Perspectives on Privacy
Is installing a telematics device in an insured's vehicle an unreasonable invasion of privacy? Two lawyers debate the issues
Is telematics data collected through usage-based insurance (UBI) considered “personal information” under the Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5?
D. Maxwell: We need to consider what “personal information” is defined as under PIPEDA. Personal information means “information about an identifiable individual.” The data that is collected by a telematics device will not be able to tell who is operating the vehicle. However, for vehicles that have only one listed driver, or a limited number of drivers who typically use the car, then it is simple to narrow down who is using the vehicle at a particular time. On that basis, the telematics data should be considered personal information, thereby bringing this data under the provisions of PIPEDA.
H. Borlack: Telematics data would likely be considered personal information in instances where there is only one person listed under the policy; however, where there is more than one listed driver under a policy, it is difficult to determine which driver the telematics data related to. In these instances, the data should not be considered personal information, as it is defined in PIPEDA.
Should UBI enrollment be voluntary in order to qualify for insurance coverage?
D. Maxwell: Yes, UBI enrollment should be voluntary. The purpose behind UBI is to offer premium discounts to consumers. It is not predicated on whether one qualifies for insurance. Those consumers who have good driving habits and are willing to have a telematics device installed into their vehicle should avail themselves of UBI’s benefits. Conversely, those who seek to limit the amount of personal information available to their insurers should have the option of purchasing more traditional insurance products.
H. Borlack: At present, UBI enrollment is voluntary. However, once UBI is available in Ontario for an extended period, it would not be surprising to see it become the standard for insurance policies. We must consider the benefits posed by UBI. It incentivizes consumers to drive safely and avoid risky behaviour, such as hard braking and acceleration. Furthermore, it encourages drivers to consider other environmentally friendly options in order to decrease the mileage clocked by their vehicle.
How long should insurers keep telematics data?
D. Maxwell: Insurers should only keep data for as long as required in order to calculate the insured’s premium discount for the relevant policy period. Once the insured decides to cancel UBI, the telematics device should be removed immediately, and the information should be destroyed within a year of cancellation.
H. Borlack: UBI could potentially improve driving habits and result in safer roads. Insurers should be permitted to use the data collected for research purposes, in order to determine UBI’s impact on safe driving. Therefore, telematics data should be collected for several years.
What should consent provisions contain in order to comply with PIPEDA?
D. Maxwell: Insurers should obtain meaningful consent from consumers when they apply for UBI. For consent to be meaningful, consumers need to know exactly what information will be collected, where it will be stored, who will access it and how long it will be retained for before it is destroyed. Consent should always be explicit, not implied. Furthermore, consumers should understand that UBI will only affect their premiums and not their eligibility for insurance. They should also be aware of exactly how premiums will be impacted by their driving habits, as well as the habits of other drivers using the insured vehicle. One concern that could arise is when there are multiple drivers listed under a policy. A good privacy practice is ensuring that the primary insured has obtained consent from everyone listed under the policy to agree to UBI’s terms.
H. Borlack: Consumers interested in UBI know that their data will be collected. As long as insurance companies alert consumers to the kinds of data that will be collected and the uses for that data, they will have discharged their obligations under PIPEDA. Consumers always have the option of cancelling the service if they do not agree with the information that is collected, used and disclosed.
To whom should UBI telematics data be disclosed?
D. Maxwell: The data should only be disclosed to those entities for whom the consumer has provided consent. In most instances, the insured’s expectation is that the data will only be collected, used and disclosed by their insurance company. Disclosure to any third parties, such as marketers, should be strictly prohibited unless the consumer explicitly provides consent to this usage.
H. Borlack: Enrollment in UBI will likely necessitate disclosure of consumer’s personal information to entities other than their insurance company. For instance, one of the benefits of UBI is that subscribers can monitor their driving habits online through a website or emails provided by their insurer. Consequently, the insurance company will contract with service providers in order to host the website and deliver weekly emails. Consumers should know that insurance companies may have to share their personal information with third-party service providers in order to effectively implement UBI.
Does insurance companies’ collection, use and disclosure of telematics data comply with PIPEDA?
D. Maxwell: In order to comply with PIPEDA, insurance companies must ensure that they follow the 10 principles outlined in the act. Those principles include: appointing individuals to ensure that the insurer remain accountable for its privacy practices, clearly identifying the reasons for the insurer’s collection of the information, obtaining the consumer’s consent before collecting the data, limiting the collection of data to only that which is necessary to deliver UBI, ensuring that the retained data is used and disclosed only for the purposes for which the insured provided his or her consent, destroying the data when it is no longer needed, and providing insureds with the opportunity to access their data and request corrections, and recourse if they disagree with the insurer’s privacy practices. The more data collected by the insurer, the more opportunities for the data to become compromised or misused. Insurers should exercise caution when deciding to collect personal information from their customers. Compliance with all the principles outlined in PIPEDA is vital to ensuring that UBI is helpful to consumers without compromising their privacy rights.
H. Borlack: The most significant principles that insurance companies must consider when implementing telematics is that the individual has knowledge that their personal information is being collected, and that they consent to this collection. The purpose of PIPEDA is to help ensure commercial activity and protection of privacy co-exist. Telematics strikes this balance.
Is UBI a good idea? Are there other less intrusive alternatives to provide the same benefit to consumers without privacy concerns?
D. Maxwell: Telematics provides consumers with more affordable options for their car insurance. It allows insurers to offer greater selection in insurance products. Finally, it may encourage safer driving habits for those looking to save on their insurance premiums. Telematics can benefit the consumer and the industry, provided that consumers have given explicit, informed consent as to how their information will be collected, used, disclosed and retained.
H. Borlack: UBI is not a new concept; it has been available in the United States and Europe for some time. Its recent introduction in Ontario will raise some initial concerns regarding privacy. However, telematics will gain popularity as an affordable option with minimal invasion of one’s privacy.
Copyright 2014 Rogers Publishing Ltd. This article first appeared in the February 2014 edition of Canadian Insurance Top Broker magazine