Case Study: Decision from the Office of the Privacy
Commissioner of Canada
Insurers and banks function on personal information; insurers
require that information to underwrite and adjust, and banks to
assess risk. It is no surprise that these two entities are perhaps
the largest targets of privacy law, specifically the sweeping
Personal Information Protection and Electronic Documents
Act (otherwise known as PIPEDA).1
PIPEDA requires the full and timely disclosure of
personal information generated in the course of commercial
activity. However, personal information does not need to be
disclosed when the information is generated in the course of a
"formal dispute resolution process",2 such as
For years now, all insurance companies incorporated in Canada
have been required to establish procedures for dealing with
complaints, as per sections 165 and 486 of the federal Insurance
Companies Act.4 This is also required by Canadian banks
pursuant to sections 157 and 455 of the Bank
Act.5 The process is not fixed, but it must include
a designated individual to deal with those complaints, often
referred to either as the Complaints Officer or
Nothing dictates what the complaint process should look like,
and as such the internal complaint process is distinct from company
to company. By necessity there is at least some level of
investigation, and my experience has been that this investigation
will result in the generation of personal information.
The question then arises: does personal information generated in
the course of the complaint become subject to PIPEDA?
Decision #2016-006,7decided in February 2016 and
published on August 25, 2016, concerned an insured who filed a
complaint with her insurer's internal complaints office. As
part of that complaint, the insured made phone calls to the insurer
which were recorded. The insured then requested disclosure of these
phone calls pursuant to PIPEDA.
The insurer took the position that the complaint process was a
formal dispute resolution process, and therefore, the personal
information was exempted from disclosure. The insurer (through its
parent company, being a bank) provided information indicating that
the complaint process was independent and impartial, and also
provided statistics showing the process was effective.
The Privacy Commissioner disagreed, focusing on the requirement
of the process to be "formal":
The regulatory structure for banks and insurance companies
referenced by the Respondent requires them to provide an internal
complaints resolution process and to require customers to exhaust
the internal process first. However, our Office is of the view that
this regulatory structure does not speak to the formality of those
processes; it requires banks and insurance companies to have a
process in place, but does not provide any framework of what this
process must entail. Banks and insurance companies retain
considerable flexibility as to the kind of internal processes
... on the refusal to release personal information related to
dealings with the ombudsman, our view is that while the ombudsman
provides a means for resolving complaints, it lacks the framework
and structure that would qualify it as a "formal
process." As a result, the company's use of the exemption
in paragraph 9(3)(d) was not justified.
As of February 2016, the Privacy Commissioner determined that
internal complaints processes – required by insurers and
banks by legislation – do not qualify as formal
dispute resolution processes. Insurers and banks must now be aware
that any documentation generated through their internal processes
is subject to disclosure requirements under PIPEDA.
Although the decision is relatively unsurprising in result, but
its analysis is interesting. There very well may be dispute
resolution processes put in place by regulation which meet the
formality requirements to be exempt.
For now, the decision simply reiterates that each
PIPEDA request must be viewed in its own context to
determine whether a disclosure exemption applies.
1 Personal Information Protection and Electronic
Documents Act, S.C. 2000, c. 5.
2 PIPEDA, s. 9(3)(d).
3 See Case Summary #2003-147.
4 S.C. 1991, c. 47. This is not to be confused with the
provincial Insurance Act,
R.S.O. 1990, c. I.8. Insurers are incorporated pursuant
to federal jurisdiction, whereas they are regulated and licensed
pursuant to provincial jurisdiction.
5 S.C. 1991, c. 46.
6 In Ontario, these individuals are identified and listed
on the FSCO
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).