Canada: Privacy Law For AB Insurers


The last 20 years have seen radical advances in technology, the like humankind has never known. The revolutionary way in which data can now be stored, catalogued, and shared has arguably led to a significant "digitization" of individuals. Simply, more of our lives are being recorded than ever before, whether it be voluntary (Facebook, Instagram, Snapchat etc.) or involuntary (intelligence gathering, surveillance etc.).

In light of this digitization, there has been a growing pressure to carve out a space where neither corporations nor government can intrude on the individual, and when they do, to govern what can be made of that information. This is essentially the concept the law recognizes as "privacy".

Canadian courts have moved towards allowing civil remedies – and the awarding of damages – for invasions of personal privacy. Ontario has now specifically recognized the torts of "intrusion upon seclusion"1 and "the publication of embarrassing private facts".2 The Court of Appeal for Ontario, in the seminal case of Jones v. Tsige (in which the court acknowledged the tort of intrusion upon seclusion), provided commentary to the following:

67.   For over 100 years, technological change has motivated the legal protection of the individual's right to privacy. In modern times, the pace of technological change has accelerated exponentially. Legal scholars such as Peter Burns have written of "the pressing need to preserve 'privacy' which is being threatened by science and technology to the point of surrender": "The Law and Privacy: the Canadian Experience", at p. 1. See, also, Alan Westin, Privacy and Freedom (New York: Atheneum, 1967). The Internet and digital technology have brought an enormous change in the way we communicate and in our capacity to capture, store and retrieve information. As the facts of this case indicate, routinely kept electronic databases render our most personal financial information vulnerable. Sensitive information as to our health is similarly available, as are records of the books we have borrowed or bought, the movies we have rented or downloaded, where we have shopped, where we have travelled and the nature of our communications by cellphone, email or text message.3

While the courts continue to grapple with how the common law should expand and react to the growing need to protect individual privacy, governments have taken legislative steps to assist in filling the legal void.

The government of Canada, for example, enacted the federal Privacy Act on Canada Day in 1983. This legislation governs the collection, use, and disclosure of "personal information" by federal government institutions.4 The provincial equivalents in Ontario are the Freedom of Information and Protection of Privacy Act5 and the Municipal Freedom of Information and Protection Act.6 When an individual makes a request under either of these acts, they are commonly referred to as FIPPA or M-FIPPA (pronounced "fippah" and "em-fippah" respectively) requests.

Insurers, of course, are not government institutions and as such, the above – noted pieces of legislation have no applicability. The only importance that the Privacy Act holds for insurers is that it also established the Office of the Privacy Commissioner of Canada, an independent office which acts as the enforcer – along with the courts – of federal privacy legislation.

Recognizing that private corporations also hold extensive amounts of private information, the federal government enacted the Personal Information Protection and Electronic Documents Act, otherwise simply referred to as PIPEDA (pronounced "pih-pee-dah"), as of 2001.7Unlike the legislation referred to earlier, PIPEDA applies as follows:

4 (1) This Part applies to every organization in respect of personal information that

(a) the organization collects, uses or discloses in the course of commercial activities;8

It is now well-accepted PIPEDA applies to insurance companies, and more specifically, to the accident benefits process.


PIPEDA applies to private sector organizations when they are acting commercially. The definition of "organization" in PIPEDA is broad and covers corporations, associations, partnerships, sole proprietorships and individuals.9 As such it applies to a first-party statutory accident benefits insurers, since an accident benefits insurer could be classified as a private sector organization acting commercially.

PIPEDA only applies to personal information. Personal information is defined as any "information about an identifiable individual".10 The Courts have commented that this definition is "very far reaching" and "remarkably encompassing".11 It has been found to include information such as names, birth dates, income, physical descriptions, medical histories, genders, religions, addresses, political affiliations, beliefs, education, employment, and visual images such as photographs and videotape where individuals may be identified.

Personal health information, which is defined in PIPEDA, is just a subset of personal information.

Once PIPEDA has been found to apply, the legislation goes on to regulate the collection, the use, and the disclosure of "personal information".

On the principle of collection, PIPEDA mandates12 that information only be collected on consent of the individual. Principle 4.3 of PIPEDA states as follows:

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

On the principle of use, PIPEDA mandates, at Principle 4.5:

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

Arguably the most onerous effect of PIPEDA is its obligation to account for, and disclose, information to an individual. Principle 4.9 states as follows:

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

It is important to note that "access" is exercised in two ways under this Principle. First, the individual shall be informed of the existence as well as use and disclosure of any personal information. Second, the individual shall then be granted access to said information. All of this must take place within thirty days of the request, unless the organization meets the conditions for an exception or is entitled to an extension of time:

8 (1) A request under clause 4.9 of Schedule 1 must be made in writing.

(2) An organization shall assist any individual who informs the organization that they need assistance in preparing a request to the organization.

(3) An organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.

There are exemptions to the obligation to disclose. Even if information is found to be "personal information" under PIPEDA, there are 6 exceptions to the disclosure requirement. One is contained at s. 9(1) and the remaining five are contained in s. 9(3) of PIPEDA:

  1. An organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party, unless the information about that third party is severable (s. 9(1)).
  2. the information is protected by solicitor – client privilege or, in civil law, by the professional secrecy of lawyers and notaries (s. 9(3)(a));
  3. to do so would reveal confidential commercial information (s. 9(3)(b));
  4. to do so could reasonably be expected to threaten the life or security of another individual (s. 9(3)(c));
  5. the information was collected under paragraph 7(1)(b), being information that was collected without the knowledge or consent of an individual for the purpose of investigating a breach of an agreement or a contravention of the laws of Canada or a province (s. 9(3)(d));
  6. the information was generated in the course of a formal dispute resolution process (s. 9(3)(e)); or
  7. the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act (s. 9(3)(f)).

PIPEDA, as federal legislation, is enforced by the Office of the Privacy Commissioner of Canada. There are two stages to a complaint: the investigation and the report.

The investigation process is handled by an investigator on behalf of the Privacy Commissioner. Most investigators simply take an informal approach between the complainant and the organization, in order to reach a resolution. Mediation and conciliation are two express powers given to the Commissioner.

During the investigation stage, the investigator is bestowed with significant and extensive powers. This includes the power to summons any person to give testimony, and even enter any premises occupied by an organization to interview individuals. In the event that a resolution cannot be met, the investigator will issue a report setting out the findings.

The investigator involved in a complaint process cannot grant remedies. However, once the findings are made, the complainant can then bring an action in the Federal Court based on the complaint regardless of the findings of the OPC (positive or negative). The action before the court is a fresh hearing (known as a hearing de novo), and the court can order damages.


Adjusting a claim implicit requires a gathering of relevant information. Accident benefits claims, in general, require a significant amount of information to adjust on an on-going basis, and as such, privacy legislation should be a forefront concern for insurers.

The Schedule has built-in mechanisms for gathering information. For example, section 33 of the current Schedule allows for the insurer to request any "reasonably required" information from the applicant, with penalties to the applicant in the event of non-compliance:

33. (1) An applicant shall, within 10 business days after receiving a request from the insurer, provide the insurer with the following:

  1. Any information reasonably required to assist the insurer in determining the applicant's entitlement to a benefit.
  2. A statutory declaration as to the circumstances that gave rise to the application for a benefit.
  3. The number, street and municipality where the applicant ordinarily resides.
  4. Proof of the applicant's identity.

(6) The insurer is not liable to pay a benefit in respect of any period during which the insured person fails to comply with subsection (1) or (2).

Of course, s. 33 does not explicitly discuss what use can be made of the information gathered or to whom the information may be disclosed. What if it is necessary to provide a self-employed insured's tax returns to an accountant to calculate the income replacement benefit?

For this reason, the Application for Accident Benefits (OCF-1) – which is signed by the applicant and submitted to the insurer – contains mandatory consent language which facilitates and enables the insurer to adjust the accident benefits claims file. It is contained at the last (8th) page of the OCF-1 and is immediately above the signature area.

The consent language reads as follows:


I UNDERSTAND that you, and persons acting for you, will collect personal information and personal health information about me that is related to my claims for accident benefits arising out of the accident described in this application, and that all such information will be collected directly from me or from any other person with my consent.

I ALSO UNDERSTAND that you and persons acting for you will collect information about my driving record, automobile insurance policy history and automobile insurance claims history if they exist.

I ALSO UNDERSTAND that if I am the holder of an automobile insurance policy, you, and persons acting for you, will collect the driving record, automobile insurance policy history and automobile insurance claims history of any listed drivers on my automobile insurance policy or other drivers whom I have permitted to drive my automobile.

I ALSO UNDERSTAND that the information described above will be collected and used only as reasonably necessary for the purposes of:

  • Investigating my claims and processing my claims as required by law, including the Ontario Automobile Policy;
  • Obtaining or verifying information relating to my claims in order to determine entitlement and the proper amount of payment;
  • Recovering payment from insurers and others liable in law for amounts that you pay in connection with my claims;
  • Identifying and analyzing the nature and costs of goods and services that are provided to automobile accident victims by health care providers;
  • Preventing, detecting and suppressing fraud;
  • Compiling anonymized statistics for government agencies; and
  • Assessing underwriting risks and claims experience.

I ALSO UNDERSTAND that you, and persons acting for you, may disclose this information to the following persons or organizations, who may collect and use this information only as reasonably necessary to enable you or them to carry out the purposes described above: Insurers; insurance adjusters, agents and brokers; employers; health care professionals; hospitals; accountants; financial advisors; solicitors; organizations that consolidate claims and underwriting information for the insurance industry; fraud prevention organizations; other insurance companies; the police; databases or registers used by the insurance industry to analyze and check information provided against existing information; and my agents or representatives as designated by me from time to time.

I ALSO UNDERSTAND that you, and persons acting for you, may pool this information with information from other sources and may analyze this information for the limited purpose of preventing, detecting or suppressing fraud.

I CONSENT and, if I am the holder of an automobile insurance policy, declare that I have obtained consent from the listed drivers on my policy and any other drivers whom I have permitted to drive my automobile, to you collecting, using and disclosing this information in the manner described above, but no more of such information than is reasonably necessary to meet the legitimate purpose of such collection, use or disclosure.

I UNDERSTAND that if I have any questions about this consent I am free to consult with my insurance company representative or legal advisor before signing this document.

I AM ALSO AWARE that you, and persons acting for you, may be required or permitted by law to disclose this information to others without my knowledge or consent.

I CERTIFY THAT THE INFORMATION PROVIDED IS TRUE AND CORRECT. I UNDERSTAND THAT IT IS AN OFFENCE UNDER THE INSURANCE ACT to knowingly make a false or misleading statement or representation to an insurer under a contract of insurance. I FURTHER UNDERSTAND THAT IT IS AN OFFENCE UNDER THE FEDERAL CRIMINAL CODE for anyone, by deceit, falsehood, or other dishonest act, to defraud or attempt to defraud an insurance company. This information will be used for processing payments of claims; identifying and analysing the nature, effects and costs of goods and services that are provided to automobile accident victims, by health care providers; and PREVENTING, DETECTING AND SUPPRESSING FRAUD.

To obtain further information about how your consent relates to pooling and data analytics to prevent and detect fraud please visit

The language of the consent was purposefully drafted; it specifically refers to "personal information" and "personal health information", which are the terms upon which all of PIPEDA is ultimately based. The use of this language was approved of by the Privacy Commissioner of Canada in PIPEDA Report of Findings #2015-003.13

In PIPEDA Report of Findings #2015-003, the Privacy Commissioner noted the following:

14. At issue is whether, pursuant to Principle 4.3, the complainant's insurance company obtained the complainant's consent to use and disclose her personal health information to obtain an annuity via third party organizations. Germane to this issue is whether the purposes for the consent were presented by her insurance company in a manner that could be reasonably understood (Principle 4.3.2).

15. The investigation revealed that the complainant signed the OCF-1, which contains explicit language concerning the collection, use and disclosure of her personal information, including for personal health information. The OCF-1 also contains a detailed list of the purposes for the collection and use of personal information as well as an exhaustive list of parties with whom information may be shared in order to carry out the described purposes.

16. Our Office's comparison of the purposes described in the OCF-1 (to which the complainant had consented) with those for which her insurance company later shared the complainant's personal information revealed that the latter are subsumed in the former. That is to say, in our view, her insurance company was not sharing the complainant's personal information for purposes other than those to which she had consented to when she signed the OCF-1. We also note that both "financial advisors" and "insurers" are named in the OCF-1 as parties to which her insurance company may disclose a claimant's personal information and that the disclosure to the third parties in question fit those descriptions.

17. The use and disclosure in this case clearly occurred in relation to the processing of the complainant's claim with her insurer, specifically to arrange for an annuity for payment.

18. In our view, for the purpose of processing her claim, the complainant's insurance company had her consent to share her personal medical information with the third parties involved in this complaint. Principles 4.3 and 4.3.2 were thus upheld.

Given the sensitivity that surrounds an individual's medical records, disclosure of health information to an independent medical examiner is often met with higher scrutiny than disclosure of other types of information.


A. Disclosure to the Assessor

In addition to relying on the information supplied by the applicant as requested by the insurer pursuant to s. 33, the Schedule also allows for an insurer to have an applicant assessed by a regulated health professional (or a vocational rehabilitationist) to assist in determining entitlement to benefits. This legislated right is contained at s. 44 of the most recent Schedule:

44. (1) For the purposes of assisting an insurer to determine if an insured person is or continues to be entitled to a benefit under this Regulation for which an application is made, but not more often than is reasonably necessary, an insurer may require an insured person to be examined under this section by one or more persons chosen by the insurer who are regulated health professionals or who have expertise in vocational rehabilitation. 

The insurer is also required to provide the assessor with the medical documentation "relevant or necessary" for review:

44. (9) 2. ii. the insured person and the insurer shall, not later than five business days before the day scheduled for the examination, provide to the person or persons conducting the examination such information and documents as are relevant or necessary for the review of the insured person's medical condition, ...

Indeed, an insurer would likely have breached its duty of good faith if did not produce all relevant medical documentation in its possession! Yet still, the insurer must be cautious of disclosing information in contravention of applicable privacy law.

For the purpose of an independent medical examination under section 44 of the Schedule, the most important language of the OCF-1 consent is the following paragraph:

I ALSO UNDERSTAND that you, and persons acting for you, may disclose this information to the following persons or organizations, who may collect and use this information only as reasonably necessary to enable you or them to carry out the purposes described above:

Insurers; insurance adjusters, agents and brokers; employers; health care professionals; hospitals; accountants; financial advisors; solicitors; organizations that consolidate claims and underwriting information for the insurance industry; fraud prevention organizations; other insurance companies; the police; databases or registers used by the insurance industry to analyze and check information provided against existing information; and my agents or representatives as designated by me from time to time.

It is becoming more common that an insured will refuse to "consent" to the examination where an assessor requires a form of consent be executed.

B. Consent to be Examined

In our experience, an applicant's counsel will sometimes attempt to interfere with the proper administration and adjusting of an accident benefits claim file by indicating the applicant "does not consent" to an independent medical examination under the Schedule. To that end, can an assessor require the applicant to sign a consent prior to the examination? If the applicant refuses to sign it, does this constitute a "refusal to attend" for the purpose of denying benefits?

The answer can be found in the arbitral decision of Arbitrator Wilson in Luther v. Economical14 as well as the Superior Court decision of Justice Beaudoin in Intact Insurance v. Anne Beaudry.15 Both decisions quite clearly stand for the proposition that some kind of consent can be required by a medical health practitioner duly appointed under the Schedule prior to the conducting of an assessment.

However, what can be contained in that consent is still a matter of great ambiguity. Justice Beaudoin in Beaudry simply indicated that the form of the consent must be "reasonable":

[25] The requirement of reasonableness inevitably turns on the circumstances of any particular case and this will necessitate negotiations between the parties. ...

Arbitrator Wilson in Luther seemed to elude to the fact that the consent should cover only the actual conduct of the assessment itself:

[21] An FAE by its very nature is challenging and may cause an individual to feel pain, and possibly more serious consequences. Likewise for the physiatry assessment, Dr. Clifford's consent form indicates that "some parts of the Physical Examination may cause you to feel pain" and that "on a few occasions, the movement will be passive – that is, Dr. Clifford will move a relaxed joint."

[22] However much they may be minimized, it is clear that examinations may involve both pain and touching. In the absence of consent, or other legal justification, at common law a battery would take place.

The College of Physicians and Surgeons of Ontario, being the regulatory body for medical doctors in Ontario, recommends that a consent form be signed.

Out of an abundance of caution, given the case law above and the recommendations of the CPSO, we always recommend that a consent be presented to an applicant regarding the conduct of the examination in order to protect the physician as well as the insurer.

C. Disclosure from the Independent Medical Assessor and Independent Medical Examination Centre

Insurers will typically retain an IME centre to oversee the administration of the assessment. Administration includes the retaining of the appropriate medical health practitioner and clearing conflicts with the same, arranging for the assessment itself in terms of notice, transportation, venue and interpreter etc., and the organization of payment. The IME centre will also often employ quality assurance measures, such as editing for grammar and flow (not substantive changes for the opinion).

The IME centre itself typically does not employ IME assessors directly. Rather, the centre ordinarily has a roster of medical health practitioners which have contracted their services to the centre. The IME centre often integrates quality assurance measures into its roster as well to ensure high quality reports, timeliness, responsiveness, etc.

A growing issue is what needs to be disclosed to the applicant by the IME assessor, and the IME centre generally, when faced with a request under Principle 4.9 of PIPEDA. We have seen relatively innocuous requests for clinical notes and records of assessors on the mild end, all the way to the internal business contract between the insurer and the IME centre!

Needless to say, referencing PIPEDA does not automatically entitle a free-for-all in terms of disclosure.

The best guidance we have was provided to us by the Federal Court of Appeal in Wyndowe v. Rousseau.16 This was not an accident benefits decision, however, it involved a PIPEDA request for disclosure made to a physician, Dr. Wyndowe, for his notes and records as a result of an assessment conducted on behalf of a disability benefits insurer, being Maritime Life.

This area of insurance is of course nowhere near as regulated as automobile insurance and statutory accident benefits, but it does concern an IME.

The Federal Court of Appeal, in ordering the physician's notes be disclosed, offered the following guidance:

49. In light of the Privacy Commissioner's recognition that there are in the notes information which is personal to Mr. Rousseau and information which is not, it may be said that in the end, Mr. Rousseau has a right of access to the information he gave the doctor, and to the final opinion of the doctor in the form of the report to the insurer. In accordance with Principle 4.9.1. of Schedule I to the PIPED Act, this enables Mr. Rousseau to correct any mistakes in the information he gave the doctor or which the doctor noted, as well as any mistakes in the doctor's reasoned final opinion about his medical condition. But the process of getting to that final opinion from the initial personal information of Mr. Rousseau belongs to the doctor.

It can therefore be said that information relating to process is information that is personal to the physician and therefore not disclosable.

Importantly, the right to information given to the physician would be satisfied by the production of the final report. This is because the information given to the assessor verbally during the assessment and any documentation reviewed for the same will be contained explicitly in the final report. The final report is both a catalogue of information and a final opinion.

For example, the College of Physicians and Surgeons of Ontario requires that all background information reviewed and relied upon be listed in said report:

Physicians should ensure that they have obtained and reviewed all available clinical notes, records and opinions relating to the patient or examinee that could impact the findings of the report, including the physician's final opinion and/or recommendations.

To allow for optimal clarity, the College advises physicians to outline the basis for their professional opinion, and the information or observations on which they have relied in forming that opinion.17

Draft medical reports, notes and records, quality assurance documentation etc. is all not disclosable as process. Further, the information given to the physician by the insured will be listed in the report along with the final opinion. The medical documentation reviewed by the physician is typically returned to the IME centre and not retained in the possession of the assessor.

Of course, an applicant is often entitled to draft reports through by way of arbitral Order. It is important to keep in mind what an applicant is entitled to under the Schedule is separate and distinct from the remedies available under PIPEDA.

Therefore, everything that the insured is entitled to under PIPEDA from an IME physician is satisfied by production of the final report by the insurer.18 The question therefore remains as to what the insured is entitled to from the IME centre itself.

Everything in the possession of the IME centre which is producible is already accessible from the insurer directly. This is an important fact. The IME centre and the IME physician are carrying out functions pursuant to Schedule on behalf of the insurer. To this extent, the IME centre and physician are merely independent agents of the insurer.

Justice Décary in Wyndowe recognized the principle of agency was at work in an IME setting, albeit not one crafted under the Schedule:

36. In the context of these two commercial relationships – between Dr. Wyndowe's corporation  and Maritime Life on the one hand and between Mr. Rousseau and Maritime Life on the second hand – I find it hard to believe that by introducing a third relationship – between Dr. Wyndowe and Mr. Rousseau – the commercial nature of the overall transaction is defeated. In my view, Dr. Wyndowe is merely the medical agent of Maritime Life. If Dr. Wyndowe worked as a full time doctor for Maritime life, there would be no question the transaction is commercial; being examined by him would merely be a step which Mr. Rousseau had to follow to collect his benefits. In that sense the examination would be akin to filling out a form required by Maritime Life in order to begin collecting benefits.  Just because Dr. Wyndowe is an independent consultant hired by Maritime Life does not change the fact that the overall transaction retains its commercial nature. It also does not change the fact that Mr. Rousseau was only doing what his contract with Maritime Life required him to do to maintain his benefits, i.e. submitting to an IME.

As of now, we have taken the position that a PIPEDA request cannot be made to the IME centre directly without involving the insurer. The requirement that the insured advance a PIPEDA request to the insurer allows the insurer to adjust the claims file and adhere to its duty of good faith by not creating an external relationship between the assessor and the applicant directly.

D. Correcting Reports Under PIPEDA

It is clear that PIPEDA cannot simply be inserted into the accident benefits process without disruption of this comprehensive scheme. One of the most disruptive elements which has come to light in our recent experience is the request by insureds to "correct" independent medical examination reports by demanding changes from the assessor directly.

The ability to "correct" personal information is indicated under principle 4.9.5:

4.9.5 When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.

As stated earlier, the assessor functions as the medical agent of the insurer the purpose of completing an examination under the Schedule. The assessor merely carries out the functions of the Schedule delegated to it by the insurer who is in turn empowered by legislation and regulation.

The insured cannot contact and demand changes to a report, or an addendum, outside of the processes of the Schedule. Doing so not only frustrates the ability of the insurer to adjust the claim fairly, it allows the insured to step between the insurer and its own agent thereby creating a separate relationship not contemplated by the Schedule. Arguably, exercising this right is a breach of the duty of good faith of the insured to the insurer, which we have noted earlier to be reciprocal.

In addition, questioning the IME assessor outside of the insurer and outside of the arbitral process allows for an attempt to cross-examine their report in an unmitigated fashion. Such attempts are properly left to the trial or arbitration of the matter and have been found to be inappropriate.19

In effect, the insured would be entitled to "correct" a report vis-à-vis the insurer, who again is using that information to adjust the claims file. The insurer is then responsible under principle 4.9.5 to transmit said amended information to the assessor for an addendum pursuant to s. 44, which it would be obligated to do anyways under its duty of good faith.


Privacy is an important but infantile area of law; while there is currently limited case law on the application of PIPEDA, this will change rapidly in the coming years.

Should an issue concerning an applicant's right to privacy arise in the course of the adjusting of an accident benefits, whether that be after a complaint or before one is alleged at all, it is vital that legal advice be sought in order for the insurer to maintain its duty of good faith and be in compliance at all times with applicable privacy law.


1 Jones v. Tsige, 2012 ONCA 32.
2 Jane Doe 464533 v. N.D., 2016 ONSC 541.
3 Jones v. Tsige, 2012 ONCA 32 at para. 67.
4 Privacy Act, RSC 1985, c P-21.
5 Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31.
6 Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. M. 56.
7 Personal Information Protection and Electronic Documents Act, SC 2000, c 5. [PIPEDA]. PIPEDA came into force between 2001 and 2004 in stages.
8 PIPEDA, supra, s. 4(1).
9 PIPEDA, supra at  s.2(1). .
10 PIPEDA, supra s. 2(1).
11 Wyndowe v. Rousseau, 2008 FCA 39 at paras. 42 and 43. [Wyndowe Appeal]
12 Subject to minor exceptions, such as artistic or literary purposes.
13 PIPEDA Report of Findings #2015-003.
14 2012 CarswellOnt 8237.
15 2016 ONSC 6127.
16 Wyndowe Appeal, supra note 46 at TAB U.
17 Third Party Reports: Reports by Treating Physicians and Independent Medical Examiners, Policy Statement #2-12 (November 2002) at TAB FF
18 Of course, the insured could apply for an arbitral Order for production of the same. It is for this reason that PIPEDA requests seeking these documents appear to be a litigation strategy to place administrative costs on the IME assessors and undermine the relationship between the insurer and the insured through a third party.
19 See e.g. Babakar v. Brown, 2010 ONSC 255.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:
  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.
  • Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.
    If you do not want us to provide your name and email address you may opt out by clicking here
    If you do not wish to receive any future announcements of products and services offered by Mondaq you may opt out by clicking here

    Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

    Use of

    You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


    Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

    The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


    Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

    • To allow you to personalize the Mondaq websites you are visiting.
    • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
    • To produce demographic feedback for our information providers who provide information free for your use.

    Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

    Information Collection and Use

    We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

    We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

    Mondaq News Alerts

    In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


    A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

    Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

    Log Files

    We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


    This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

    Surveys & Contests

    From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


    If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


    From time to time Mondaq may send you emails promoting Mondaq services including new services. You may opt out of receiving such emails by clicking below.

    *** If you do not wish to receive any future announcements of services offered by Mondaq you may opt out by clicking here .


    This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

    Correcting/Updating Personal Information

    If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

    Notification of Changes

    If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

    How to contact Mondaq

    You can contact us with comments or queries at

    If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.

    By clicking Register you state you have read and agree to our Terms and Conditions