According to a report of findings released by the Office of the Privacy
Commissioner of Canada (the "Federal
Commissioner"), insurance companies can obtain personal credit
information from credit reporting agencies and use it to assess
risk and calculate insurance premiums. However, they must
obtain meaningful consent and be open about their personal
The complainants' home insurance renewal premium increased
considerably compared to the previous year's premium.
When they looked into why, they discovered that the insurance
company had asked for, and received, their personal credit
information from a credit reporting agency. In a complaint to
the Federal Commissioner, the complainants alleged that the
practice of using a customer's credit information, obtained
from a third party (like the credit reporting agency), was
inappropriate, and that the insurer did not have their knowledge or
consent to do so.
The Federal Commissioner applied the Personal Information Protection and Electronic
Documents Act ("PIPEDA") in the analysis, and came to
the conclusion that a reasonable person would consider the purpose
of the collection and use of credit information in this
circumstance to be appropriate. Ontario's Consumer Reporting Act allows the disclosure
of individuals' credit information for the purpose of
underwriting insurance, and assessing risk is an essential part of
the insurance business model.
However, the Federal Commissioner noted the following two
"lessons" to be learned:
The insurance company did not obtain adequate consent to use
the complainants' personal credit information. Under
PIPEDA, "knowledge and consent" are required for the use
of personal information. To obtain meaningful consent, the
purposes for which the information will be used must be stated so
that the individual can reasonably understand how the information
will be used. In this case, the consent provision in the
insurance application form was very general and the use of credit
information to determine insurance premiums is not a familiar or
expected use for customers. As such, an individual would not
reasonably infer that their credit information would be used to
determine insurance premiums.
Under PIPEDA, organizations must be open about their practices
with respect to the management of personal information, in a way
that such information can be acquired without unreasonable effort
and in a generally understandable form. The insurance company
failed to be transparent and open as there was no explicit
information available on its website about the use of credit
information to determine insurance premiums.
The Federal Commissioner did note that credit information is not
essential to assessing insurance risk, and that its use in this
manner is not allowed in all provinces. The Federal
Commissioner went on to say that the "long-term public policy
impact" of this use of credit information is "unknown at
this time" and that the Federal Commissioner's position on
this matter "may evolve over time."
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).