A perspective on Canada’s new privacy legislation

January 2004 is the deadline for compliance with Bill C-6, the new set of ground rules for how the private sector must manage the personal information they collect about employees.

The intent of the Personal Information Protection and Electronic Documents Act (Bill C-6) is to balance an individual’s right to privacy with an organization’s need to collect, use or disclose personal information for legitimate business purposes.

Canada’s life and health insurers have long recognized the need for the proper stewardship of personal information — the trust of clients is extremely important. That is why the Canadian Life and Health Insurance Association adopted right to privacy guidelines in 1980, well in advance of most Canadian industry groups. However, as with any new legislation, there will be some bumps along the road toward compliance.

Privacy legislation at a glance

The new federal act comes into force in three phases. Since January of this year, it has applied to personal information (excluding personal health information) that is collected, used or disclosed by federally regulated sectors, such as banking, telecommunications and transportation businesses On Jan. 1, 2002 it will include personal health information collected, used or disclosed by these organizations.

The act will extend to all employers and insurers on Jan. 1, 2004 (although many organizations, including insurers, are working toward early compliance).

The act is based on 10 guiding principles for fair information practices that businesses must follow. They are:

1) Accountability: organizations are responsible for the protection of personal information that is under their care.

2) Identify the purpose: organizations must identify the purposes for which personal information is being collected, at or before the time of collection. They must also identify any new purpose for the information after it has been collected and obtain consent before using it.

3) Obtain consent: personal information can only be collected, used or disclosed with the informed consent of the individual. Should an individual choose not to provide consent, he cannot be penalized for this decision. For example, an employer cannot withhold benefits or refuse employment if an individual refuses to provide consent to share his benefit claims information with the employer.

4) Limit collection: only information necessary for the identified purposes may be collected, and this must be done by fair and lawful means.

5) Limit use, disclosure and retention: information can be used and disclosed only for the identified purposes, and should be kept only as long as necessary to satisfy these purposes.

6) Be accurate: the information maintained by an organization must be accurate, complete and as current as necessary for the identified purposes.

7) Use appropriate safeguards: organizations must put safeguards in place to protect information from loss or theft, and to prevent unauthorized access, disclosure, copying, use or modification of information.

8) Be open: privacy policies and procedures must be easily understood and readily available to those making inquiries.

9) Give individuals access: individuals have the right to know about the existence, use and disclosure of their personal information within or by an organization, as well as the right to access that information.

10) Provide recourse: organizations must develop simple and accessible complaint procedures, and inform complainants of other avenues of recourse (the Privacy Commissioner, for example). Penalties under the act are stiff, with maximum fines ranging from $10,000 for summary conviction offences to $100,000 for indictable offences.

Toward compliance

As the insurers’ obligation under the act becomes clearer, a number of questions have surfaced.

In terms of group insurance, several issues have arisen regarding the act’s consent requirements. For example, insurers require personal information about plan members, and they solicit the plan members’ consent to use that information through authorizations on forms such as enrolment and claim forms.

However, if a plan member requires benefit coverage for children, do insurers require consent from these children once they reach the age of majority (between 16 and 18, depending on the province of residence or even at a younger age)? In many cases, children to whom this would apply are often away from home attending college or university. Logistically, the implications for collecting these consents are enormous.

How do insurers word the consent sections of benefit forms? Should they be able to use information for any purpose that isn’t expressly stated in the form? For example, when plan sponsors and consultants engage in activities like claim audits and reviews in an insurer’s office (to assess quality of claim processing), do insurers require the express consent of every plan member whose claims are reviewed?

Another area of concern is disclosure. In the past, many reports that insurers provided to plan sponsors and their consultants contained personal information including plan member names or employee identification numbers.

This is now prohibited by law without consent. Even without plan member names or identification numbers, there is often enough information that could lead to identification of a plan member. For example, where a group (or division of a group) is very small, information in the report may unintentionally identify certain individuals simply based on the plan sponsor’s knowledge of the group.

Insurers find themselves in a difficult position. On the one hand, insurers have to help plan sponsors manage their benefit plans and their costs. They and their consultants need information to do that. On the other hand, legislation requires insurers not to share an individual’s personal information without consent.

In the absence of consent from all members, several insurers are going in the direction of “scrubbing” their reports of information that has the potential to identify individuals. However, there has been some resistance from within the industry. As a result, plan sponsors and consultants who are used to receiving this information are left looking for alternatives in terms of how they can continue to assess the effectiveness of their benefit plans.

Also, some might argue that the insurance industry is not required to comply with the new act until January 2004. However, that is only true of those provinces that don’t already have provincial privacy legislation in place. British Columbia, Manitoba, Quebec and Saskatchewan already have such legislation in place, and others including Ontario have draft legislation under way.

A third area of the legislation that raises questions is the whole issue of accountability. An organization can introduce policies and practices to look after the personal information in its care, but in some instances, the information must also be passed along to a third party, for example a drug card provider, for processing. That puts additional responsibility on insurers to ensure the information is protected by the third party, since under the act, the organization that initially provided the information will be held accountable. While privacy agreements exist with many business partners of insurers, there will now be a need, to enter into privacy agreements with all organizations to whom information is regularly provided.

An ongoing effort

It is hardly surprising that major legislation like this would cause concern for affected organizations. That is why the act does not require full compliance until 2004. Early indicators, however, suggest that many Canadian life and health insurers are working toward early compliance.

Rob Hiscock is vice-president, group marketing at Halifax-based Maritime Life Assurance Company. He can be reached at (902) 453-7482.

Latest stories