Canadian National Insurance Crime Services (CANATICS) recently became one of the first organizations to receive Privacy By Design (PbD) certification from the Privacy and Big Data Institute at Ryerson University.1 CANATICS is a not-for-profit corporation established by Canadian insurance companies to assist in combatting organized and premeditated insurance fraud in a manner that protects and respects individual privacy. CANATICS uses state of the art data analytics technology to identify potentially suspicious insurance claims in data pooled across participating insurance companies. CANATICS only provides an alert for potential fraud; it is mandatory for the insurance company to conduct further investigation before making a decision in relation to each alerted claim before it makes a decision.
Organizations are increasingly harnessing the analytics power of their data assets by deploying cutting edge data analytics solutions in-house. CANATICS represents an emerging innovative approach in which organizations "pool" their respective data for an integrated analytics, towards a common purpose. Financial industries worldwide have been embracing this concept of pooling and analyzing data on an industry-wide basis for purposes of managing common risks such as fraud, money laundering and cyber threats.
Understandably "pooled" data analytics may heighten privacy risks concerns already confronting in-house data analytics. At a time when in-house data analytics remains beyond most organizations' technological and business management capabilities, pooled data means bigger "Big Data" and potentially more privacy challenges to grapple with. Furthermore, multiple sources and ownership of pooled data may complicate individual participant's privacy compliance management. As well, pooled data analytics is invariably outsourced to a third party independent of the participants, as such it typically introduces a new player, new technology, new business processes and new information flows into risk framework, further complicating privacy accountability issues.
Both pooled and in-house data analytics confront the same traditional dualism view of Big Data and Privacy: Big Data puts privacy at risk and privacy in turn hinders organizations' ability to maximize value from data assets. With that premise any solution must necessarily involve a trade-off between the two. CANATICS is proof that this view is no longer sacrosanct. The world of data analytics is open to, and can take, a win-win approach that enables organizations to have the best of privacy and Big Data.
The 7 Foundations Principles of Privacy by Design provided CANATICS the framework to avoid (or resolve) the dualism challenge.2 Several studies by the federal Office of the Privacy Commissioner show that Canadians highly value their privacy. But they are also very concerned about the costs to society of auto insurance fraud. A study by KPMG estimates that auto insurance fraud costs as much as $1.6 billion every year in Ontario alone. In addition to higher premiums for all drivers, organized fraud rings reduce road safety and endanger innocent drivers when they stage collisions to fraudulently collect claims money. And these organized fraud rings include numerous participants – policy holders, relatives, health care providers, paralegals, tow truck operators, body shops etc.
Meeting the challenge head-on, CANATICS committed right from conception to advance, rather than "balance" Canadians interests in reducing insurance fraud and protecting privacy – no trade-off and no compromise. To accomplish this, CANATICS embraced and operationalized the 7 Foundational Principles of Privacy by Design in establishing its privacy practices and controls in alignment with applicable privacy legal requirements. Key among the steps taken in designing CANATICS privacy framework are:
1) Privacy Governance: CANATICS' operating slogan "Privacy Smart from the Start". Privacy protection is a corporate priority throughout all organizational levels. CANATICS privacy framework is a standing item on corporate governance agendas and regularly a subject of review by the Board of Directors and its Privacy & Risk Management Committee.
2) Minimal Data: Only the minimal amount of data required to perform meaningful insurance fraud analytics is used, and once processed all fraud alerts and reports are masked.
3) Limiting False Positives: Fraud alerts are only generated for highly suspicious activity at both the network and claim level. All alerts must be followed by investigation by the affected insurance company; a decision cannot be made on the alert alone.
4) Security: CANATICS technology is provided and managed by a world leader in security, which has implemented controls to protect data during its lifecycle as well as access, audit and logging controls.
5) Transparency: CANATICS communications plan focuses on consistent, coherent and clear multi-channel content that enhances consumer awareness and promotes CANATICS strategic goals and commitment to privacy and security. The plan involves regular consultations with privacy regulators to ensure that the privacy framework remains aligned with legal requirements.
CANATICS approach to maximizing privacy and economic values, through the operationalization of the Privacy by Design principles, will become even more important as organizations increasingly recognize the game-changing value of Big Data analytics in formulating growth, competitive and risk management strategies.
1 The basis for Ryerson's Privacy by Design Certification are the 7 Foundational Principles of Privacy by Design. Created by former Ontario Privacy Commissioner Dr. Ann Cavoukian, Privacy by Design is a framework that seeks to proactively embed privacy into the design specifications of information technologies, networked infrastructure and business practices, thereby achieving the strongest protection possible.
2 In addition to the book espousing the principles, Dr. Ann Cavoukian and Deloitte experts have published papers demonstrating how organizations can successfully deploy of privacy-protective Big Data strategies. See for example "Achieving Big Data Innovation Without Compromising Privacy", available at http://bit.ly/Ta8Lsb ; "You Can Have It All: Privacy Embedded Into Innovation Will Achieve Big Data Success!", available at https://www.ipc.on.ca/images/Resources/2014-06-10%20Deloitte.pdf ; and "Have it all – Protecting privacy in theage of analytics", available at http://www2.deloitte.com/content/dam/Deloitte/ca/Documents/Analytics/ca-en-analytics-ipc-big-data.pdf
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.