On June 18, 2015, the Digital Privacy Act received Royal Assent and is now law in Canada. The Act amends PIPEDA in a number of ways, but there are three major changes that insurers need to know about:
Organizations must make sure they are using a valid consent for the collection, use or disclosure of personal information. What constitutes a “valid consent” might not be as obvious as it might have been before the amendments.
Organizations can now disclose personal information without the knowledge or consent of an individual for the purposes of preventing, detecting or suppressing fraud; and
Organizations can now, for certain purposes, collect, use and disclose, without the knowledge or consent of an individual, personal information contained in witness statements related to insurance claims.
As discussed below, the disclosure amendments should alleviate some privacy concerns/obstacles that have plagued the insurance industry over the years, while the valid consent issue will likely cause some new headaches.
What is Valid Consent?
Sections 6 and 7 of PIPEDA deal with an individual’s consent to allow organizations to collect, use, and disclose the individual’s personal information. Section 4.3 of Schedule 1 of PIPEDA stipulates that the knowledge and consent of an individual are required for the collection, use, or disclosure of personal information, except where inappropriate (such as by legal obligation, best interests of the individual, etc.).
The Digital Privacy Act adds a new section 6.1 to PIPEDA, which places an important condition on consents:
6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
This means that a claimant’s executed consent is valid only if the individual providing the consent fully understands the potential consequences of providing their personal information to the insurer. In the insurance claims world, companies deal with a wide array of individuals, some of whom are sophisticated while others are not. It now appears that insurers will have to tailor their consents to suit the individual whose private information they will be seeking to collect, use, or disclose.
Gone are the days when an insurer can rely on a “one size fits all” consent to collect, use, and disclose a claimant’s medical records. Insurers might have to take into account the claimant’s age, education level, first language, etc. before asking them to sign a specific consent.
Moreover, insurers might have to review all of the existing consents that they have on open files to determine whether they are still valid in the circumstances. It might be safer for insurers to send new consents on every open claims file, first making sure that the particular claimant would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
Is your head hurting yet?
Disclosure for Fraud
This is likely the most welcomed PIPEDA amendment for the insurance industry. Section 7 (3) of PIPEDA deals with disclosure without an individual’s knowledge or consent, and provides a number of instances where such disclosure is allowed. The Digital Privacy Act adds a number of other instances allowing such disclosure, including disclosure:
(d.2) made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;
Previously, insurers were not allowed to share information with other insurers (and in many unfortunate and misguided cases, with other departments within their own companies), without obtaining the consent of the person they suspected was committing a fraud. Section 7 (3)(d.2) should allow different insurance companies to exchange information with each other for the purpose of investigating and combatting fraud.
For example, in any given car accident there might be a number of passengers who each have accident benefits claims with different insurance companies. Where one or more of the insurers suspect a fraudulent claim involving one or more individuals, that insurer can now contact another insurer to see whether they have any information that could identify or substantiate fraudulent claims.
Insurers should embrace this amendment and proactively work with other companies if they are presented with a potentially fraudulent claim.
Information in Witness Statements
How often have we tried to investigate the cause of an accident by obtaining witness statements from third parties, only to find out that the names and contact information of the witness (or other witnesses) have been redacted?
The Digital Privacy Act adds a new section 7 (3)(e.1), which allows an organization to disclose personal information without the knowledge or consent of the individual if the disclosure is:
(e.1) of information that is contained in a witness statement and the disclosure is necessary to assess, process or settle an insurance claim;
This provision should allow police departments or other investigative bodies to disclose witness statements to insurers (or their lawyers) without fear of breaching PIPEDA. Whether they actually disclose that information is another story.