Who can you share this personal information with?
Finally, insurers must not disclose the personal information of individuals collected in a UBI program, unless authorized by law, or for a reasonable purpose with the consent of these individuals. Any disclosure must be limited to the amount and type of information that is reasonable for that purpose.
How long should you keep personal information?
Under PIPA, insurers have an obligation to maintain accurate and complete records of information. Insurers may retain this information only as long as reasonably required for legal and business purposes. Insurers should determine the length of time they are required to retain the information to meet the identified purposes and set the retention based on that. It is recommended that insurers implement and communicate a policy that specifies the retention period, make the policy available to employees, policyholders, and any service providers and destroy the information at the end of the prescribed retention period. Alternatively, insurers may render the personal information non‑identifying so that it can no longer be used to identify an individual. This process must be considered carefully given the challenges of effectively de-identifying personal information.
Do you have to protect the personal information you collected?
Throughout the lifecycle of the information, from collection to disposition, insurers must make reasonable security arrangements to protect it. This is a requirement under PIPA and it applies regardless of the format of the information or the location of the server it is stored on. For example, this means restricting access to the information to only employees and service providers with “a need to know”, encrypting electronic devices that contain personal information, as well as implementing binding agreements in relation to any service providers that may store or process the information on behalf of insurers operating UBI programs in Alberta.
If insurers become aware of a privacy breach, they must notify the OIPC where there is a real risk of significant harm to individuals. A privacy breach means a loss of, unauthorized access to or unauthorized disclosure of personal information.
The How to Report a Privacy Breach webpage has more information on breach notification.
Access to and Correction of Personal Information
Under PIPA, individuals have the right to request access to the personal information about them in the control of an insurer, to request a correction of their personal information and to ask questions about the use and disclosure of their personal information. Upon receiving such a request from individuals enrolled in an UBI program, an insurer must respond to the individual, as specified under PIPA. These requirements also apply to any information that service providers may have in their custody on behalf of an insurer.
Questions
Insurers looking to implement UBI programs in Alberta are encouraged to use the OIPC’s Privacy Impact Assessment Guidelines for Insurers Looking to Implement Usage-Based Insurance Programs. Given the complexity of UBI programs, the OIPC recommends that insurers who are concerned about the compliance of their UBI programs with PIPA submit a PIA to the OIPC for review.
Otherwise, please contact the OIPC.
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the Freedom of Information and Protection of Privacy Act, Health Information Act and Personal Information Protection Act and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of Alberta King's Printer. |