Industry Committee on March 26th, 2015

Thank you very much for providing me with the opportunity to speak to you today.

My name is Éloïse Gratton. I am a partner at Borden Ladner Gervais. I also teach a privacy law course at the University of Montreal law faculty.

I've been practising in the field of privacy law for over 15 years and I represent a range of clients, mostly private sector businesses from various industries. I appear today in a personal capacity, representing only my own views and not the views of my firm or its clients.

My time is limited, so I'm going to first mention two provisions in Bill S-4 that have my support, and then two that raise concerns.

I offer my support to two important provisions in the bill: mandatory breach notification and business transaction exception.

I have concerns with two provisions in Bill S-4, the first one being the clarification on valid consent. I know that many have appeared before me to discuss Bill S-4 and they have expressed their approval of the proposed amendment to clarify the requirements for valid consent.

Yes, in theory, not many people would logically object to having more stringent provisions governing valid consent; still, I have a few concerns with this proposal.

PIPEDA currently requires that consent be reasonably understandable by the individual. The questions that should be asked are: do we have a concern with this consent requirement, and if so, will the proposed amendment address such concerns?

If the proposed amendment is accepted, the message sent to organizations is that the way they used to get consent may no longer be valid and that perhaps they should be taking additional steps.

PIPEDA is based on a “notice and choice” model that may prove to be a real challenge in 2015. In my recent book Understanding Personal Information, I have a chapter dealing with the challenges with this notice and choice approach. I was raising that in our day and age, it is debatable whether this model still makes sense and is a realistic one. Very busy individuals with limited time are expected to review, understand, and agree to various different—sometimes online—terms of use agreements, and keep up with new technologies and business models constantly evolving.

We have also already begun witnessing how consent forms are now requiring a few additional clicks to ensure that express consent is obtained in compliance with the new Canadian anti-spam law, since under this law certain information has to be brought to the attention of the user separate and apart from the standard terms of use agreement. I am mostly concerned that this type of amendment will be translated by organizations including additional verbiage in their already very long privacy statements and by requiring more clicks from users already overloaded with information.

I also have some reservations about the two new proposed paragraphs 7(3)(d.1) and (d.2), which would allow an organization to disclose personal information to another organization without consent in certain circumstances, although I understand in some situations the necessity for this proposal.

A few files have landed on my desk over the last few years in which this type of provision would have come in handy. One example worth noting was the case of Stevens v. SNF Maritime Metal. It's a case that ended up in the Federal Court in 2010. This was the case of SNF, a company purchasing scrap metal from another company. That company's employee, Mr. Stevens, opened a personal account with SNF and started selling a high volume of scrap metal to them. SNF disclosed the fact to his employer, who was already suspecting that someone was stealing scrap metal from them. The company realized that its employee was indeed stealing from them. They fired him and the employee then sued SNF for breach of his privacy.

Although SNF was probably right to disclose this information to its client, it was nonetheless a technical breach of PIPEDA, since they had disclosed personal information about Stevens, the fraudulent employee, to its employee and their business partner without his prior consent.

The bottom line is that I agree that we need to have a provision authorizing the disclosure of personal information without consent to address these types of situations. Still, given the way the proposed provision is drafted, I am concerned that the amendments could lead to excessive disclosures, used for broad purposes justified under the investigation of a breach of an agreement provision, or the purposes of detecting fraud provision. These disclosures would further be invisible to both the individuals concerned and to the Office of the Privacy Commissioner.

If we could find a way to minimize the risk of over-disclosing, while including a provision under which companies disclosing in such a situation would have to be transparent about these disclosures, I would offer my support to this type of amendment.

Thank you. I welcome your questions.

We will both be making a presentation, Mr. Chair.

My name is Frank Zinatelli. I'm vice-president and general counsel with the Canadian Life and Health Insurance Association. I'm accompanied today by my colleague Anny Duval, who is counsel with the CLHIA.

The CLHIA represents life and health insurance companies, accounting for 99% of the life and health insurance in force across Canada. The Canadian life and health insurance industry provides products that include individual life and group life, disability insurance, supplementary health insurance, individual and group annuities, including RRSPs, RRIFs, TFSAs, and pensions.

The industry protects almost 28 million Canadians and about 45 million people internationally. The industry makes benefit payments to Canadians of $76 billion a year, has $647 billion invested in Canada's economy, and provides employment to over 150,000 Canadians.

We welcome this opportunity to appear before the committee as it reviews Bill S-4, which makes important amendments to the Personal Information Protection and Electronic Documents Act.

For over 100 years, Canada's life and health insurers have been handling the personal information of Canadians. Protecting personal information has been long recognized by the industry as an absolutely necessary condition for maintaining access to such information. Accordingly over the years, life and health insurers have taken a leadership role in developing standards and practices for the proper stewardship of personal information.

For example, in 1980 we developed right to privacy guidelines that represented the first privacy code to be adopted by any industry group in Canada. Since then, the life and health insurance industry has participated actively in the development of personal information protection rules across Canada, starting with Quebec's private sector privacy legislation in 1994, the development of PIPEDA, Alberta's and B.C.'s personal information protections acts in the early 2000s, and health information legislation in various provinces.

The industry's overarching theme is to achieve harmonization in the treatment of personal information across Canada as much as possible. The operations of life and health insurers are national in scope, and many common day-to-day transactions may involve interprovincial collection use and disclosure of personal information. Thus, the coordination or harmonization of the provisions of PIPEDA with privacy legislation at the provincial level is very important to avoid unproductive duplication and confusion for consumers, organizations, and regulators alike.

With harmonization in mind, let me turn now to Bill S-4, the digital privacy act. The industry is generally supportive of the bill, as it contains some needed updates that move PIPEDA to be more consistent with other private sector privacy legislation in the country.

For example, B.C. and Alberta deal with the use of information without consent of the individual more effectively than is now the case in PIPEDA. In this regard, the industry strongly supports those amendments to section 7 of PIPEDA, particularly proposed paragraph 7(3)(d.2), which would help industry efforts to detect, deter, and minimize fraud. The impact of fraudulent and deceptive conduct on insurance and other financial services can be extremely costly and damaging.

The industry efforts to control the incidence of fraud are not in conflict with our protection of personal information, but we note that there's a gap in the current legislation that restricts the ability of organizations to disclose information without consent of the individual for the purpose of conducting an investigation into a breach of an agreement or of a law of Canada.

While it is industry practice to obtain consent, there exist clear instances where this cannot be done—for example, where the suspected perpetrator is a third party that is not directly involved with the insurance contract, such as a service provider to a member of a group benefit plan.

In some instances, obtaining consent makes no sense. For example, this latter situation is contemplated in a note to principle 3 of the CSA model code for the protection of personal information, which forms part of PIPEDA:

When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information.

For these reasons, we support Bill S-4's amendments to section 7 of PIPEDA, which more clearly set out when personal information can be collected, used, and disclosed during an investigation.

This will allow all parties to more clearly understand the range of acceptable circumstances when there is an exception to consent and will have the additional advantage of being harmonized with the approach used in both the Alberta and B.C. PIPA.

Mr. Chair, we would like to comment briefly on two other provisions of the bill. I will discuss the first aspect and my colleague Mr. Zinatelli will discuss the second one.

With respect to the breach notification provisions in the bill, the life and health insurance industry has long supported a method of notifying individuals that is proportional to the risks of harm that may be experienced by those whose personal information has been compromised. We appreciate the effort that has taken place to harmonize provisions as much as possible with the provisions now present in the Alberta legislation. But we believe there could have been even more harmonization.

For example, the record-keeping requirements in the bill require that an organization maintain a record of every breach involving personal information under its management. Given that in some instances there would be no impact on the individual or the organization, we suggest that consideration be given to linking the record-keeping requirements to the level of risk associated with any particular situation. This could probably be done through regulations.

Finally, Chairman, we would like to touch on a provision that has already received a lot of attention by other witnesses: proposed PIPEDA section 6.1, in clause 5 of the bill, describing when consent is valid.

We believe a clear and consistent understanding of consent for the purposes of privacy legislation has developed across Canada during the last decade or so. We are concerned, therefore, that the attempt at clarification may well create more confusion than fulfill the purpose for which it was created. We understand that this amendment is aimed at supplementing the test for informed consent in the context of, for example, minors in their online interactions. But proposed section 6.1 is not limited to the areas of concern expressed. Without clarification in the bill, in regulations, or by some other formal means, it raises questions for organizations as to what is expected of them and how it would be applied and interpreted. We suggest that such clarification is necessary and can be achieved through guidelines or regulations.

Chairman, the goal of our industry is to improve the workability of personal information privacy rules by promoting the adoption of provisions that are practical, predictable, and harmonized across the country as much as possible.

The industry greatly appreciates this opportunity to participate in the committee's review of Bill S-4. We would be pleased to answer any questions you may have.

Thank you.

Thank you, Mr. Chair.

I also thank the committee for the opportunity to share with you our thoughts on Bill S-4.

Before addressing our views on this bill, I would like to begin by making a few preliminary remarks regarding the role of my organization, Credit Union Central of Canada, and more generally, the credit union system in Canada.

Canadian Central is the national trade association for its owners, the provincial credit union centrals. Through them, we provide services to about 315 affiliated credit unions across the country.

As you may know, credit unions represent an important part of the Canadian economy. We have about 1,700 credit union branches that serve 5.3 million Canadians. We have $170 billion in assets and 27,000 employees.

Credit unions in Canada come in all shapes and sizes. It's important to understand that some of our smallest credit unions have less than $10 million in assets, one full-time employee, and one part-time employee. Our biggest credit unions have $20 billion in assets and literally thousands of employees. So there's a lot of disparity or gap there. Regardless of size, however, as member-owned and controlled institutions we believe we have an inherent responsibility to be open and accessible while, at the same time, demonstrating the greatest respect for the protection of our members' privacy.

The Credit Union Code for the Protection of Personal lnformation, adopted by credit unions in advance of the 2004 compliance deadline, really speaks to the system's long-standing commitment to member privacy. In fact, well before it was required or fashionable, this code reflected the credit union system's commitment to protect member privacy by proactively implementing consent requirements for the use of personal information. This commitment to member privacy is enhanced through employee training programs, strong internal policies and procedures, and member awareness programs.

In general, we think Bill S-4 does a lot of things right. We are especially pleased with the provisions that would make it easier for credit unions to share personal information with the next of kin or authorized representatives when the credit union has reasonable grounds to suspect that the individual may be a victim of financial abuse. However, we think this measure could be refined somewhat by making it possible to disclose suspected abuse to a member of the individual's family. Research has shown that often, in the case of elder abuse especially, the next of kin are the abuser. We think a little stretch would help with that situation.

We are especially encouraged by attention to this important public policy issue because the credit union system has taken a bit of a lead on this issue of elder abuse. We've designed a course for front-line credit union employees on financial elder abuse detection and prevention and recently made an announcement to that effect with Minister Wong in Winnipeg. We also like Bill S-4 because it does a lot to reduce some of the regulatory burden that results from the current framework.

To give you an example, we are supportive of the proposal that would make it less difficult for institutions to share information when they're in merger discussions. As you may know, the credit union system is rapidly consolidating, so this is a welcome development. Similarly, we support the proposed amendments that permit the sharing of information between organizations for the purposes of fraud prevention. This too will reduce the administrative burden associated with some of the activities of Canadian Central, my organization's Credit Union Office for Crime Prevention and Investigation.

We note, however, that as drafted, the information sharing between financial institutions appears to be limited to the detection and suppression of fraud. We would recommend that financial institutions be allowed to share information related to criminal activity to cover the broader range of activities that we want to capture: bank robberies, ATM breaches, and that kind of thing. We also have some concerns about provisions that may increase regulatory burden.

Specifically, the legislation proposes requirements that would compel financial institutions to keep records of all data breaches. As you know, the reporting requirements say that breaches must be divulged when they pose a real risk of significant harm to individuals. We're not clear why it is necessary to impose record-keeping requirements that are not aligned with this reporting test. The usefulness in recording incidents that do not meet the significant harm reporting threshold is not readily apparent to us. We would recommend aligning the record-keeping requirement with the proposed reporting requirements. We also question the proposed potential penalty of $100,000 for non-compliance with this new record-keeping requirement. While this may not be a material amount to some of our larger competitors, you can imagine the impact of a fine like this on a small credit union with $10 million in assets and whose profits are well under $1 million. This could really harm the credit union. We'd recommend that the fines be geared to the size of the institution.

To help put these concerns in context, just to give you a sense of why these large and small institution issues matter to us, we did a study back in 2013 on regulatory burden. We found that small credit unions, those with fewer than 23 employees, devote fully one-fifth of their staff time to regulatory administration. It's a huge burden for our smaller institutions. Our bigger institutions devote only 4%, and keep in mind that our biggest institutions are many times smaller than the biggest banks out there.

The unintended consequence of a lot of the regulations that get imposed on the credit union system is that they inadvertently create a competitive advantage for larger institutions, and that's a concern for us. In fact, we raised that concern with the finance committee here at the House of Commons, and they agreed. They said that “the government should examine means by which credit unions and caisse populaires could be on a level playing field with Canada’s large financial institutions”. We think there are a couple of areas in this proposed legislation that could be tweaked to address that concern.

To conclude, we want to thank the committee for this opportunity to share our thoughts on Bill S-4. We applaud the government for some important and positive changes, especially around information sharing to prevent financial abuse of seniors and to reduce administrative burden.

That said, we would recommend adjusting the bill to allow financial institutions to share information related to criminal activity in order to cover crimes such as bank robberies, ATM compromises, and so on. We are also recommending that the bill be modified to make it possible to disclose suspected abuse to a member of the individual's family, not just next of kin. Finally, we would just ask that the government continue to be sensitive to the needs of smaller financial institutions by, for example, aligning record-keeping with record-reporting requirements and making fines for non-compliance proportional to the size of the institution.

We want to thank the committee again for our opportunity to share these perspectives, and we look forward to your questions. Thank you.

I'm glad as well, Mr. Chair. Thank you.

My name is Randy Bundus, and I am senior vice-president, legal and general counsel, with lnsurance Bureau of Canada. I am joined by my colleagues Maddy Murariu, with IBC government relations, and Rick Dubin, with IBC's investigative services. We are pleased to be here today.

IBC is the national industry association representing over 90% of private home, car, and business insurers in Canada. My remarks will focus on how Bill S-4 will affect my industry's ability to continue to combat insurance crime, which includes fraud and auto theft.

Insurance crime is big business in Canada. A recent Ontario government task force estimated that in that province auto insurance fraud alone costs up to $1.6 billion yearly. Insurance crime costs everyone in higher premiums and increased costs to our legal and medical systems.

Our industry works hard to suppress and prevent insurance crime through early detection, and also works hard to protect our customers' privacy. Insurers know that they must safeguard customers' personal information or risk losing business.

There are different types of insurance crime. It can be opportunistic. For example, a driver hits a guardrail and then invites a friend, a “jump-in”, to falsely state that he was also in the vehicle and suffered an injury for which he then claims compensation. Opportunistic claims are handled by insurers, but PIPEDA does not allow one insurer to verify facts by reaching out directly to another insurer that might also have been victimized by the suspected fraudulent incident.

Insurance crime can also be premeditated and organized. Large crime rings stage collisions that involve fraudulent injury claimants and others such as auto body shops and medical rehabilitation clinics. A crime ring can generate several million dollars in fraudulent claims.

IBC's investigative services, or ISD, was the first designated investigative body under PIPEDA, and it plays a critical role in the investigation of organized insurance crime. ISD is uniquely positioned to investigate organized insurance crime that involves multiple insurers, multiple claims, and multiple claimants. An example of this is the case of a police officer in Peel Region who was convicted in February on 42 counts, including 21 counts of fraud. This officer falsely reported nine collisions and, as a result, 14 insurers paid out almost $1 million in false claims to 69 participants.

ISD begins an investigation as a result of being made aware of an anomaly in an insurance claim. Information triggering an investigation may come from an insurer, a victim, law enforcement, or a tip from an informant. ISD then acts as a case file manager, coordinating investigations and identifying linkages between parties that are then submitted to regulators and other enforcement agencies. Individual insurance companies are not well positioned to handle organized crime on this scale.

This brings me to Bill S-4. We support the proposal in Bill S-4 to repeal the sections in PIPEDA that create investigative bodies and instead allow for an organization to disclose information to another organization in limited circumstances. These circumstances, as set out in Bill S-4, are to investigate a breach of an agreement or contravention of a law of Canada, and to detect, prevent, or suppress fraud.

My industry's experience under PIPEDA in investigating and detecting insurance crime has been of mixed success. While IBC's investigative services have been successful in combatting large, organized insurance crime, that has not always been the case for insurers in handling the opportunistic fraud. This is because many of the insurers are not able to disclose to each other information about suspected insurance crimes.

The proposed changes in Bill S-4 would help investigations into opportunistic or one-off insurance crimes involving only two claimants with two insurers, such as the jump-in example I gave earlier. Bill S-4 would allow insurers to disclose, in those very limited circumstances, when it is reasonable to do so, information to another insurer without the involvement of an investigative body.

An insurer could also disclose that information, in the same very restricted circumstances, to an organization such as ISD in the investigation of insurance fraud. In our view, this new process would be efficient and effective in detecting, preventing, and suppressing fraud, while still being respectful of privacy rights. Under Bill S-4, ISD could continue to function as a case file manager for organized insurance crime.

In our written comments to this committee, we address a number of other important issues in Bill S-4, including some minor wording changes to ensure consistency among the provisions allowing for responsible fraud investigations. We would be pleased to discuss these matters with this committee or with Industry Canada officials.

Thank you for your attention. I'd be happy to take any questions.

I'm going to ask my colleague Mr. Dubin to address that question.

I think the best way is to give a very brief scenario and show you why we support this.

Here's a scenario that we've run into several times. We have a left-turn situation in front of what seems to be an innocent vehicle. The other vehicle turns in front, and there's a collision. There is not significant damage, just bumper damage to the front of this so-called innocent vehicle. The driver says there are three occupants in the vehicle. In reality—and this is what we're going to get to, these are what we call jump-ins—they weren't in the vehicle at the time the collision took place.

Keeping in mind that the vehicle making the left turn is usually presumed to be at fault, the adjuster now receives this claim and does what we call a Carfax or AutoPlus report, where they're looking into a general history of the driver and vehicle that they insure, and he would contact IBC. They'd find out from that information that this driver and the vehicle were involved in a previous collision. It does identify the other insurer as well in those public reports. What that information has that they're not able to get to yet is that the other insurer also had a left-turn situation with multiple occupants in this vehicle.

Now, this accident happened late at night in a quiet neighbourhood, obviously at an intersection, and there were no witnesses. All three occupants were claiming soft tissue injury, but they didn't report it at the scene of the accident so the police didn't attend.

Under the current law, the adjuster obviously can't contact the other insurer to find out the facts of the other collision, so they're in the dark at this point. In the meantime, the claim starts getting paid and the occupants receive weekly income disability payments. They attend rehab facilities for extensive treatment, all of them usually receiving the same type of extensive treatment of physiotherapy, massage therapy, or chiropractic. At the same time that these bills are building up, the body shop is now doing the repairs to a vehicle that could very well have been previously repaired in the other accident.

It's reported to IBC at this point by the insurer just to let us know that they have some concerns, but the other party looks at fault. They can't contact the other insurer, so they start payments.

We support the bill because if the bill were passed, it would allow the insurer of this vehicle to contact the other insurer. They would find out some of the scenarios, that the same scenario existed with the same service suppliers: they used the same rehab facility, the same body shop, everything was virtually the same. This accident even took place in the same area.

What I'm getting into is an identified social network. It creates linkages among the possible participants in the suspected fraud, but because they couldn't contact the other insurer, because they didn't want to be found to be in bad faith, they started payment. They would have informed IBC, and we would get to it at some point.

The problem that exists here is that by the insurer contacting the other insurer immediately when they had these red flags coming up, they could quickly ascertain that this is a very suspicious situation, and they're in a position to at least stop payment and deny the claimant, stop the bleeding. With the way things stand right now, because they don't want to be accused of bad faith, they start payments right away.

Finally, just to give you an idea of how serious this is in the province of Ontario, the Insurance Bureau of Canada has the statistics that the average accident benefits payment per person in Ontario is $31,785. This is the staged collision capital of Canada, right here in the GTA. The average in Atlantic Canada for accident benefits is $8,668, and in Alberta it's $3,766.

A major problem that exists here is the identity theft we're seeing with service suppliers. That's a key reason these individuals get these accident benefits forms submitted to the insurers; there's a lot of forgery going on.

I've been in the insurance industry for 35 years as a senior investigator and a solicitor and negotiator, so I'm very familiar with the general practices. An underwriter will look at prior accidents. They won't necessarily be contacting the other insurer for facts. They'll see that there was another accident.

What we do find is that in order to camouflage this a lot, they change the ownership of the vehicle that seems to be involved in let's say a multitude of different staged collisions. That really creates difficulty for an underwriter to know that this same individual was involved in suspicious circumstances.

They intentionally change the scenario as to ownerships of vehicles and run between different insurance companies. All the underwriter is going to see is that possibly there was another accident, but they won't get into the specific investigation of the facts of that particular accident.

Actually, no, and I have to say that this is a concern. If an injury is not reported at the scene of an accident...and these individuals intentionally do not report, in a lot of cases, at the scene of the accident and will go to a collision reporting centre afterward. At that point in time there will be a report taken.

The insurers have access to that report, but again, it's very limited information. All it's basically going to say is a left-turn situation. They probably charge the driver doing the left-turn situation that was staging this collision intentionally. It would just show the fact that the other driver drove into them. That's all they're going to have.

Actually, at the time, initially after the accident, they won't even have the names or facts of occupants, because the police didn't attend the scene of the accident. They've got up to 24 hours for these occupants to show up, let's say at a collision reporting centre, and claim that they were involved in an accident. In a lot of cases they don't even bother, and the next thing you know they've hired counsel and put the insurer on notice.

Well, I think the example I gave is.... The insurance industry is quite well trained in terms of first contact and the type of information they need to receive. They're just going to start acquiring what I gave you in terms of certain information: the time of the accident, where it took place, how many occupants, the nature of the damage, how soon was the tow truck driver there, did somebody recommend the body shop, how much damage was there to your vehicle, where were you going at the time, where were you coming from, how do you know these individuals, things like that.

They're going to start developing certain red flags. Based on those red flags, it doesn't mean that there's fraud; it means that it requires further investigation. This is the point that a prudent individual, having reasonable grounds, such as what I suggested, should be contacting the other insurer and saying, “What's happening here?”

In terms of another problem that exists, in 2014 IBC investigated on an ongoing basis 52 rings. A ring investigation usually involves at least 20 to 50 suspected staged collisions that we have to investigate. On top of that, we took 14 new ones. Even though the insurer reports it to us, we can't take these claims right away. They're going to sit until we can get to them, and unfortunately these payments are continuing all the way through. By the insurer being able to contact the other party, they would be able to stop the payment at this point in time.

Basically, we have a problem with the fact that people are constantly being asked for their consent. They are exposed to a lot of information and I am afraid that with the proposed amendment, businesses will simply include more information, and ask for additional consent, and so on. I have the impression that we are not solving the problem.

If there are concerns with regard to the consent given by minors, that should be handled in another way, regarding the type of consent to be obtained from a minor through his or her parent or parental authority. Our concern is more in regard to obtaining the consent of an adult. We have to look at the issues and target them more precisely.

The proposed amendment is probably going to create confusion. That said, I think that fundamentally, the acts raise problems in the sense that everything has to be authorized by consent. In my book, I suggest that we protect less personal information and target the potential uses of information that can be nefarious for individuals. The issue of consent has been well managed over the past 10 years. I don't want to call the whole bill into question, but I think that the proposed amendments are simply going to create confusion.

We need this type of provision. But I am a little worried that they will be used in fishing expeditions, so to speak. Information will be exchanged, to see if something comes out of it and if a file has to be opened. That is our concern.

I listened to the testimony of representatives of the insurance companies and other organizations. I understand the fraud issues. We need to target the type of situation that could arise with that type of information exchange. We have to ensure that before an exchange is authorised, there is a reasonable doubt, and that a certain amount of investigative work has already been done and that this is not a fishing expedition.

I think part of the solution could also be transparency. If there were transparency during an investigation it could happen in some cases that one did not obtain the necessary information. Could transparency be a factor afterwards? We would to think about that, but I feel transparency would be appropriate in this type of exchange between organizations, whether we are talking about insurance companies or other private sector businesses.

I missed the beginning of your question.

Yes, those suit me. I know that certain reservations were expressed with regard to the record. All of the records need to be kept. I'm also aware of the position of the Canadian Bar Association, which also has certain reservations as to the records that would have to be kept.

Bill S-4 suggests that the commissioner and individuals be notified in this type of situation where there is a high risk of prejudice. I like that. In practice, when I divulge breaches, I advise individuals, but I also often advise the commissioners. These things are often done together. It does not bother me that the same criteria do not apply to disclosure.

Our opinion on that is unchanged from our previous testimony. The reason is that harmonization is critically important for our industry. Our members operate across the country, and if they were to have to take separate approaches for different parts of the country, it would make the cost of the product much larger once you try to specialize for smaller provinces, different provinces.

That's the main reason we would want to have that.

No, that's okay. Of course, in an ideal world, notification provisions would be standardized.

It's hard to say. We will have to see whether there is a compliance problem and how businesses behave.

Of course, I am sitting on one side of the fence. Businesses contact me because they want to comply with the law. So I am in a bad position to tell you that we have a problem and that people are not respecting the law. I am always on the side of respecting the law and ensuring that we do it well.

I will repeat what we said before. We support the bill as such, but we would also like to see some minor changes.

We have mechanisms to improve the situation or lessen the burden for our small credit unions, even if the burden is much too heavy for them. At the central, we work together, for instance to learn the rules and communicate them to our smaller members. We certainly are proposing that the fines be adjusted, because a $100,000 fine would be a huge punishment for a small credit union that barely generates a million dollars a year. That is our main concern.

Just briefly, we recognize that this is a major issue as the population ages, and that's part of the reason we're very supportive of this measure. In our day-to-day interactions, we do see instances where these kinds of situations arise, so it's in the interests of our members to have legislative override that gives us that capacity to talk to family members about these suspected cases. That's a very positive thing for our members and for society as a whole.

I don't know if Rob wants to add anything to that.

I would just reiterate that the one concern we have in this section is the fact that it's targeted at next of kin rather than, more generally, family members being able to disclose.

There's not a definition of next of kin in the legislation, so it's hard for us to interpret that as institutions. If you take a vernacular view of it, then it could be fairly broad, but if it's based on family law, then it may be very restrictive in terms of who we could actually disclose to.

We'd like to see it expanded out a bit. You can imagine in a small town or someplace where a credit union is fairly prevalent that there may be knowledge by the credit union staff that the person who is actually carrying out the financial abuse is, say, the person who's next of kin.

I'll leave it at that.

Yes: $31,785 is the average accident benefit payment per person in Ontario.

I would say it is certainly in the right direction, and it is a positive way of moving forward. Obviously, if the insurers can't contact each other, they can't identify the social networks that develop within organized criminal rings. That's the key. Right now, yes, it's a manual process, but it doesn't take very long, and it doesn't take too many files, to start identifying a possible trend and pattern. Once that exists and we are brought into the scene, we will start looking into our database, where we store all of our investigations going back to 2002, when we got into organized activity. We would start looking at whether there is overlap, and often there is overlap. It's a start of identifying and dealing with each insurer independently, giving them reasonable grounds why we believe there may be a suspected fraud. Then, on the other side, they have reasonable grounds to feel that they can disclose that information. It's like putting together a puzzle.

As you know, in the fraud task force—I was a member of one of the committees dealing with this—there was a recommendation to move to analytics to identify that information, so that it would very quickly raise a flag over a certain threshold, saying, “You may want to investigate this further.” It doesn't mean there is fraud. This bill allows the insurers at this point in time to take that manual type of approach and identify possible red flags that give them reason to hold off on payment, bring us into the picture, and possibly involve other insurers so that they know the same thing: time to stop the payment.

Absolutely.

Yes: organized crime is extremely creative, and they keep changing their approach. They take advantage of the fact that insurers are unable, currently, to share information with one another, and that is why they are ahead of the curve.

That is the critical word, finding the right balance. Insurers will respect the privacy of their customers; they have to. They compete with each other. Once a breach happens, once they are known to be abusive of information, customers will no longer go there.

In addition, the insurance contract is a contract of utmost good faith, which means that if the insurers do not act appropriately, they could be subject to punitive damages for a claim of bad faith. The high-water mark at this point in Canada is $1 million. It was approved by the Supreme Court of Canada a number of years ago, but that does not mean that this is as much as will be awarded against an insurer for a bad faith claim. It's really because of the bad faith risk that insurers take every effort to make sure that they proceed carefully before they allege that someone has committed fraud.

I'd like to highlight four of them. It's not that we would say, “Stop the bill and make these happen”, but in our mind, they would make for a better bill.

For example, in paragraph 7(1)(b), which is collect without consent in certain circumstances, we would also like to have a reference to collecting for the purpose of detecting, preventing, and suppressing fraud. We have the right to disclose for that purpose. Just to balance it out, having the right to collect would sort of be the other bookend to that.

We would also propose a small change to proposed paragraph 7(3)(d.2), and that's in the written submission we gave. It's to make sure we really have the ability to conduct those fraud analytics in a way that was recommended by the Ontario fraud task force.

A third change is with respect to proposed paragraph 7(3)(c.1). This is the provision that says you don't have to give access when someone makes an access request in certain circumstances. There's a reference in proposed paragraph 7(3)(c.1) to no access. We want to make sure there should be no access if the information is collected as part of the work product. We've added that work product aspect to the bill if we're able to collect information as part of a work product.

For example, insurers have claims files, adjusters have claims files, and we collect personal information in those claims files. In those claims files is also the reserve amount that has been set for that particular claim. It would be quite inappropriate in our mind to have to release the amount of that reserve amount for a particular claim via a PIPEDA request at the request of the person who is at the other side of the transaction. We would like to have that fixed if we could.

The fourth item is with respect to paragraph 9(3)(a). An amendment has been made already under Bill S-4. We suggest in addition to having solicitor-client privilege, that litigation privilege also be a basis for that.

I would not stop the bill from being passed, but just have those changes. It would be a better world.

We have a concern where the breach might be of a minor nature but it would still be subject to very serious penalties, as was being referred to earlier. Including those as part of the requirement for record-keeping would be inappropriate.

I mean, think of an example where you step away from your computer, and a colleague from another department who doesn't have access might come to visit and see something on your screen for a second. They see some piece of personal information. Technically that could be a breach. It would be subject to putting it on the list and, if you don't do it, it could be subject to the penalties.

I think there are examples like that, very minor in nature, where we could clarify that those kinds of things are not covered. That can be done, as we suggested earlier, by regulations, by guidelines, or some other means.

I like the risk-based approach so that if we're talking about a real risk of significant harm, then those should definitely go on the list. What should go beyond that on the list is something I think should be discussed and clarified in a guideline or in regulations.

I'm sorry, I thought you were asking him the question.

Yes: so it's why I have an issue with valid consent.

When I saw the proposal, I wondered why we needed a change, because I think PIPEDA, to a certain extent, is clear enough on the fact that you need to make sure that consent is valid and people understand what you're collecting. Then I realized that the concern originally related to minors: maybe it's not stringent enough; how do we get consent from minors; maybe vulnerable groups; aging investors. So my testimony today is saying if that's the concern, maybe we should specifically address these types of issues in the law, not reopen the whole consent issue. That's what I'm trying to say.

Yes, my concern is with the anti-spam legislation; it's providing for a very stringent express consent provision, and some of the information has to be obtained outside of the standard terms of use agreement, privacy policy. So already when people buy something or they subscribe to something, they have to accept the policy, accept the terms of use. Now they have to agree to receive commercial messages and so on. So we're going to go back to the same situation when people are overloaded with information and they don't read it. I'm saying if the concern is minors and vulnerable groups, let's focus on these people and make sure that consent in specific situations is properly addressed.

I don't know if there's too much to add, other than that is correct. We have seen instances, especially, again, in smaller regions, as Rob was pointing out, where there may be criminal activities within a very small regional area. You can't talk to the person next door even though you might see them on a daily basis in a social context.

So there's a real challenge for us there, and again, I would just maybe underline a point that was made earlier that we hope for elaboration on some things in the guidance. On the fraud, if it's not addressed in legislative change, maybe there could be an interpretive guidance on that to capture other kinds of criminal activity.

We've run into a real difficult time getting police to take these investigations. First of all, they're only going to take high-priority investigations, for one thing. They're overloaded. They want to deal with the more serious crimes of personal harm—assault, attempted murder, murder, things like that—and unfortunately, with their limited resources, these departments are small...that will have a fraud component to the police. They'll only take the more serious ones, the ones that actually have been investigated fairly thoroughly and put into a crown brief sort of format, which takes an extensive amount of work on our part. Then at that point in time we'll meet with the police officer who's in charge of accepting investigations and we'll run it through with them, showing them the connections, the social networking among the parties. But their ability to take on these investigations is fairly limited. They're only going to take on the high-priority ones.

Now, the other thing that we do is share investigations with the Financial Services Commission of Ontario, and as a result of doing that as well, they have laid numerous charges and actually shut down illegal operations. Unfortunately, the police over the years have kept reducing their head count in the areas of insurance crime and have concentrated in areas where personal harm exists.

I can tell you that in a study we're involved in for which we provided data, organized insurance crime itself in Ontario was estimated to be as high as $1.6 billion. Last year alone, as I said, in ongoing investigations we investigated 52 suggested insurance crime rings and we accepted an additional 14. These involved a significant amount of work.

We think this is just the tip of the iceberg, because unfortunately we rely on our member companies to at least give us a tip to say “There's something that seems a little out of norm here; can you guys at least look into it?” This is the area in which it is important that they be able to speak to each other.

Absolutely.

We've come down. When I started at CUCC about four years ago, we had 450 credit unions or thereabouts; now we're down to 315. It's a very consistent trend. Even a few years ago we were at close to, I think, 1,000. There may be 20-odd mergers a year, speaking roughly.

I'd just like to add something. Earlier, I think I may have misunderstood Ms. Sgro's question. I want to add a clarification, if I can. I was thinking in the going forward sense. Currently we have a credit union office of investigation whereby we can share information around criminal activities. The concern is that if, going forward, the definition is limited to fraud, we may have trouble with that kind of information sharing.

I just wanted to clarify that.

I think that's a fair statement. The information sharing happens now, but it's under a cloud of uncertainty. There is no legal clarity about what is permissible.

This change would, I think, remove a concern that we have around the current situation. We welcome this change.

Maybe; I guess it depends which groups and what kind of threshold we're talking about.

One thing is for sure; the concern that I've had with this bill and that we're trying to address with the sharing of information without consent is that this privacy law should not be used to commit fraud, to hide behind. We need to make sure that we can have access to information and can conduct investigations.

I would suggest that insurers will comply with the privacy law as they do their data mining.

I'm not sure, really, how to answer that question, to be honest with you.

I think the key point with the data analytics is that it will raise almost immediately, once the claims information is in the system, whether there is a social network and whether it's a heads-up to the insurer to say, “You have to look into this now, further, rather than automatically start paying.” That's the beauty of it, because the main problem we see right now is that payments are going on and on, and it's building up, and nothing is happening. This allows them to get some immediate information and shut it down pretty quickly.

I'll give it a try.

It's very difficult for any particular government to control the Internet. There is always a risk that rules you make here just drive the wrongdoers outside the country—not that you should make the rules for here, but they will just move away. You need cooperation internationally to resolve those problems.

One of our themes, as I said, is harmonization within Canada, but clearly, also for our regulators who deal with other privacy commissioners internationally and do a lot of work together this is very useful, because it creates similar rules—to some degree, at least—across various countries.

I'm going to ask my colleague Rob to answer you.

It's a fairly broad subject. It comes down to there being a training element at the credit unions. We have our own organization, CUSOURCE, which would train individuals to identify fraud and the various features of fraud. Our lenders and our front-line staff will be put through that sort of thing.

There will be some sharing of information through our Credit Union Office of Crime Prevention and Investigation. We have agreements with the Bank Crime Prevention and Investigation Office, so we are able to share some information back and forth. Of course, that is subject to policies and procedures that are developed in alignment with the legislation, so it is fairly carefully guarded. But it does currently help us to prevent, for example, a bank robbery or an attack at an ATM: we are able to share some information with the banks and other credit unions through our office.

That's about as far as I can elaborate on it.

What is attractive about the bill is that it would eliminate the need for the crime prevention office. As you can imagine, in the credit union system we have fairly small institutions. There is an administrative burden that goes along with it.

We actually like the way the bill is going. We would hope that the information could be shared between credit unions, possibly without the intervention of the crime prevention office but based on the requirements of the legislation. We would just like to see it focused on being able to detect and deter not only fraud but other types of criminal activity that would seem to be excluded as it is currently drafted.

That's all I have to say.

I would like to add a comment.

Thank you.

Even following the change in legislation being proposed here, we will most likely keep our office open, but in a more informal way.

Currently this imposes a regulatory burden because we have to meet certain criteria. People who work on this have to qualify. There has to be an investigation in the institution.

This will reduce our burden somewhat. We will probably keep the association, but implementing the changes proposed here will mean that the work will be less demanding in regulatory terms. It is a good thing for us.

As I said in the beginning, in situations where we have to compete with banks, we have to reduce our costs in every possible way; it is really important that we remain competitive.

It's a bit of a complicated question, but we can try to provide you some of the data, if any of that's going on. But you have to keep in mind that there is now anti-money-laundering and anti-terrorist financing legislation that, to my understanding, requires that this sort of information be shared with FINTRAC and not to the police forces directly. There are rules around that. When I joined the credit union system many, many years ago, there was much more informal communication between credit union front-line staff and local RCMP and police. That was cut off with the anti-money-laundering and anti-terrorist financing legislation.

I don't think our office is tracking that, but we can look into it for you.

I'm not sure I understand the question.

You're mentioning that it's just a brief civil matter of some kind...? Perhaps you could be more specific.

Here's how it actually works. They're not going to look further if they don't have...as a reasonable prudent person with reasonable grounds to believe that a possible fraud exists. So unless those grounds are there, they're not going to be contacting us or another insurer. We wouldn't get involved.

Last year alone we trained 1,300 people across the country, including police officers and insurance companies. We teach them PIPEDA. We teach them that you need reasonable grounds to believe that as a prudent person you have concerns that you need to investigate further. If they find that, then they go to their supervisor in most cases and they get a confirmation to share that information or obtain further information.

If they don't see those grounds, they're not going further. They won't come to us. They won't contact the other insurer. What they will do as a matter of practice is that based on the accident that's called in, they'll ask us to look at our database just to see if there were any previous accidents. They can get that information as well from AutoPlus and Carfax.

We have an agreement among insurers that they will conduct themselves according to certain ethics. That's set out in a claims agreement among themselves. As my colleague Mr. Dubin said, because insurers are subject to bad faith claims, if they act inappropriately in handling a claim, that in itself has gone a long way to dealing with their acting properly in handling these sorts of matters.

Yes: specifically with regard to a code of conduct, apart from what's in the claims agreement, no, we do not have one in our industry.

Certainly.

We would be supportive of it going ahead, I think, for some of the reasons we outlined in our opening remarks. Maybe just to underline a couple of other points, we would also support the idea that this is taking us a step forward in terms of harmonizing with some of the provincial rules, and that's a good thing. We might ask that the committee, in its report, flag some of the concerns that were addressed here that could be taken up subsequently in regulation or given some detail on in another review later on. But we would be generally supportive of it going ahead, yes.

We would support it going ahead as well, as it achieves better balance than what we had before. We've learned, over the past number of years, of the weaknesses of the existing legislation, and this bill addresses a number of them. In five years we'll look at this again and maybe get it perfect.

I would also support the bill going ahead.

We would also support the bill. We've heard, even today, some suggestions that are useful—for example, the one about extending fraud to crime and so on. But I think the bill is a very good one and should proceed as it is.

My understanding is that the amount is up to $100,000. Our concern is that if the maximum amount would be imposed on a small credit union, as you said, with say $10 million in assets, that would have very significant consequences, compared to what might happen if a bank faced the same penalty, which would be quite small, I guess, for a large competitor of ours.

That's what we want considered. Of course, there has to be some relationship between the severity of the breach or the issue, and the fine, but there should also be some recognition that institutions of different sizes have different capacities to deal with that.

Just to add to that, there's always a concern when you're dealing with a regulator. They may not be too sensitive to that size differential, despite the fact that they have some latitude. That's our basic concern. We want to make sure that there's some signal that they should take that into consideration, because that could really sink a small credit union that provides services to communities that need them. I think that's important.

The Insurance Corporation of British Columbia, as a government-owned insurer, is not one of our members. We have privately owned insurers as our members.

One area that jumps out is organized auto theft. This has significant impact. We pulled $8.8 million worth of stolen vehicles at the ports of Montreal and Halifax last year alone. We're well over $55 million since we started this in 2009 at those two ports.

The point I'm getting at is that it's just another form of organized insurance crime, as you've mentioned, that has a very significant impact on the premiums that everybody else is going to end up paying for.

The Spencer decision, which relates to the ability of the police to request information of the service provider—the Internet service provider, if I recollect the facts properly—doesn't really have a big impact on our industry. However, we do require as an industry that, when the police come to us requesting information, they illustrate their lawful authority for that.

If as a result of the Spencer decision they have to show a greater degree of scrutiny in providing that lawful authority, then it's really up to the police to make sure they do that. I don't believe our industry will have any difficulty in having the police come forward with the appropriate lawful authority to show they are entitled to receive the information they are asking for.

With regard to what's meant by a reasonable expectation of privacy, we have to balance privacy rights against the fact that there's fraud out there, so what is reasonable has to be determined in that context.

I'll ask my colleague Rob to deal with this.

We haven't had our counsel review it from the constitutional perspective in light of the Spencer decision. We're working on the basis that the government has vetted this bill through its own lawyers—Justice—and that it would actually hold water in that context.

We're in a very similar position as expressed by the Insurance Bureau of Canada, but I would also note that subsequent to the Spencer decision—I'm not going to remember what—there was a decision in December having to do with access to cell phones that maybe changes that again the other way. I think that's an ongoing discussion that will take place.

Yes, very much so.

Definitely; in Spencer, the court said that individuals have an expectation of privacy in their online activities, and therefore, before you come knocking at the door of an ISP to get the identity behind an IP address, you need to have a warrant in hand.

Now with the sharing without consent provisions, are ISPs going to be exchanging information in copyright infringement cases, therefore without a warrant? Definitely, I think, if there's one clause that perhaps should be changed before the bill is passed, in my view it would be toning down the sharing without consent, making sure there is transparency exactly for this reason, to make sure it's consistent with the transparency trend.

I'm thinking that we need to think very closely about the threshold at which this type of information could be exchanged to make sure that we avoid fishing expeditions. I would propose making sure that there is some type of transparency so that people are aware that these exchanges are taking place.

I would need to think about that a bit more, whether it be at the time of or after the fact, depending on the case. The idea is being transparent.

I just wanted to comment that certainly the life and health insurance industry has very rigorous due diligence processes in place, and indeed it has oversight within the company itself. Of course, there's the overall oversight by the Privacy Commissioner, who has also appeared before this committee.

I think there might be the need for the discussion, but certainly we are going in intending to completely follow the act and not use it for fishing expeditions.

I can verify that with the significant training we do on an ongoing basis with member insurance companies, one of the first things we train them on is that you never go on a fishing expedition. You have to have reasonable grounds, acting as a reasonable, prudent person would, and if you are going to contact the other insurer and if you are going to get into the discussion, you document your file accordingly so that you stay away from that type of situation.

I would love to be able to answer that, but I'll have to think about it.

I would be happy to speak with you bilaterally later on, or through the clerk.

For the sharing?

I advise private sector businesses, so I'm going to be answering these calls: “Can I share or can I not share?” I'm going to have to guide them on whether they have reasonable grounds, or if it makes sense, or if it's in compliance with the amended law.

I'm going to have to see the kind of findings that are issued. I'm going to have to stay really up to date to see how the market is reacting and what is the best business practice, depending on the industry.

Specific? No.

I'm concerned about fishing expeditions and about sharing to investigate in case. I guess that would be my concern as a consumer.

Yes, but I would have to take my pen and draft something. I can't answer—

I didn't prepare it. Okay.

You said the word “parents”, so that's interesting.

PIPEDA currently requires that consent be reasonably understandable by the individual. For me there's a clear understanding in the industry what that means. Current practices have evolved over the last 10 years. I'm concerned that we're reopening a door or trying to address a problem that perhaps we don't have.

There's already a problem, and I don't see how the proposed amendment will address that.

Tomorrow, if this becomes law, I'm going to have clients saying the consent they had before is no longer valid; perhaps we need to reopen the door. How can I be sure the consent of the individual is valid because it is reasonable to expect that the individual “would understand the nature, purpose and consequences of the collection, use, or disclosure”? How do I do that? How do I achieve that? Do I include more wording? More clicks? Do I have a longer policy? I'm not sure we're going to address the problem that we have with this current notice and choice model.

Oh, oh!

I'm advising them to be extremely transparent and to be clear and to have proper consent in place. We still have a problem at the end of the day that people click and don't read. That's a reality. How is this going to address the problem? I don't know. I don't know, and I'm just concerned about the confusion it's going to create.

Well, we're certainly paying attention to the amendment. We're scratching our heads a little bit as to what exactly it means. I have been asked the question by a variety of my clients. We represent more than 99% of the life and health insurance industry, and many of the legal folks within that industry have come to me and said, “What does that mean that we have to do, technically?” That's technically in the sense of “On the ground, what am I supposed to do to ensure that this kind of understanding is there?”

As well, what's the difference from the rules now? Again, I think there's been a sense of knowing what you at least have to disclose to the consumer: what is the change going to be? I've certainly been asked the question, and I don't know what the answer is. That is why, in our opening statement, we said that we need to have that discussion with the folks at the department, with the folks at the OPC, whom I saw supported this. Obviously, the department supports it because they put it in, and the OPC was a witness indicating that.

I think we'll need their help with the provision, because we're a compliance-driven industry and we want to comply.

Agreed.

Is that a Thursday?