A better definition of consent for release of personal information is one of many changes industry and advisor organizations want made to the Personal Information Protection and Electronic Documents Act.
Industry Canada will conduct five-year review hearings later this year. A date has not been set, but, in pre-paration, the federal Office of the Privacy Commissioner, which administers PIPEDA, released a discussion paper this summer and asked for comments.
PIPEDA applies to all organizations engaged in commercial activities, unless Ottawa exempts an organization or activity because the province in which it occurs has similar legislation. To date, British Columbia and Quebec are the only provinces with such legislation.
“Consent” is not specifically defined under PIPEDA. As a result, a broadly worded consent clause arguably will permit collection of a wide range of information — so-called “blanket consent,” the OPC notes in its discussion paper.
Steve Howard, CEO of Advocis, says there may be cases in which more defined consent would be preferred: for example, when individuals are in relationships of unequal bargaining power, there may be pressure to provide blanket consent.
In a Sept. 14, 2006, letter to the OPC, Howard cites the research Advocis released earlier this year that stated 42% of respondents did not believe they had consented to being contacted by their bank about other products and services.
He also notes the complications facing insurance advisors: “The consumer may wish to grant blanket consent to an agent but only limited consent to a financial institution involved in a transaction. There may be a need to clarify the applicability of consent to a third-party product manufacturer or distributor.”
Some argue refinement of consent is unnecessary and that many consumers would not want to be asked for consent for every instance of collection, use or disclosure of personal information.
“If you get too specific, you will have to go back to the individual every time there’s a transaction,” says Frank Zinatelli, vice president and associate counsel with the Canadian Life and Health Insurance Association, backing the idea that people don’t want to be repeatedly asked for consent. “We need a more balanced approach. Some broad consent should be permitted.”
The Canadian Bankers As-so-ciation also argues against refining the definition. In its comments to the OPC, the CBA says: “If a bank indicates it would like to use [a client’s personal] information to market products and services of its subsidiaries, including mortgage, investment and securities firms, and the customer consents, the customer should not be surprised to receive marketing information from the bank’s subsidiary.”
The CBA recommends permitting disclosure “when release of information would be in the individual’s or the public’s interest.” It points to suspected elder abuse, noting when bankers think clients are withdrawing money from their accounts “under pressure from a person accompanying them,” current law prevents the bank from disclosing this to authorities or other relatives.
BENEFICIARIES’ INFORMATION
Other issues that will be raised in the review include:
Collection Of Third-Party Information. Sara Gelgor, vice president of regulatory affairs at Advocis, says when an advisor is developing a financial plan and discussing beneficiaries under a will, it would be useful to collect certain personal information about the beneficiaries, such as residence and date of birth. Alberta’s legislation provides an exemption in these circumstances, she notes.
Buying And Selling Books Of Business. PIPEDA does not have a provision that deals with the protection of personal information when a business is dealing with a prospective purchaser or new partner. The information may be needed for a “due diligence” evaluation of the business, the OPC notes.
In Alberta and B.C., legislation allows disclosure of personal information, subject to stringent confidentiality agreements. All personal information must be returned if the sale doesn’t go through, says Susan Allemang, director of regulatory affairs for the Independent Financial Brokers of Canada.
If a sale occurs, some clients may not want their information transferred as part of the deal. The OPC paper suggests individuals could be notified of the transfer or be allowed to “opt out” of being part of the transfer.
Howard says an exception to PIPEDA restraints should be available when a book of business changes hands. He urges the privacy commissioner consider appropriate restrictions or “what sort of after-the-fact notification may be recommended.”
@page_break@Legislation should permit inter-provincial acquisitions, when the provinces involved have legislation similar to PIPEDA, says Allemang. “The home province’s legislation would govern,” she says.
Notification Of A Security Breach. Only Ontario’s health information privacy legislation requires notifying affected individuals when a security breach occurs. The OPC is asking if a similar obligation should be part of PIPEDA.
OPC Powers. The OPC asks whether its powers should be strengthened beyond the current ombudsman model. The OPC has the power to make a complaint, conduct an audit and disclose information about an organization’s personal information management practices, but cannot make orders or draft amendments to PIPEDA.
The CLHIA says the system is working well: “If there is a move away from the ombudsman model, the act would have to be changed.” The CBA agrees. Giving the OPC sharper teeth would affect the role of the Federal Court of Canada, the judicial arbiter of breaches of federally administered legislation, the CBA says, and this type of drastic change should be left until the 2011 PIPEDA review. IE
Consent for personal data up for review
Scheduled five-year review of PIPEDA to consider third-party information, privacy when buying books
- By: Stewart Lewis
- October 3, 2006 October 3, 2006
- 09:33