REPORT UNDER THE FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT CASE MANITOBA FINANCE - INSURANCE COUNCIL OF MANITOBA

Similar documents
REPORT UNDER THE FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT CASE CITY OF WINNIPEG ACCESS COMPLAINT: REFUSAL OF ACCESS

2017 REVIEW OF THE FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT (FIPPA) COMMENTS FROM MANITOBA OMBUDSMAN

DATA MATCHING AGREEMENTS ACT 1 B I L L

PERSONAL INFORMATION PROTECTION ACT

The position you have applied for is exempt from the Rehabilitation of Offenders Act 1974 (as amended in England and Wales).

ASSOCIATION OF PROFESSIONAL ENGINEERS AND GEOSCIENTISTS OF BRITISH COLUMBIA,

Part 3 Authority to Practise Law

Terms of Use. Last modified: January Acceptance of these Terms of Use

the general policy intent of the Privacy Bill and other background policy material;

MANITOBA FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY RESOURCE MANUAL

TORONTO POLICE SERVICES BOARD REGULATED INTERACTION WITH THE COMMUNITY AND THE COLLECTION OF IDENTIFYING INFORMATION

CANADIAN ANTI-SPAM LAW [FEDERAL]

KEY DIFFERENCES BETWEEN THE UNIFORM LAW AND THE NEW SOUTH WALES AND VICTORIAN LEGAL PROFESSION ACTS

ARTICLE 29 Data Protection Working Party

Public and Licensed Access Review. Consultation on Changes to the Public and Licensed Access Rules

Order BRITISH COLUMBIA GAMING COMISSION

Information Privacy Act 2000

Liquor Amendment (Kings Cross Plan of Management) Act 2013 No 76

MEMBER REGULATION NOTICE COMPLAINT HANDLING MFDA POLICY NO. 3

The Real Estate Institute of New Zealand Incorporated. The Real Estate Agents Act 2008 Exemption Request:

ACCESSING GOVERNMENT INFORMATION IN. British Columbia

Information exempt from the subject access right (section 40(4) and

REPUBLIC OF SOUTH AFRICA

Website Disclaimer. All Fired up Heating Ltd

Rules Notice Request for Comment

Regulatory Activity (Section 31)

Privacy. Purpose. Scope. Policy. Appendix A

Submission to the Joint Committee on the draft Investigatory Powers Bill

BERMUDA VIRTUAL CURRENCY BUSINESS ACT 2018 BR/ 2018: TABLE OF CONTENTS PART 1 PRELIMINARY

F R E Q U E N T L Y A S K E D Q U E S T I O N S

TekSavvy Solutions Inc.

BILL NO. 42. Health Information Act

Indicative Sanctions Guidance

Freedom Of Access To Information Act For The Republika Srpska 18/5/2001

CITY OF VANCOUVER BRITISH COLUMBIA

CODE OF CONDUCT AND ETHICS (the Code ) Approved on February 23, 2017

COMFLO WEBSITE TERMS OF USE

Health Information Privacy Code 1994

DRAFT. The Prearranged Funeral Services Act Regulation

Ownership of Site; Agreement to Terms of Use

SECURITY SERVICES AND INVESTIGATORS ACT

Saskatoon Zoo Foundation Inc. Ticket Purchase Policies, Donation Policies and Privacy Policies

OMBUDSMAN FOR BANKING SERVICES AND INVESTMENTS TERMS OF REFERENCE

IMPRESS: The Independent Monitor for the Press CIC Regulatory Scheme

Fragomen Privacy Notice

Recruiter Accreditation Scheme Compliance Framework. December 2016

UNITED STATES PATENT AND TRADEMARK OFFICE TRADEMARK MANUAL OF EXAMINING PROCEDURE (TMEP) Chapter 600 Attorney, Representative, and Signature

SDL Web Click Wrap DEVELOPER SOFTWARE AND DISTRIBUTION AGREEMENT RESTRICTED TO USE BY DEVELOPERS. Terms and Conditions

BY-LAW 14. Made: May 1, 2007 Amended: June 28, 2007 April 30, 2009 May 21, 2009 (editorial changes) September 29, 2010 October 28, 2010

Victims of Crime (Rights, Entitlements, and Notification of Child Sexual Abuse) Bill [HL]

ICE Trade Vault Rulebook

PROFESSIONAL ETHICS COMMITTEE PROCEDURES MANUAL

The Health Information Protection Act

Complaints Against Judiciary

closer look at Rights & remedies

Nestlé Canada Inc. Privacy Policies and Practices April 13, 2012

AIA Australia Limited

Application to appoint authorised individual; Head of Legal Practice; or Head of Finance and Administration

APPENDIX ORDER. AND WHEREAS it is important that inquiries be made with respect to matters within Alberta s jurisdiction;

GUEST WIFI NETWORK. Terms and Conditions and Acceptable Use Protocol

BULGARIAN STOCK EXCHANGE-SOFIA RULES AND REGULATIONS PART II MEMBERSHIP RULES

Criminal Convictions. AAT is a registered charity. No

REGULATED HEALTH PROFESSIONS ACT

Communications Authority

6 Prohibition on providing immigration advice unless licensed or exempt

FILMS AND PUBLICATIONS AMENDMENT BILL

Order F08-15 COLLEGE OF PSYCHOLOGISTS OF BRITISH COLUMBIA. Michael McEvoy, Adjudicator. September 4, 2008

LEGAL TERMS OF USE. Ownership of Terms of Use

Recruitment, selection and disclosure policy and procedure

2ND SESSION, 41ST LEGISLATURE, ONTARIO 66 ELIZABETH II, Bill 166. (Chapter 33 of the Statutes of Ontario, 2017)

Indicative Sanctions Guidance

Annual Report of the Saskatchewan Conflict of Interest Commissioner And Registrar of Lobbyists. Ronald L. Barclay, Q.C.

ACCESS TO INFORMATION ACT

March 2016 INVESTOR TERMS OF SERVICE

Liquor Amendment (3 Strikes) Act 2011 No 58

Security and Investigation Agents Act 1995

Data Protection Bill [HL]

c. References herein to the singular includes the plural and vice versa; and

Intellectual Property Laws Amendment Act 2015

(28 February 2014 to date) FINANCIAL ADVISORY AND INTERMEDIARY SERVICES ACT 37 OF 2002

Regulating influence and access: Submission to the Inquiry into the Lobbying Code of Conduct by the Senate Finance and Public Affairs Committee

Number 31 of 2001 STANDARDS IN PUBLIC OFFICE ACT 2001 REVISED. Updated to 13 April 2017

Inquiry into Comprehensive Revision of the Telecommunications (Interception and Access) Act 1979

RESPONSIBLE ENERGY DEVELOPMENT ACT GENERAL REGULATION

Freedom Of Access To Information Act For The Federation Of Bosnia and Herzegovina

Website Terms of Use. Last Updated: June 5, 2018

New Zealand Institute of Chartered Accountants RULES OF THE NEW ZEALAND INSTITUTE OF CHARTERED ACCOUNTANTS EFFECTIVE 26 JUNE 2017 CONTENTS

Data Protection Bill [HL]

DATA PROCESSING AGREEMENT. (1) You or your organization or entity as The Data Controller ( The Client or The Data Controller ); and

Civil and Administrative Tribunal Amendment Act 2013 No 94

FREEDOM OF INFORMATION. Gillian Duggin and Felicity Millner, Environmental Defender s Office

Conveyancers Licensing Act 2003 No 3

Disciplinary Procedures. Publication and Disclosure Policy

APPLICATION AND RECRUITMENT PROCESS EXPLANATORY NOTE

FLOORBALL CANADA BY-LAWS

THE RIGHT OF ACCESS TO INFORMATION: SOME RAMIFICATIONS FOR THE HEALTH SECTOR

APPLICATION FOR ADMISSION AS A CANADIAN LEGAL ADVISOR

CONFLICT OF INTEREST ACT

Internet and E-Commerce Law in Canada

EDEN HOUSING ASSOCIATION LIMITED DISCLOSURE AND BARRING SERVICE (DBS) POLICY

Transcription:

REPORT UNDER THE FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT CASE 2018-0077 MANITOBA FINANCE - INSURANCE COUNCIL OF MANITOBA PRIVACY COMPLAINT: DISCLOSURE OF PERSONAL INFORMATION PROVISIONS CONSIDERED: 42(1), 42(2) REPORT ISSUED ON MAY 22, 2018 SUMMARY: An individual made a complaint under the Freedom of Information and Protection of Privacy Act (FIPPA or the act) against Manitoba Finance - Insurance Council of Manitoba (ICM or the public body). The complainant alleged that the online posting of disciplinary decisions by the ICM was not authorized under FIPPA. In the course of our investigation, the ICM proposed changes to its policies and procedures, which would allow the ICM to comply with its requirements under FIPPA while fulfilling its mandates to enforce standards for the profession and to initiate programs for consumer protection. Our office considered the suggested revisions to the ICM policies and processes to be a reasonable balance between the requirements of FIPPA and the mandate and responsibilities of the ICM as well as a reasonable exercise of the ICM s discretion relating to publication of its disciplinary decisions under the Insurance Council Regulation. Therefore, the complaint was resolved. COMPLAINT On February 20, 2018 our office received a complaint made under the Freedom of Information and Protection of Privacy Act (FIPPA of the act) alleging an unauthorized disclosure of personal information. The complaint was made against Manitoba Finance - Insurance Council of Manitoba, a public body under the act.

2 In information provided to our office, the complainant explained that he was at one time employed as an insurance agent in Manitoba. In 2009, the complainant was advised that he was the subject of an investigation by the council for an alleged contravention of the Insurance Act. The complainant chose to accept the disciplinary decision of the council without a hearing and accept the disciplinary action imposed. The complainant further explained that, recently, he became aware that his name and other personal information appears on the ICM website on publicly accessible pages relating to disciplinary decisions made by the council. The complainant explained that he does not dispute the accuracy of the disciplinary decision but was unaware that the decision would be disclosed publicly by posting it on the ICM website. When the complainant inquired of the ICM if there was process whereby his name could be removed from the ICM web pages, he states he was informed that the posting would remain online forever. The complainant noted to us that he is no longer active or employed in the industry and has not been since 2009. Further, in his view, the decision has been posted without context and, with the present capabilities of online search engines, can be expected to create difficulties for him in obtaining future employment (in any area) and also, to cause embarrassment for the complainant among friends and family. Under subsection 59(3) of FIPPA an individual who believes that his personal information has been disclosed in violation of FIPPA may make a complaint to the ombudsman. A complaint investigation was opened by our office on February 21, 2018. STATUTORY REQUIREMENTS FOR DISCLOSURE OF PERSONAL INFORMATION The general duties of public bodies with regard to the disclosure of personal information are set out in section 42 of FIPPA: General duty of public bodies 42(1) A public body shall not use or disclose personal information except as authorized under this Division. Limit on amount of information used or disclosed 42(2) Every use and disclosure by a public body of personal information must be limited to the minimum amount of information necessary to accomplish the purpose for which it is used or disclosed.

3 INVESTIGATION AND ANALYSIS On receiving the complaint, our office reviewed the ICM website (including posted disciplinary decisions and the ICM mandates) as well as the provisions of the Insurance Act and the Insurance Councils Regulation (IC Regulation), which govern the conduct of disciplinary investigations by the ICM. We noted that subsection 7.1(1) of the IC Regulation provides that: Publishing information about administrative decisions 7.1(1) After an administrative decision is made in respect of an agent or adjuster, the insurance council that made the decision may, subject to subsections (2) and (3), publish the following information about the decision: (a) the name and address of the agent, adjuster or applicant for a licence about whom the decision was made, as shown in the records maintained under subsection 9(1) of the Act; (b) a summary of the decision, including a description of the action to be taken in respect of the agent, adjuster or applicant; (c) a statement of the reasons for the decision; (d) any other information about the administrative decision that the insurance council considers necessary for it to be properly understood by members of the public. 7.1(2) Information published under this section must not include information (a) about a person that (i) except as permitted by clause (1)(a), is personal information, or (ii) is personal health information; or (b) by which a complainant or a person other than the agent or adjuster could be identified. In view of this provision of the IC Regulation it appeared to our office that authority for disclosure of the complainant s personal information could exist under clause 44(1)(e) of FIPPA, which reads: Disclosure of personal information 44(1) A public body may disclose personal information only (e) in accordance with an enactment of Manitoba or Canada that authorizes or requires the disclosure; However, our office also noted that subsection 42(2) of FIPPA requires that every disclosure of personal information must be limited to the minimum amount of information necessary to accomplish the purpose for disclosure. Our office considered the potential purpose for the

4 disclosure of the complainant s personal information in light of the ICM mandates to enforce standards for the profession and to initiate programs for consumer protection. We recognised that the publishing of disciplinary decisions would support this. Nonetheless, we also noted the IC Regulation does not require that information about the council s decisions be published online. We further noted that the IC Regulation was enacted in 1991, before the World Wide Web was invented and before the development of HTML, the modern browser interface and instantaneous web search engines. We also noted that prior to posting decisions online, council decisions were published in the Council Report, which had limited accessibility. It appeared to our office that the regulation which was the source of the authority to publish decisions for the purpose of enforcing standards for the profession and consumer protection was not initially enacted in contemplation of world wide search engine discoverability for an indefinite period. Further to our consideration of this complaint, our office also consulted Manitoba Ombudsman s Privacy Guidelines for Administrative Tribunals on the Online Publication of Decisions and the Privacy Commissioner of Canada (OPC) publication Electronic Disclosure of Personal Information in the Decisions of Administrative Tribunals. Our office noted the advice to strike an appropriate balance in the posting of decisions. This includes a consideration of the possibility that an individual to whom the information relates may be unfairly exposed to monetary, reputational or other harm as a result of a disclosure and the gravity of any harm that could come to an individual affected as a result of the disclosure of personal information. In light of the foregoing, our office contacted the ICM. Our office explained that, in our view, the use of the word may in subsection 7.1(1) of the IC Regulation indicated that the ICM has discretion in the matter of the online posting of disciplinary decisions. We submitted that the seriousness of the offence and the length of time that has passed since a disciplinary decision was issued should be relevant in determining the duration for the online posting of the names of those disciplined for a regulatory offence under the the Insurance Act. Accordingly, in light of the limiting provision of subsection 42(2) of FIPPA, we requested the ICM to provide information which would explain why it had chosen not to exercise its discretion to limit the online availability of disciplinary decisions. RESPONSE OF THE PUBLIC BODY In responding to our office, the ICM recognized our concerns regarding the ongoing online availability of its disciplinary decisions. The council noted the trend of regulatory bodies toward greater transparency, openness and communication with the public as a means of achieving consumer protection. The ICM explained that it has been publishing the full decisions of its disciplinary actions online since 2014. The council submitted that amendments to the IC Regulation (most recently in 2014) were made with the knowledge (and the legislative intent)

5 that the publication of disciplinary decisions would include the publication of those decisions in an online environment. However, the council also noted that the interest in transparency and openness must be balanced with the increasing and seemingly contradictory requirements for protection of privacy and personal information. The ICM also explained that any actions it takes with regard to the online posting of disciplinary decisions must be made in consideration of its participation in a national joint initiative of the Canadian Insurance Services Regulatory Organization (CISRO) (of which the ICM is a member) and the Canadian Council of Insurance Regulators (CCIR). These national organizations have created a searchable database of published insurance disciplinary decisions in Canada called the Canadian Insurance Regulators Disciplinary Actions database (CIRDA). The CIRDA database is intended to provide an amalgamation of published disciplinary and enforcement action information from all Canadian jurisdictions from 2008 and onward, and provides important access to information for all regulators and for consumers. The CIRDA database includes information about actions against insurance companies, insurance intermediaries and individuals licensed to sell insurance products and is searchable online. The ICM currently uploads all of its disciplinary decisions to the CIRDA website, which is housed through Decisia/Lexum, an online platform for publication of legal decisions, which is used by over 80 courts, tribunals and boards across Canada. Additionally, the ICM maintains a separate database, which carries its own disciplinary decisions, also housed through Decisia/Lexum. Links to both databases exist on the ICM website. The ICM explained that in publishing its decisions it has been mindful that the information published remains within the limitations of section 7.1 of the IC Regulation while ensuring that the decision can be understood by members of the public and while also not disclosing unnecessary personal information about the subject of the discipline. Further to meeting its responsibilities under subsection 42(2) of FIPPA, the ICM advised that it had begun consultations with its information technology providers regarding the potential of web exclusion protocols to limit the discoverability of the decisions posted on its website. Research conducted by our office has determined that these protocols are known as the robots exclusion standard, also known as the robots exclusion protocol or simply robots.txt. Web search engines (such as Google) use web crawling or spidering software robots to collect information from posted web sites in order to update their indices of web content. The standard 1 specifies how to inform the web crawling robot about which areas of a website should not be processed or scanned. A robots.txt file on a website will function as a request that specified robots ignore specified files or directories when crawling a site, for example, out of a preference for privacy from search engine results. The standard, however, is not infallible. Links to pages 1 Some major search engines following this standard include Ask, AOL, Baidu, Bing, DuckDuckGo, Google, Yahoo!, and Yandex.

6 listed in robots.txt can still appear in search results if they are linked from another page that has been crawled and indexed. Further, not all robots cooperate with the standard; email harvesters, spambots, malware, and robots that scan for security vulnerabilities may even start with those portions of the website that they have been asked to ignore. Our office understands that, as an alternative, a web administrator could also configure the server to automatically return failure (or pass alternative content) when it detects a connection using one of the crawler robots. In order to allow the ICM to comply with its requirements under FIPPA while fulfilling its mandate for public protection and participation in the national CIRDA initiative, the ICM suggested that the concerns of our office could be addressed by the adoption of internal policy and procedures on the publication of disciplinary decisions as follows: Disciplinary decisions will continue to be written within the requirements of section 7.1 of regulation 227/91 with the view and intent of full publication; After expiration of all appeal periods within the act and regulations, all disciplinary decisions in their full text form will continue to be published to ICM s website through the CIRDA and ICM databases maintained through Decisia/Lexum; These decisions will be fully name searchable through search engines or other broad public search query methods for a period of seven years; Upon expiration of seven years from the year the decision was made, the ICM will reduce the broad public accessibility of its decisions and, as far as is technologically possible, reduce the ability of public search engine queries by name to return decisions older than seven years. Older decisions would still be accessible by going directly to the ICM website or to the CIRDA database; Even if no longer broadly searchable through general search engines, the decisions would still reside on the ICM website and be searchable by name directly through the CIRDA and ICM databases (i.e. if a member of the public or other regulator wished to access the decision, it would be fully searchable directly on the ICM website through links to the Decisia/Lexum databases); Only upon request to the ICM by a license holder or former license holder, and after that seven year period, the relevant industry council would review the individual case to determine whether, in that specific instance, the individual would be unfairly exposed to harm that would outweigh the public benefit of consumers being able to view the decision. The relevant industry council s discretion would therefore be exercised on a case by case basis;

7 If determined that the potential for individual harm to the licensee or former licensee would be greater than the public benefit of maintaining public disclosure of the decision, the text of the decision would be removed from the ICM website (either through removal from databases or other technological means), but would still exist as a disciplinary record with the ICM. Our office asked the ICM to explain the rationale for the seven year time period in its suggested policy and process. The ICM explained that in determining the length of time of full web search-ability of disciplinary decisions, council reviewed a variety of sources to seek guidance, including the Office of the Privacy Commissioner, the Canadian Judicial Council, FINTRAC (the Financial Transaction and Reports Analysis Centre of Canada), and the Canada Revenue Agency. The council noted that there is no specific overall time frame that is sanctioned with regard to retention of records in the insurance industry. There are a number of statutory and regulatory requirements that differ, depending on the nature of the record, the statute, limitation periods and the jurisdiction. Because of this, it was council s intent to simplify the time frame to a period that would be familiar and understandable to the industry the period of seven years is the time frame for which tax records should be maintained, which also serves as a form of maximum length of time that would cover limitation periods and other statutory requirements. This length of time was perceived as a balance between a period which would allow for a maximum length of public protection, while recognizing the reasonable protection of individual privacy rights. Our office considers the suggested revisions to policy and process to be a reasonable balance between the requirements of FIPPA and the mandate and responsibilities of the ICM as well as a reasonable exercise of the ICM s discretion relating to publication of its disciplinary decisions under IC Regulation 227/91. Our office notes that the suggested process to limit online discoverability would apply to the disciplinary decision regarding the individual complainant in the matter at hand, as the decision was from 2009. Further, if the complainant wished to submit a request for removal of a decision from the databases of the ICM, the council would consider the case on an individual basis, and if determined appropriate, could remove the decision from publications through the ICM and CIRDA databases. It would, however, continue to exist as a disciplinary record within the ICM. Our office contacted the complainant and explained the ICM s proposal and the complainant was satisfied with this resolution to his complaint. In view of the foregoing commitments by the ICM to revise its policies and procedures, our office considers this complaint to be resolved. Manitoba Ombudsman May 22, 2018

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback