The Office of the Privacy Commissioner has just posted to its website a finding related to a complaint filed by an insured under an automobile policy who was looking for information about a claim that has been filed by a third party related to damage to a motor vehicle. Though the insurer settled the claim, the insured disputed whether she was at fault.

The insurer refused to provide the insured with access to the particulars of the claim because, in its view, it contained personal information about the claimant. That information, it argued, could not be disclosed without consent under PIPEDA. The insurer attempted to get this consent and was not able to do so.

The insured enlisted the help of the province's superintendent of Insurance but to no avail. She then complained to the Privacy Commissioner that she was denied access to her personal information under Principle 9 of PIPEDA.

The Privacy Commissioner concluded that the third-party personal information should have been severed from the records and the remainder provided to the insured:

Commissioner Findings - PIPEDA Case Summary #314: Insurance company denies access to personal information in statement of claim (August 9, 2005)

Application: Principle 4.9 states that upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. An exception to access is included in subsection 9(1), which states that an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

• Based on her review of the statement of claim in question, the Assistant Commissioner was of the opinion that some of the information in the statement of claim was the complainant personal information.
• While she noted that the statement also contained the third party claimant's personal information, this information could be severed in the manner described in subsection 9(1), and the complainant personal information provided to her.
• As this had not been done, and instead the complainant was denied access to the entire document, the Assistant Commissioner determined that the insurance company had denied the complainant access to her personal information, contrary to Principle 4.9.

The Assistant Commissioner concluded that the complaint was well-founded.

I have some questions about this that are not dealt with in the published finding. First, it refers simply to the "statement of claim". If it is a statement of claim filed in a lawsuit, it's a public document that the complainant can get in other ways and you can likely imply consent to its disclosure. Secondly, and perhaps more importantly, is that the finding does not address any aspects of agency between the insurer and the insured. The insurer is simply the agent of the insured. The information collected and held by the insurer is done on the behalf of the insured. Using principles of agency, the information (arguably) is constructively held by the insured herself. The insured would have the ability and right to that information under agency principles, regardless of PIPEDA. I don't know if this argument was ever raised before the Assistant Commissioner, but I'd be interested to see whether it would fly.

Labels: information breaches, pipeda findings, privacy