In 2004, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) came into force across Canada to regulate how private organizations collect, use and distribute personal information in the course of business. Last year, PIPEDA was amended by Senate Bill S-4 (the Digital Privacy Act) in some important ways.
As a general rule, organizations require the informed consent of an individual before collecting, using or disclosing his or her personal information. PIPEDA has always provided certain exceptions to this rule, in the interests of balancing privacy rights with facilitating business and justice. One such exception allows organizations to disclose personal information without the consent of that individual to an investigative body in situations where the organization has reasonable grounds to believe that the information relates to a breach of contract or unlawful activity.
Regulations specifying investigative bodies
Previously, to take advantage of these non-consensual disclosure privileges, an investigator had to be designated as an “investigative body” in accordance with the Regulations Specifying Investigative Bodies. This regulation contained a list of regulatory and professional organizations, such as private investigators and insurance adjusters.
An investigator had to pay for an application to Industry Canada to be designated an “investigative body” and be approved to enjoy the benefit of PIPEDA’s exemptions. This requirement was unduly onerous and redundant for many of the applicants. The investigative body concept implemented by PIPEDA was generally unworkable. As Jill Paterson, Private Policy Analyst for the Commerce Branch of Industry Canada stated:
“[N]ot only is the existing regulatory process for designating Investigative Bodies cumbersome and onerous to small and medium-size organizations, but the existing consent provisions do not allow for the detection and prevention of fraud.” (Canadian Privacy Law Review, vol 7, no 12.)
The Digital Privacy Act amendments
On June 18, 2015, the Digital Privacy Act came into force, amending PIPEDA in three ways that are fundamental to the insurance and investigations industry:
- disclosure of personal information to other organizations without consent
- collection, use, and disclosure of personal information in witness statements without consent
- breach notification
Disclosure of personal information to other organizations without consent
In recognition of the unfeasible “investigative body” designation process, Parliament repealed the concept as part of the Digital Privacy Act. Organizations may now disclose personal information without consent to another organization in certain circumstances, provided two criteria are met. First, the disclosure must be reasonable for the purposes of either investigating a breach of an agreement or a contravention of a law that has been, is being, or is about to be committed, or detecting or suppressing fraud or preventing fraud that is likely to be committed. Second, it must be reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation or the ability to prevent, detect or suppress the fraud.
Under these new disclosure rules, the onus of confidentiality is always on the custodian of the personal information. For example, Insurer A may ask Insurer B for information, but Insurer B is under no obligation to disclose it. With this new scheme, networking, knowledge of the law, and the papering of files in one’s care will be crucial to effective investigations and information transfers.
Witness statements in insurance claims
With the Digital Privacy Act amendments, an organization may collect, use, and disclose personal information without an individual’s knowledge or consent where:
- that information is contained in a witness statement; and
- the disclosure is necessary to assess, process, or settle an insurance claim.
Breach reporting, notification, and recordkeeping
The amendments to PIPEDA will require organizations to report to the Office of the Privacy Commissioner (“OPC”) “breaches of security safeguards” that pose a “real risk of significant harm” to affected individuals. PIPEDA will further require the organization to notify affected individuals of the breach, and to keep a record of all breaches involving personal information and to provide copies of these records to the OPC upon request. This provision has not yet come into force.
The definitions section of PIPEDA has been updated to correspond with this language, such that “breach of security safeguards” refers generally to data breaches, and “significant harm” now includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, and identity theft. Furthermore, when assessing whether a real risk of significant harm exists, organizations will need to consider factors such as the sensitivity of the information involved and the probability that the information was or will be misused, among others.
Organizations will be required to notify the affected individual, and any other organization or governmental institution they believe may be able to reduce the risk of harm or mitigate it, as soon as possible after a breach. For example, a retailer could notify a credit card-issuing bank or law enforcement agency regarding relevant data breaches. The consent of individuals would not be required for such disclosures.
With respect to enforcement of these requirements, organizations that knowingly fail to report to the OPC or notify affected individuals of a breach that poses a real risk of significant harm, or that knowingly fail to maintain a record of all breaches, could face fines of up to $100,000.
However, until these provisions come into force, breach reporting will remain voluntary. The OPC urges organizations to report breaches by visiting the OPC’s privacy breaches reporting webpage and notifying affected individuals where appropriate in accordance with the OPC’s breach notification guidelines.
Powers of the OPC and State Farm v Canada (2010)
A complainant or the OPC may apply to the Federal Court for a hearing regarding a matter complained about or referred to in the report the Commissioner issues after her investigation. In 2010, the Federal Court issued a decision which clarified the limits on the OPC’s authority to intervene in private investigations.
In 2005, a State Farm-insured driver from New Brunswick, Ms Vetter, was involved in a collision with Mr Gaudet. Gaudet advised Vetter and State Farm that he would be commencing legal action against them. In anticipation of that action, State Farm placed Gaudet under covert surveillance. Before initiating his personal injury claim, Gaudet made an access request to State Farm, pursuant to PIPEDA, for all of his personal information that it had collected, including any covert surveillance and accompanying reports. State Farm denied Gaudet’s request on the grounds that PIPEDA did not apply. Gaudet then lodged a complaint with the OPC, alleging that State Farm was in breach of PIPEDA by refusing him access to personal information that it had collected without his consent. State Farm then commenced an application in the Federal Court seeking a declaration that the OPC did not have the statutory or constitutional authority to investigate, make recommendations or otherwise act upon the complaint of plaintiffs such as Gaudet.
The Federal Court rightly noted that the pivotal issues in this case concerned the interpretation of the phrase “commercial activity” in PIPEDA and the “constitutional authority of Parliament to make PIPEDA applicable beyond the operations of federal works, undertakings or businesses”. State Farm argued that PIPEDA only regulates commercial activity in the private sector and that the legal action between State Farm and Gaudet fell outside PIPEDA’s jurisdiction.
The Federal Court ruled that the OPC has “no special expertise in the interpretation” of PIPEDA, which entrusts the Federal Court with that authority.
The Court ruled that the collection of evidence in a tort action such as this does not constitute “commercial activity” for the purposes of PIPEDA, nor could that have been the intention of Parliament, because PIPEDA exists to balance the competing interests of privacy and access to necessary information. Accordingly, the Federal Court ruled that investigation and covert surveillance reports are not subject to PIPEDA and fall outside the OPC’s jurisdiction.