Navigating Privacy Legislation

Privacy may not have been the only topic on the table at the Insurance Bureau of Canada (IBC) Regulatory Affairs Symposium, but by the end of the day it became clear that insurers are going to have to make it a priority. The Personal Information Protection and Electronic Documents Act (PIPEDA) was passed in 2000, but does not apply to insurers until 2004. There has been a sense of comfort around the industry’s readiness to comply with the act, but new debates are surfacing over what constitutes using information for purposes “a reasonable person” would deem appropriate, and what constitutes “adequate consent”.

PIPEDA is Canada’s response to European common market standards, and is based on the Canadian Standards Association code of conduct. Under PIPEDA, the commissioner’s “extensive powers” include the right to search and seizure and the ability to order companies to change their business practices or ask courts to impose financial penalties. The commissioner can also “out” companies who fail to comply with his orders.

ISSUES OF CONSENT

The overriding issue will be what constitutes “consent” to collect, use and disclose personal information and the IBC’s privacy committee has been looking at an industry standard. A “privacy notice” is being put forward as the means to obtain consent, based on the belief that property and casualty insurance companies can rely on implied, versus expressed, consent. Obtaining expressed consent may be difficult in an industry that uses large amounts of personal information and often takes information over the phone, such as in claims adjusting.

However, some companies have balked at the privacy notice, saying how insurance companies handle information is “already in the customer’s mind”, says committee member Angela Shaffer, general counsel and vice president for Royal & SunAlliance Canada. “This may be a defensible position, but it is not one I would advise,” she warns.

Still, the privacy notice may not go far enough, says William Charnetski, partner at Torys. He notes that the current privacy commissioner has shown no tolerance for negative option privacy policies. Another bone of contention is what the notice should contain, notes Vivian Bercovici, vice president of legal and public affairs and corporate secretary for The Dominion of Canada. “It has been a bit of a minefield and it remains unresolved.”

Shaffer notes that consent requires specific knowledge of what uses the information will be put to. But what constitutes a “reasonable” or expected use of information is up for grabs. Does this include marketing measures such as cross-selling, and would this change if cross-selling is based on the client’s income?

While some high profile companies such as Air Canada and Canada Post have been taken to task for privacy violations, no one has yet appealed a decision to determine how the courts will interpret the legislation, adds Charnetski. Despite the confusion, Shaffer advocates making a decision soon. “If we are all able to send it [the privacy notice] out with renewal notices, by the time we are required to comply with PIPEDA, all our clients will already know how we are going to collect, use and disclose their information.”

From the broker perspective, the implied versus expressed consent debate was heard, says Robert Carter, CEO of the Insurance Brokers Association of Ontario (IBAO). The association has accepted “implied” as reasonable consent and believes that current guidelines already in place “fall well within” this standard. Now brokers will be addressing security measures and the need for a privacy officer in each brokerage as being their prime issues.

REASSURANCES

The presence of the current privacy commissioner, George Radwanski, at the symposium may have offered some comfort to insurers. Radwanski recognized the industry’s past “exemplary role” in handling personal information and notes that the new legislation is “more likely to coincide than to conflict” with provincial insurance regulations. “My role is to be an ombudsman, not an enforcer,” he comments. The legislation “reflects the realities of the business world and not some abstract Ottawa thinking”.

However, if insurers were hoping for a “green light” on their privacy notice, Radwanski made it clear he will not prejudge such things. His comments on consent may not seem encouraging, however. “Explicit consent should be used whenever possible and I’m not for opt-out consent…that puts the onus on the wrong party. Telling me I’ve consented and then leaving me to object, that’s bad privacy practice and I also think it’s bad business.”

LIFTING THE BURDEN

Beyond privacy, insurers showed concerns at the meeting over what IBC CEO Stan Griffin calls the “confusing, costly and unnecessary burden” being placed on the industry by over-regulation.

As part of a study for the IBC, Neil Parkinson, partner at KPMG, notes that the 2002 Insurance Companies Act is 86.5% bigger than the 1994 version. With mergers, legislative reviews, new international standards and the like, the burden continues to grow. The irony is that p&c insurance poses much less risk than many other financial services and by comparison, insurers have received the least amount of complaints to the Office of the Superintendent of Financial Institutions (OSFI) since 1998.

Parkinson estimates the base cost of regulation is about $160 million, although this could go as high as $500 million when different agencies are taken into account. He proposes more dialogue, clear justification for new and existing regulations and streamlining efforts amongst regulators. Griffin says the IBC also supports the risk-based approach used by OSFI, and is looking for what he calls “smart supervision”, that requires companies to recognize public policy issues but still gives room for difference and creativity.

Saskatchewan superintendent Jim Hall says the Canadian Council of Insurance Regulators (CCIR), of which he is chair, is making streamlining a priority. However, when the CCIR sought proposals for regulatory harmonization, “as you can imagine, the proposals were varied and sometimes conflicting”. He recognizes the work done by IBC on regulatory burden and says, “what we need now are specific proposals.”

Regulators are also focusing on financial strength as the market faces difficult times, says Michael Hafeman, assistant superintendent in OSFI’s specialist support sector. “You may notice more attention on our part now and in the near future – hopefully not in the long term.” More than one-third of companies are losing money and capital adequacy margins have declined from 25.5% in 2000 to 20.6% by the end of June this year. “Many companies are below industry averages and even below that 10% [capital adequacy] target,” he notes.