one that a reasonable person would consider appropriate in the circumstances.
ACCOUNTABILITY

Q. Who is responsible for personal information, whether in electronic form or otherwise, sent from a broker to a third party such as an insurer?
A. The broker. Organizations are responsible for personal information that has been transferred to a third party for processing. While it is not possible to control the behaviour of third parties, you must give yourself reasonable assurances that the insurer or other party receiving the information is complying with the Act.
Q. How can brokers protect themselves in their dealings with third parties such as insurers and adjusters?
A. Brokers must use contractual or other means to provide a comparable level of protection while the information is being processed by the third party. For example, if you are sending a client’s personal information to an insurance company, you should obtain written confirmation that it is complying with the Act. You should also ask for the name of the company’s Privacy Officer and a copy of its written policies on the protection of personal information. Ensure that those policies provide a comparable level of protection and, where possible, obtain those assurances in writing.