For years now, all insurance companies incorporated in Canada have been required to establish procedures for dealing with complaints, as per sections 165 and 486 of the federal Insurance Companies Act.4 This is also required by Canadian banks pursuant to sections 157 and 455 of the Bank Act.5 The process is not fixed, but it must include a designated individual to deal with those complaints, often referred to either as the Complaints Officer or Ombudsman.6
Nothing dictates what the complaint process should look like, and as such the internal complaint process is distinct from company to company. By necessity there is at least some level of investigation, and my experience has been that this investigation will result in the generation of personal information.
The question then arises: does personal information generated in the course of the complaint become subject to PIPEDA?
The insurer took the position that the complaint process was a formal dispute resolution process, and therefore, the personal information was exempted from disclosure.
Decision #2016-006,7decided in February 2016 and published on August 25, 2016, concerned an insured who filed a complaint with her insurer's internal complaints office. As part of that complaint, the insured made phone calls to the insurer which were recorded. The insured then requested disclosure of these phone calls pursuant to PIPEDA.
The insurer took the position that the complaint process was a formal dispute resolution process, and therefore, the personal information was exempted from disclosure. The insurer (through its parent company, being a bank) provided information indicating that the complaint process was independent and impartial, and also provided statistics showing the process was effective.
The Privacy Commissioner disagreed, focusing on the requirement of the process to be “formal”:
The regulatory structure for banks and insurance companies referenced by the Respondent requires them to provide an internal complaints resolution process and to require customers to exhaust the internal process first. However, our Office is of the view that this regulatory structure does not speak to the formality of those processes; it requires banks and insurance companies to have a process in place, but does not provide any framework of what this process must entail. Banks and insurance companies retain considerable flexibility as to the kind of internal processes adopted.
... on the refusal to release personal information related to dealings with the ombudsman, our view is that while the ombudsman provides a means for resolving complaints, it lacks the framework and structure that would qualify it as a “formal process.” As a result, the company's use of the exemption in paragraph 9(3)(d) was not justified.
As of February 2016, the Privacy Commissioner determined that internal complaints processes – required by insurers and banks by legislation – do not qualify as formal dispute resolution processes. Insurers and banks must now be aware that any documentation generated through their internal processes is subject to disclosure requirements under PIPEDA.
Although the decision is relatively unsurprising in result, but its analysis is interesting. There very well may be dispute resolution processes put in place by regulation which meet the formality requirements to be exempt.
For now, the decision simply reiterates that each PIPEDA request must be viewed in its own context to determine whether a disclosure exemption applies.
1 Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.
2 PIPEDA, s. 9(3)(d).
3 See Case Summary #2003-147.
4 S.C. 1991, c. 47. This is not to be confused with the provincial Insurance Act, R.S.O. 1990, c. I.8. Insurers are incorporated pursuant to federal jurisdiction, whereas they are regulated and licensed pursuant to provincial jurisdiction.
5 S.C. 1991, c. 46.
6 In Ontario, these individuals are identified and listed on the FSCO website.
7 Decision #2016-006