The ChAD answers eight frequently asked questions regarding the protection of personal information and the damage insurance industry. Agents, brokers and claims adjusters can refer to these questions for guidance in their day-to-day practice.
Personal information is information that pertains to a natural person and allows others to identify this person.
This information may be written, drawn, audio, visual, electronic, etc. and may, for example, take the form of e-mails, notes in a file, photographs, recordings of telephone conversations or videos.
Often, the following personal information is found in insurance files:
- Identification information: name, home address, home or cell phone number, e-mail address.
- Financial information: credit file, bank account or credit card numbers.
- Information on personal business: report from the Automobile Claims Database or the Société d’assurance automobile du Québec.
When consent is required—be it verbal or written—you must ensure that it is:
- Manifest: consent obtained from the person in question must be clear and unequivocal.
- Free and enlightened: the person in question must give his consent voluntarily, without being pressured or constrained to do so.
- Given for specific purposes: the consent must be given for a specific objective in order to achieve a defined result.
- Given for a defined period of time: the consent must be given for a defined or definable period of time.
N.B.: Proof of consent must also be documented in the file, for example, by keeping an e-mail or the recording of a phone discussion, noting the exact time and object of the consent in the client’s file, etc.
You must obtain consent for collecting, using and communicating personal information from each of the co-insureds.
Yes. The Act provides for certain exceptions to the principle of confidentiality.
For example, if a file is under investigation by the syndic of the Chambre de l’assurance de dommages, he may ask for and obtain this information without the consent of the insured. Similarly, a tribunal may, under certain circumstances, allow a representative to testify regarding the personal information of an insured.
Also, an insurance broker who wishes to recover a sum of money owed to him may hire a collection agency that holds a licence from the Office de la protection du consommateur and provide it with the information necessary for the agency to carry out its work.
The Chambre de l’assurance de dommages has created a form entitled Consent for the collection and communication of personal information when making a claim. This form respects the principles of the Act and may be used as a model consent form for the collection and communication of information for other purposes.
It contains the following details:
- The object of the file;
- The identity of the persons from whom the insured authorises the collection of personal information;
- The identity of the persons to whom the insured authorises the communication of personal information;
- The use that will be made of information collected or communicated;
- The nature of the information exchanged;
- The period of time during which the consent is valid;
- The place where the file thus constituted will be held;
- The right to access and rectify the file.
You must ensure the security of information that you hold on others, no matter what the format (paper or electronic) or where it is kept (your office, at home, in your car, etc.).
For further information, please read the syndic’s January-February 2009 column entitled “Minimum Rules for Managing the Confidentiality of Client-Files When Working from Home”.
When you receive a request to access or rectify personal information, you must:
- Verify the identity of the person requesting the information and validate his right to access;
- Note the date you received the request;
- Follow up on the request as quickly as possible, and at most within 30 days of receiving it;
- If you refuse a request for access, inform the person requesting the information in writing. Explain the reasons behind your refusal and refer to the provisions of the Act that you have used to justify your decision. Furthermore, you must inform the person of his right to contest your decision. The Commission d’accès à l’information provides individuals with a model notice of recourse;
- If you refuse an application for access, keep the information for which this application was made until the person requesting it has exhausted all avenues of recourse provided for under the Act;
- If you receive an application for rectification in order to add or change personal information recorded in a file: send the person making the request, free of charge, a copy of any personal information that has been changed or added to his file;
- If you remove personal information from a file following a request for rectification: send the person making the request an attestation that the personal information has been removed.
When personal information is lost, you must do the following:
- Take the necessary measures to avoid or limit any potential harm to the individuals to whom this personal information pertains;
- Quickly notify the individuals concerned.
For further information, please read the “Checklist for organizations and companies: What to do in case of loss or theft of personal information”, published by the Commission d’accès à l’information du Québec.