CLHIA Comments on PIPEDA data breach notification & reporting regulations consultation

Date de parution : 05/30/2016
Personne(s)-ressource(s) : Anny Duval

May 30, 2016

Sent by email to:

Data Breach Consultation
Privacy and Data Protection Policy Directorate
Innovation, Science and Economic Development Canada
235 Queen Street
Ottawa, ON K1A 0H5

Dear Sir or Madam:

Consultation Paper on Data Breach Notification and Reporting Regulations

The Canadian Life and Health Insurance Association (CLHIA) is pleased to provide comments on the March 2016 Consultation Paper on Data Breach Notification and Reporting Regulations. In this letter, we will emphasize the importance of harmonization of PIPEPA with other private sector privacy legislation and we will comment on some of the questions raised in the discussion paper.

The CLHIA, established in 1894, is a voluntary association with member companies which account for 99 per cent of Canada's life and health insurance business. The life and health insurance industry is a significant economic and social contributor in Canada. It protects 28 million Canadians and makes over $83.5 billion a year in benefit payments to residents in Canada (of which 90 per cent goes to living policyholders as annuity, disability, supplementary health or other benefits and the remaining 10 per cent goes to beneficiaries as death claims). In addition, the industry has $721 billion invested in Canada's economy. In total, 105 life and health insurance providers are licensed to operate in Canada.

Canada's life and health insurers have been handling the personal information of Canadians for more than a century and, over the years, have taken a leadership role in protecting the personal information of consumers. For example, in 1980, our industry was the first in Canada to put in place "right to privacy guidelines", which represented the first privacy code to be adopted by any industry group in Canada. Since then, we have participated actively and provided input on all major privacy initiatives, including in the mid-'90s when Quebec introduced its private sector legislation, and later in the development and updates of the Personal Information Protection and Electronic Documents Act (PIPEPA), as well as BC's and Alberta's Personal Information Protection Act (PIPA). Of relevance to the current consultation, we provided input to the Office of the Privacy Commissioner (OPC) as it developed its voluntary data breach reporting program about a decade ago and some of our members have looked to this program as a source for developing their internal practices for data breach management.

One of the industry's overarching objectives is to achieve harmonization in the treatment of personal information across Canada. Given that Alberta already has in place mandatory data breach reporting requirements, many of our comments on the Consultation Paper will be geared to achieving this objective, as much as possible...