Insurance Brokers Snooping

December 16, 2016 - Ron Kruzeniski, Information and Privacy Commissioner

One thing my office does is investigate breaches involving the disclosure of personal information or personal health information. Once upon a time that would have involved someone accessing paper files inappropriately, determining why medical files were found in a dumpster, or why paper files were stolen from a briefcase in someone’s car. Those things can still happen, but the electronic age has resulted in many organizations developing databases that contain a lot of information about you and me. Organizations need that information to operate, but at the same time not every employee in that organization needs to see information about me, his neighbor, her mother, his girlfriend, or her ex’s new girlfriend. But people do access that information; it is viewed as a breach and generally called snooping.

Snooping has become a problem across Canada. There are many reported cases of health workers or others snooping. Some of the more egregious ones get media attention. Where it is serious, the person usually gets fired.

Is this happening in Saskatchewan? Yes it is. It is happening in the insurance brokerage business and mainly involves staff in insurance brokers’ offices inappropriately accessing SGI databases.

In my Report 131-2015, Saskatchewan Government Insurance (SGI) proactively reported to the Office of the Information and Privacy Commissioner (OIPC) that a number of individuals’ privacy may have been breached by Lestock Agencies. SGI investigated and determined that a number of breaches had occurred when Lestock Agencies accessed the Auto Fund database without a legitimate business purpose. A number of preventative measures were proposed by SGI. I was satisfied with a number of steps taken by SGI but determined that I could not be fully satisfied until the prevention plans proposed by SGI were fully implemented. I recommended that SGI provide the OIPC with a quarterly update on its progress implementing the preventative measures. SGI agreed to this recommendation.

In my Report 173-2015, Saskatchewan Government Insurance (SGI) proactively reported to the Office of the Information and Privacy Commissioner (OIPC) that it had received a complaint alleging that an employee of an insurance broker agency in the province had inappropriately accessed the personal information of two individuals on the SGI Auto Fund database. Following its investigation, SGI determined that a privacy breach had occurred and provided a copy of its investigation report to the OIPC. I was satisfied with the steps taken by SGI to address the privacy breach and recommended that SGI provide the OIPC with a quarterly update on its progress implementing the preventative measures. SGI agreed to this recommendation.

In my Report 189-2015, Saskatchewan Government Insurance (SGI) proactively reported a breach involving its Auto Fund database (SAM). An employee of an Issuer, Hometown Insurance Brokers in Vonda, Saskatchewan, had been making unauthorized accesses of personal information in SAM since 1995. I raised concerns about SGI’s response to this breach, the safeguards in place to protect the personal information in SAM, and its monitoring and auditing programs. I made some recommendations to address my concerns, including implementing data sharing agreements.

Access to the SGI database needs to be viewed as a privilege by Brokers and their staff. In the instances that occurred, SGI responded appropriately, but the damage to the perception that one’s driver or vehicle information is protected has been done. It is in the interest of both SGI and Brokers that public confidence in the safeguarding of personal information not be eroded. If pressed by the public or my office, SGI would have to consider tighter restrictions on who gets access. That might not be good for the Brokers’ business. So I suggest that Brokers and their associates be proactive in showing they are aware of the risks of snooping and are taking action.

What action can they take? Well, if they do not already, they can require each new employee to take privacy training and each existing employee to take a privacy refresher. They can require each employee to sign a confidentiality agreement. They can work with SGI to implement random audits of employees’ database access.

If the training modules do not now exist, the brokers or their associations can work with SGI to develop online training modules.

Finally, Brokers need to say to their staff, over and over again: only access information on the database when you need to know that information to do your job.
