A recent decision from the Office of the Privacy Commissioner of Canada (OPC) may affect the way banks, insurance companies and other financial services firms address customer complaints and disclose related information.

Specifically, the OPC determined that the internal ombudsman’s office established by the insurance company in this case did not constitute a “formal dispute-resolution process” – a ruling that has significant implications.

“The [OPC] took no issue with the ombudsman process, but [took issue with the fact] that it lacks formality,” says Anthony Gatensby, an associate lawyer with McCague Borlack LLP in Toronto. “We have never had a decision before that focuses on informal or formal [processes].”

The distinction is critical. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), companies must disclose to a client in full and in a timely manner what personal information the client has provided during the course of business when that client asks for that information.

There’s an exception to this rule, however. If the personal information arises during the course of a formal dispute-resolution process, that personal information does not need to be released to the client. This exemption, among others, was what the insurance company argued during the hearing held by the OPC.

At issue in OPC decision No. 2016-006, which was released late this past summer, was a complaint involving a dispute regarding a client’s home insurance claim. The insurance company’s ombudsman determined that the issue could not be resolved because the information the client requested included the recording of a telephone conversation that also involved a third party (her spouse), even though both spouses jointly owned the insurance policy.

When the customer took her concerns to the OPC, the insurer argued that the information requested is exempt under PIPEDA because the ombudsman’s office was a formal process and a third party was involved. The OPC did not buy into either argument.

“Reading between the lines, it’s clear that the OPC is going to interpret the exemptions narrowly to try to give as much effect to the right of access [as possible],” says Kris Klein, partner with the law firm nNovation LLP in Ottawa.

Simple solution

Specifically, the OPC found that there was a simple solution to the insurer’s concern about a third party being part of the requested telephone transcript: remove the third-party’s personal information and provide the client access to the rest of the call.

“The [insurance] company ultimately did so,” the OPC’s decision notes, “but more than a year after [the client’s] initial request and only after a complaint was filed with our office.”

Such a delay violates PIPEDA, which requires organizations to provide an individual with access to his or her personal information upon request.

Furthermore, the OPC determined in its decision that the insurer’s ombudsman, which represents the third and final stage in the firm’s complaint-resolution procedure, did not constitute a formal process. That finding has shifted the landscape for financial services firms.

“[Companies] can’t look to the [complaint] process as a shield,” Gatensby says.

The only option open to firms may be to set up their dispute-resolution process “in a much more formal way than a regular complaint-resolution process that most companies use,” Klein notes.

However, doing so may be difficult to do in practice. According to the lessons highlighted in the OPC decision, a framework or structure must be in place that’s either legislated or agreed to by the parties to the dispute in order to qualify as a formal dispute-resolution process under PIPEDA.

“In other words, the resolution of the dispute must take place in accordance with recognized rules,” the OPC’s decision states.

The OPC also addressed the insurance company’s contention that because the insurer is required to establish a process for dealing with complaints under the federal Insurance Companies Act (and banks under the Bank Act), the insurer is exempt from PIPEDA and its process was indeed a “formal” one.

A process in place

The OPC dismissed this contention in its decision: “Our office is of the view that this regulatory structure does not speak to the formality of those processes; [PIPEDA] requires banks and insurance companies to have a process in place, but does not provide any framework of what this process must entail. Banks and insurance companies retain considerable flexibility as to the kind of internal processes adopted.”

The bottom line, says Gatensby, is that firms “need to be prepared to disclose the required information.”

The OPC’s decision also makes clear that disclosure includes information in which a third party is involved. In such cases, that information can be removed and the remaining documentation provided.

For insurers and other financial services institutions, this means “not being able to hide behind the fact that there’s third-party information to try to deny access,” says Klein.

In the case before the OPC, the insurer also argued that because the ombudsman’s services are not a “commercial activity,” they’re beyond PIPEDA’s scope. However, the OPC decision disagreed with that contention.

© 2016 Investment Executive. All rights reserved.