Last week I had the pleasure of listening to a great talk titled “Privacy: Getting Accountability Right” at the 2013 Compliance and Consumer Complaints Annual Conference organized by the Canadian Life and Health Insurance Association Inc. The conference took place in sunny Vancouver, and the speakers were Barbara Bucknell of the Office of the Privacy Commissioner of Canada, Jill Clayton, Information and Privacy Commissioner, Alberta, and Elizabeth Denham, Information and Privacy Commissioner, British Columbia.
Here is a summary of their remarks.
The first question addressed to each panelist was what trends they were seeing in relation to privacy in the insurance industry.
- Barbara Bucknell noted that between 2008 and 2013 the OPC closed 148 insurance-related complaints. (These were not limited to life and health insurance.) Most were complaints about access to personal information; others related to unauthorized use or disclosure. Forty-four were resolved. Sixteen were well founded and resolved. Forty were not well founded. The trend is that complaints against the insurance sector are dropping.
- Jill Clayton noted that only about 4% of all complaints in Alberta were in the insurance sector. The kinds of complaints vary and include a disclosure of medical information to an unauthorized plan member; a few employee workplace matters involving use of inaccurate information obtained through social media to evaluate candidates; theft of claim forms from a courier; laptops and mobile devices containing personal information stolen from vehicles; mailing and transmission errors such as tax slips and other tax information sent to the wrong people; statements sent to the wrong person with a name identical to that of the intended recipient; an attachment sent to the wrong recipient; lab results put into the wrong envelope; and personal information left on a bus. Many of the complaints arose from human error, such as those listed above.
- The trend in Alberta is now fewer complaints and more self-reported breaches because of Alberta’s breach notice law. In all of the cases of reported data breaches, the data controller notified those potentially affected by the breach. Ironically, in only 6 out of the 17 reported data breaches would the reporting have been mandatory. This reflects industry practice to be transparent, even if not required to do so.
- Elizabeth Denham noted that since BC’s privacy law was enacted in 2004, the BC Privacy Commissioner received 500 informal complaints and concerns. BC has a rigorous call-back process which requires the complainant to try to resolve the complaint with the organization before the complaint is processed. This has resulted in most cases being resolved. She expressed the view that the insurance industry is a heavily regulated industry with a lot of knowledge of its compliance obligations. This industry is not the “wild west”. Complaints are channeled up the organization, which is a good way for privacy compliance to be managed. BC also has its share of privacy breaches, such as lost laptops and unencrypted USB keys.
The speakers highlighted major challenges that new technologies pose for organizations trying to protect data appropriately. An example is “big data”, information of extreme size, diversity and complexity. Gartner defines big data as “high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making”. Big data was described as “analytics on steroids”. It reveals correlations and patterns that were previously not seen or known. There are many useful applications of big data, including in developing fire prevention strategies. The flip side is the potential for dataveillance on individuals. Big data is premised on the collection and processing of massive amounts of information. It therefore runs up against the principles of identifying purposes, limiting collection, and limiting uses of information.
Other examples of challenges faced by organizations are the potential for massive data breaches affecting millions of people around the world; security and privacy challenges associated with cloud computing; use of social media when doing background checks in view of the obligation to use accurate information in assessing candidates for employment; uses of credit scores; and bring your own device (BYOD) in the employment context.
Each of the speakers recommended that organizations implement privacy management programs using the principles developed in “Getting Accountability Right with a Privacy Management Program”, a document jointly developed by their offices. In fact, there is a growing tendency among the offices of privacy commissioners to apply the principles in this document in privacy audits and other enforcement contexts.