Usage-based insurance (UBI) is a type of automobile insurance where insurers consider additional rating factors to determine the level of insurance premiums to be paid by policy holders.
UBI programs involve the collection, use and disclosure of personal information pertaining to the operation of a motor vehicle by individuals. While insurers have a need to collect personal information in order to operate their UBI programs, they must ensure that their collection of personal information about drivers complies with Alberta’s privacy legislation.
In Alberta, the Personal Information Protection Act (PIPA) governs how private sector organizations, including insurance companies, can collect, use, disclose and retain the personal information of individuals.
This document provides practical guidance to the insurance industry regarding the collection, use, disclosure and retention of personal information related to UBI.
How UBI Works
Insurers generally collect data to support UBI programs by:
- Having individuals connect a dongle to their vehicle that may also transmit the data to the insurer
- Relying on a smartphone app that individuals install on their devices
Do you have to tell individuals you are collecting their personal information?
Before, or at the time, personal information is collected from individuals, an insurer:
- Must notify individuals, orally or in writing, of its purpose(s) for collecting the information
- Must clearly specify that it is requesting the information for the purposes of operating the UBI program
- Must identify any other purpose and if applicable, obtain consent for each of these other purposes
- Must provide the name or title of a person who is able to answer questions on behalf of the insurer about the collection
- Must consider additional requirements under PIPA if the insurer relies on a service provider outside of Canada
Out of Country Service Providers
PIPA requires organizations that rely on service providers outside Canada to:
- Detail in their policies and procedures in which countries the collection, use, disclosure or storage of personal information by service providers may occur or is occurring, and the purposes for these service providers’ collection, use or disclosure of personal information
- Notify individuals as to how they may access information about these policies and procedures or ask questions about these service providers’ involvement on behalf of the organization
Do you need to get consent to collect personal information from individuals?
Unless otherwise authorized, before collecting, using or disclosing the personal information of an individual in relation to a UBI program, an insurer must first obtain consent. Consent may be in writing (including in electronic form) or oral. However, insurers need to consider how they will keep a record of the consent, how they will produce a paper copy of consent obtained electronically, how individuals can withdraw their consent, and what implications withdrawal has for the individual’s participation in the UBI program. Further guidance on consent is available here.
Consent is not a silver bullet. An organization cannot collect, use or disclose personal information for a purpose that is not reasonable, even with consent.
What personal information can you collect?
PIPA limits the personal information insurers can collect, stating that information can be collected only for purposes that are reasonable and only to the extent that is reasonable for meeting the purpose of operating the UBI program. PIPA defines “reasonable” as “what a reasonable person would consider appropriate in the circumstances.”
In relation to UBI programs, this means insurers must only collect information about individuals and their driving behaviours. Specifically, they must not collect information about an individual unless the individual is operating a vehicle that is insured under the UBI program the individual enrolled in.
How about using the personal information collected?
Insurers may use the personal information only for the purposes for which it was collected, or as authorized by law. Specifically, insurers must not use the information for secondary purposes, such as marketing, unless they have consent from the individuals to do so. PIPA prohibits organizations from requiring individuals to consent to collection, use or disclosure beyond what is necessary to provide a product or service.
UBI programs that rely on smartphone apps to collect driving data about enrolled individuals must be set up so that these mobile apps collect data only while an individual is operating a vehicle whose operation is insured under the UBI policy.
Who can you share this personal information with?
Finally, insurers must not disclose the personal information of individuals collected in a UBI program, unless authorized by law, or for a reasonable purpose with the consent of these individuals. Any disclosure must be limited to the amount and type of information that is reasonable for that purpose.
How long should you keep personal information?
Under PIPA, insurers have an obligation to maintain accurate and complete records of information. Insurers may retain this information only as long as reasonably required for legal and business purposes. Insurers should determine how long they need to retain the information to meet the identified purposes and set the retention period accordingly. It is recommended that insurers implement and communicate a policy that specifies the retention period, make the policy available to employees, policyholders and any service providers, and destroy the information at the end of the prescribed retention period. Alternatively, insurers may render the personal information non-identifying so that it can no longer be used to identify an individual. This process must be considered carefully given the challenges of effectively de-identifying personal information.
Do you have to protect the personal information you collected?
Throughout the lifecycle of the information, from collection to disposition, insurers must make reasonable security arrangements to protect it. This is a requirement under PIPA and it applies regardless of the format of the information or the location of the server it is stored on. For example, this means restricting access to the information to only employees and service providers with “a need to know”, encrypting electronic devices that contain personal information, as well as implementing binding agreements in relation to any service providers that may store or process the information on behalf of insurers operating UBI programs in Alberta.
If insurers become aware of a privacy breach, they must notify the Office of the Information and Privacy Commissioner of Alberta (OIPC) where there is a real risk of significant harm to individuals. A privacy breach means a loss of, unauthorized access to, or unauthorized disclosure of personal information.
The How to Report a Privacy Breach webpage has more information on breach notification.
Access to and Correction of Personal Information
Under PIPA, individuals have the right to request access to the personal information about them in the control of an insurer, to request a correction of their personal information, and to ask questions about the use and disclosure of their personal information. Upon receiving such a request from an individual enrolled in a UBI program, an insurer must respond to the individual as specified under PIPA. These requirements also apply to any information that service providers may have in their custody on behalf of an insurer.
Insurers looking to implement UBI programs in Alberta are encouraged to use the OIPC’s Privacy Impact Assessment Guidelines for Insurers Looking to Implement Usage-Based Insurance Programs. Given the complexity of UBI programs, the OIPC recommends that insurers who are concerned about the compliance of their UBI programs with PIPA submit a PIA to the OIPC for review.
Otherwise, please contact the OIPC.
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the Freedom of Information and Protection of Privacy Act, Health Information Act and Personal Information Protection Act and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of Alberta King’s Printer.