The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, October 21, 2005
The Office of the Privacy Commissioner has just posted to its website a finding related to a complaint filed by an insured under an automobile policy who was looking for information about a claim that has been filed by a third party related to damage to a motor vehicle. Though the insurer settled the claim, the insured disputed whether she was at fault.
The insurer refused to provide the insured with access to the particulars of the claim because, in its view, it contained personal information about the claimant. That information, it argued, could not be disclosed without consent under PIPEDA. The insurer attempted to get this consent and was not able to do so.
The insured enlisted the help of the province's superintendent of Insurance but to no avail. She then complained to the Privacy Commissioner that she was denied access to her personal information under Principle 9 of PIPEDA.
The Privacy Commissioner concluded that the third-party personal information should have been severed from the records and the remainder provided to the insured:
Commissioner Findings - PIPEDA Case Summary #314: Insurance company denies access to personal information in statement of claim (August 9, 2005)Application: Principle 4.9 states that upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. An exception to access is included in subsection 9(1), which states that an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.
In making her determinations, the Assistant Privacy Commissioner deliberated as follows:
- Based on her review of the statement of claim in question, the Assistant Commissioner was of the opinion that some of the information in the statement of claim was the complainant personal information.
- While she noted that the statement also contained the third party claimant's personal information, this information could be severed in the manner described in subsection 9(1), and the complainant personal information provided to her.
- As this had not been done, and instead the complainant was denied access to the entire document, the Assistant Commissioner determined that the insurance company had denied the complainant access to her personal information, contrary to Principle 4.9.
The Assistant Commissioner concluded that the complaint was well-founded.
I have some questions about this that are not dealt with in the published finding. First, it refers simply to the "statement of claim". If it is a statement of claim filed in a lawsuit, it's a public document that the complainant can get in other ways and you can likely imply consent to its disclosure. Secondly, and perhaps more importantly, is that the finding does not address any aspects of agency between the insurer and the insured. The insurer is simply the agent of the insured. The information collected and held by the insurer is done on the behalf of the insured. Using principles of agency, the information (arguably) is constructively held by the insured herself. The insured would have the ability and right to that information under agency principles, regardless of PIPEDA. I don't know if this argument was ever raised before the Assistant Commissioner, but I'd be interested to see whether it would fly.
Labels: information breaches, pipeda findings, privacy
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.