
Protection of personal information: reminders and new concepts

Publication date: August 28, 2023

The protection of personal information is a matter of concern for a growing number of consumers and businesses alike. To meet the challenges that come with technological advancement and increasing data leak risks, the Quebec government has modernized its Act respecting the protection of personal information in the private sector (1994) by adopting the Act to modernize legislative provisions as regards the protection of personal information (often referred to as Law 25).

Some of the legislative provisions of the new version of the Act respecting the protection of personal information in the private sector (ARPPIPS) came into force on September 22, 2022, while others will come into effect in 2023 and 2024. This article reviews certain basic privacy concepts and describes the new concepts introduced by the law that affect the practice of certified professionals.

The ARPPIPS applies to businesses and individuals (including damage insurance certified professionals) that collect, hold, use or disclose personal information relating to another person.

What constitutes personal information?

According to section 2 of the law, “personal information is any information which relates to a natural person and directly or indirectly allows that person to be identified.”

Examples of personal information:

 
Identification information

  • Name
  • Address, email and cellphone number
  • Social insurance number
  • RAMQ card and driver’s licence numbers
  • Report from the Fichier central des sinistres automobiles or the Société de l’assurance automobile du Québec

Financial information

  • Credit file and rating
  • Banking information
  • Credit and debit card numbers

Health information

  • Prescribed medications
  • Content of medical records
  • Medical expert report

 

Which personal information may be collected?

Only personal information that is considered necessary for achieving the purposes of collection (that is, the objective or reason for which the information is collected) may be collected [1]. Within the meaning of the law, information is necessary if it is required to achieve these purposes. It must therefore be indispensable, essential and of primary importance—not merely useful.

What is personal information in the insurance industry?

All client files (subscription, renewal or claim files) contain personal information. Notes taken by a firm’s employees can also be considered personal information, as can an investigation report and conclusions on the causes of a loss occurrence, or a report on the surveillance of a policyholder by a private investigator.

New concept: sensitive personal information

Among the new concepts in the ARPPIPS is the introduction of “sensitive” personal information. Paragraph 4 of section 12, which comes into force on September 22, 2023, stipulates that:

For the purposes of this Act, personal information is: 
[…]
(2) sensitive if, due to its nature, in particular its medical, biometric or otherwise intimate nature, or the context of its use or communication, it entails a high level of reasonable expectation of privacy. (our emphasis)

Although isolated pieces of information may seem harmless, the context in which they are used can make them sensitive. For example, in specific contexts, first and last names can become sensitive information that can cause prejudice should they be disclosed, as was the case in the theft of data from the extramarital dating site Ashley Madison in 2015 [2].

Because a great deal of personal information (particularly sensitive personal information) is collected in the insurance industry (for example, financial and medical information), it is important for businesses to adopt and maintain appropriate policies and practices. In particular, these policies should set out the roles and responsibilities of employees (including certified professionals) throughout the life cycle of personal information, in addition to establishing physical and IT security measures and different levels of access to information. In other words, each employee should only have access to the information that is necessary for them to perform their work.

Note that the law applies to all personal information, whatever:

  • The nature of its medium
  • The form in which it is accessible, whether written (email, text message), taped (recorded telephone conversation), graphic (photograph, video file), computerized (file), or other

Because personal information is increasingly stored electronically, training, knowledge and best practices in the use of information technology (document backup, file sharing, electronic transfer and data segregation) are also important.

Want to brush up your information protection skills for the digital age? Take the short “Information protection” course on EduChAD.

 

What are the obligations of claims adjusters and damage insurance agents or brokers under the ARPPIPS and the new provisions of Law 25?

Your primary responsibility in this regard is to protect personal information throughout its entire life cycle. The best place to start to abide by your obligations is to know and apply your business’s policies and practices pertaining to the protection of personal information, including cyber security practices.

Your code of ethics also sets out your obligations regarding the confidentiality of information gathered in the course of your work.

Sections 23 and 24 of the Code of ethics of damage insurance representatives and sections 22 and 23 of the Code of ethics of claims adjusters stipulate that any personal or confidential information obtained from a client must be kept confidential and used only for the purposes for which it was obtained. A certified professional must not disclose the information obtained other than in accordance with the law, nor use such information to the detriment of the client or with a view to obtaining a benefit.

 

Other new concepts

The following is an overview of the new concepts arising from the amendments to Law 25 that impact your professional practice.

1. The concept of consent: increased transparency and simple, clear language

The concept of consent has been the cornerstone of the law since it was adopted in 1994.

Consent must be:

  • Clear: the person’s consent must be clear and unequivocal
  • Free: the consent must be given voluntarily, without pressure or coercion
  • Informed: the individual must understand what they are consenting to, hence the importance of formulating the request in clear and simple language
  • Given for specific purposes: the consent must be given for a specific purpose in order to achieve a specific result
  • For a fixed or determinable period: the consent is valid only for the time necessary to achieve the purposes for which it was requested

Law 25 reinforces and clarifies the terms of consent and the explanations that must be provided to obtain it, with an emphasis on transparent communication. As stipulated in section 14 of the law, whose amendments come into force on September 22, 2023:

Consent under this Act must be clear, free and informed and be given for specific purposes. It must be requested for each such purpose, in clear and simple language. If the request for consent is made in writing, it must be presented separately from any other information provided to the person concerned. If the person concerned so requests, assistance must be provided to help him understand the scope of the consent requested.  (Bold blue text shows amendments to the law.)

Each of the purposes for which information and consent is requested must be explained in clear and simple terms [3].

2. Express consent

As mentioned above, the concept of “sensitive personal information” was introduced by Law 25. The collection, use and disclosure of such information to third persons requires consent to be given expressly [4].

Express (explicit) or implicit consent?  

Generally speaking, a person can give their consent expressly (explicitly), meaning through a specific verbal or written indication (for example, a client answering “yes” to a question relating to the collection of personal data).

Consent can also be given implicitly when it is inferred from an action, behaviour or situation (for example, a client requesting an insurance quote implicitly consents to providing certain information).

However, as of September 22, 2023, consent must be obtained expressly in the case of sensitive personal information:

  • Where a business wishes to use it for purposes other than those for which it was collected (s. 12)
  • Where this information will be communicated to a third person (s. 13 para. 2)

For example, sensitive personal information is collected when a person asks for a car insurance quote. If a business wishes to use this information to offer home insurance, express consent must be obtained separately. 

When collecting personal information for the purpose of creating a person’s file, you must inform the person of the purposes for which the information is being collected and of their right of access or rectification[5].

Reminder: verbal or written consent?

Consent may be obtained verbally or in writing. In the case of verbal consent, it is important to record all relevant information in the file about your discussions with the client and the information that you provided, and in particular the purposes of the collection.

3. Person in charge of the protection of personal information

Since September 22, 2022, businesses have been required to appoint a person in charge of the protection of personal information[6]. In many cases, this will be a senior officer. 

In particular, this person is responsible for ensuring that the Act is implemented and complied with, and that the business processes the personal data it holds in accordance with the law. Among other things, they are responsible for implementing internal data management policies, managing confidentiality incidents and handling access requests and complaints relating to the protection of personal information.

The title of the person in charge and their contact information must be published on the business’s website to make it possible for clients to contact them directly[7].

You are responsible for knowing who the person or department in charge of protecting personal information is within your organization. Should a confidentiality incident occur, you will need to contact this person or department in order to:

  • Inform them of any confidentiality incident in which you are involved; and
  • Take reasonable measures to reduce the risk of injury to persons concerned and prevent new incidents of the same nature.

Examples of confidentiality incidents:

  • An email containing personal information is sent to the wrong recipient
  • A laptop containing clients’ personal information is stolen
  • An IT security breach occurs
  • Data is extracted by an unauthorized person

4. Tougher penalties

Starting on September 22, 2023, organizations and individuals who fail to comply with the provisions of the Act and its regulations will be liable to tougher criminal penalties than before. In the most serious cases, these penalties can be as high as $25 million! In addition, the Act will now give the Commission d’accès à l’information, whose duties include overseeing the application of personal information protection legislation, the power to impose administrative financial penalties (up to a maximum of $10 million).

Communication to third persons

A policyholder’s consent is also essential for the communication of personal information to a third person. As stipulated in the ARPPIPS: “No person may communicate to a third person the personal information contained in a file he holds on another person, or use it for purposes not relevant to the object of the file, unless the person concerned consents thereto or such communication or use is provided for by this Act.”[8] This subject will be covered in a separate article in the near future.

 

 

Protecting personal information is a shared responsibility

In particular, firms or businesses must ensure that their employees (whether certified professionals or not) understand and comply with their confidentiality obligations.

Agents, brokers and claims adjusters must continue to ensure the protection of personal information, regardless of where it is held or on what medium it is stored. To do so, it is important to develop and maintain good habits when it comes to protecting information, in particular:

  • Avoid leaving files that contain personal information in plain sight of the public, office colleagues who have no involvement with a file or residents of your home. Put them away in closed, locked filing cabinets.
  • Use the appropriate technology: strong, confidential passwords, data encryption systems, firewalls, etc.
  • Avoid using unsecured Wi-Fi connections when you are travelling.

In summary

Whether you are an agent, damage insurance broker or claims adjuster, you must respect the confidentiality of personal information provided to you by clients and use it only for the purposes for which you obtained it, unless you are relieved of this obligation by the provision of a law or the order of a competent court.

Under no circumstances may you disclose any personal or confidential information you have obtained other than in accordance with the law, nor should you use it to the detriment of a client or to obtain a benefit for yourself or another person.

___________

[1] Section 5 of the ARPPIPS.

[2] Les Affaires, “Les données du site de rencontres adultères Ashley Madison dévoilées”, August 19, 2015.

[3] Section 8, paragraph 4 of the ARPPIPS.

[4] Sections 12 and 13 of the ARPPIPS.

[5] Section 8 of the ARPPIPS.

[6] Section 3, paragraph 1 of the ARPPIPS.

[7] Section 3, paragraph 1 of the ARPPIPS.

[8] Section 13 of the ARPPIPS.

Questions about your professional practice?

Visit the Toolbox section at chad.ca/en/toolbox.
Contact Accent Déonto by phone at 514 842-2591, or by email at info@chad.qc.ca or online.