Industry Committee on March 26th, 2015

I'd like to highlight four of them. It's not that we would say, “Stop the bill and make these happen”, but in our mind, they would make for a better bill.

For example, in paragraph 7(1)(b), which is collect without consent in certain circumstances, we would also like to have a reference to collecting for the purpose of detecting, preventing, and suppressing fraud. We have the right to disclose for that purpose. Just to balance it out, having the right to collect would sort of be the other bookend to that.

We would also propose a small change to proposed paragraph 7(3)(d.2), and that's in the written submission we gave. It's to make sure we really have the ability to conduct those fraud analytics in a way that was recommended by the Ontario fraud task force.

A third change is with respect to proposed paragraph 7(3)(c.1). This is the provision that says you don't have to give access when someone makes an access request in certain circumstances. There's a reference in proposed paragraph 7(3)(c.1) to no access. We want to make sure there should be no access if the information is collected as part of the work product. We've added that work product aspect to the bill if we're able to collect information as part of a work product.

For example, insurers have claims files, adjusters have claims files, and we collect personal information in those claims files. In those claims files is also the reserve amount that has been set for that particular claim. It would be quite inappropriate in our mind to have to release the amount of that reserve amount for a particular claim via a PIPEDA request at the request of the person who is at the other side of the transaction. We would like to have that fixed if we could.

The fourth item is with respect to paragraph 9(3)(a). An amendment has been made already under Bill S-4. We suggest in addition to having solicitor-client privilege, that litigation privilege also be a basis for that.

I would not stop the bill from being passed, but just have those changes. It would be a better world.

We have a concern where the breach might be of a minor nature but it would still be subject to very serious penalties, as was being referred to earlier. Including those as part of the requirement for record-keeping would be inappropriate.

I mean, think of an example where you step away from your computer, and a colleague from another department who doesn't have access might come to visit and see something on your screen for a second. They see some piece of personal information. Technically that could be a breach. It would be subject to putting it on the list and, if you don't do it, it could be subject to the penalties.

I think there are examples like that, very minor in nature, where we could clarify that those kinds of things are not covered. That can be done, as we suggested earlier, by regulations, by guidelines, or some other means.

I like the risk-based approach so that if we're talking about a real risk of significant harm, then those should definitely go on the list. What should go beyond that on the list is something I think should be discussed and clarified in a guideline or in regulations.

I'm sorry, I thought you were asking him the question.

Yes: so it's why I have an issue with valid consent.

When I saw the proposal, I wondered why we needed a change, because I think PIPEDA, to a certain extent, is clear enough on the fact that you need to make sure that consent is valid and people understand what you're collecting. Then I realized that the concern originally related to minors: maybe it's not stringent enough; how do we get consent from minors; maybe vulnerable groups; aging investors. So my testimony today is saying if that's the concern, maybe we should specifically address these types of issues in the law, not reopen the whole consent issue. That's what I'm trying to say.

Yes, my concern is with the anti-spam legislation; it's providing for a very stringent express consent provision, and some of the information has to be obtained outside of the standard terms of use agreement, privacy policy. So already when people buy something or they subscribe to something, they have to accept the policy, accept the terms of use. Now they have to agree to receive commercial messages and so on. So we're going to go back to the same situation when people are overloaded with information and they don't read it. I'm saying if the concern is minors and vulnerable groups, let's focus on these people and make sure that consent in specific situations is properly addressed.

We've run into a real difficult time getting police to take these investigations. First of all, they're only going to take high-priority investigations, for one thing. They're overloaded. They want to deal with the more serious crimes of personal harm—assault, attempted murder, murder, things like that—and unfortunately, with their limited resources, these departments are small...that will have a fraud component to the police. They'll only take the more serious ones, the ones that actually have been investigated fairly thoroughly and put into a crown brief sort of format, which takes an extensive amount of work on our part. Then at that point in time we'll meet with the police officer who's in charge of accepting investigations and we'll run it through with them, showing them the connections, the social networking among the parties. But their ability to take on these investigations is fairly limited. They're only going to take on the high-priority ones.

Now, the other thing that we do is share investigations with the Financial Services Commission of Ontario, and as a result of doing that as well, they have laid numerous charges and actually shut down illegal operations. Unfortunately, the police over the years have kept reducing their head count in the areas of insurance crime and have concentrated in areas where personal harm exists.

I can tell you that in a study we're involved in for which we provided data, organized insurance crime itself in Ontario was estimated to be as high as $1.6 billion. Last year alone, as I said, in ongoing investigations we investigated 52 suggested insurance crime rings and we accepted an additional 14. These involved a significant amount of work.

We think this is just the tip of the iceberg, because unfortunately we rely on our member companies to at least give us a tip to say “There's something that seems a little out of norm here; can you guys at least look into it?” This is the area in which it is important that they be able to speak to each other.

Absolutely.