Background

The Office of the Privacy Commissioner of Canada (“OPC”) investigated a complaint made to its Office after an insurance company refused to provide a policyholder access to her personal information relating to a joint home insurance policy she held with her husband. The policyholder had made her original request for access pursuant to the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”), which the insurance company had denied.

The policyholder then made a complaint about the denial of access to the Office of the Ombudsman (“Ombudsman”) for the insurance company’s parent company, which is a bank (“Bank”). The insurance company continued to deny the policyholder access, and also denied the policyholder access to any subsequent information generated following her complaint filed with the Ombudsman. The policyholder had sought access to a recorded telephone conversation along with emails, internal reports and other communications related to a claim. The policyholder then complained to the OPC, which investigated.

In its submissions, the Respondent insurance company attempted to rely on three exemptions to disclosure in order to support its refusal to provide access to the complainant: first, the Respondent relied on s. 9(1) of PIPEDA, which allows access to be denied if such access would reveal personal information about a third party (in this case, the Respondent argued that the complainant’s spouse’s consent was required); second, the Respondent argued that the Ombudsman’s services were not a “commercial activity” and therefore beyond the scope of PIPEDA (which applies to those organizations in respect of personal information which the organization collects, uses or discloses in the course of commercial activities). Finally, the Respondent relied on paragraph 9(3)(d) of PIPEDA which exempts from disclosure information generated in the course of a “formal dispute resolution process”.

Finding

The Commissioner, in its Report of Findings #2016-006, found that the Respondent violated PIPEDA when it refused access to the complainant’s personal information. The Commissioner rejected the Respondents arguments.

Regarding third party information, the OPC found that despite the fact that the home insurance policy was held jointly with the complainant’s spouse, the Respondent’s proper response would have been to remove the third party’s personal information (the complainant’s spouse) and to provide access to the rest.

With respect to the claim regarding commercial activity, the Respondent relied on the OPC’s past decision, which was the subject of judicial review in State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada, 2010 FC 736, to argue that the Ombudsman’s activity was not a “commercial activity”. In that decision, the Federal Court held that personal information collected by an insurer for the purpose of defending a claim against its insurer was not subject to PIPEDA. The OPC distinguished State Farm from the facts at hand as the complainant in that case was not a client of State Farm, and thus, there was no commercial relationship between them. However, the dominant purpose for the information collected by the Ombudsman in this dispute resolution process arose out of a direct commercial relationship between the complainant and the Respondent.

Formal dispute resolution process

The OPC spent a fair bit of time in its analysis of this aspect of the complaint. The Respondent had argued that the Bank’s Ombudsman role had all the hallmarks of a “formal” dispute resolution system:

  1. Legislatively required and governed

The Respondent advised that the Bank Act and the Insurance Companies Act both require federally regulated financial institutions and insurance companies to, among other things, establish formal procedures and processes for resolving customer complaints. It also advised that the Financial Consumer Agency of Canada Commissioner’s Guidance Document No. CG 12 states that all federally regulated financial institutions “are required by legislation to have dedicated procedures as well as personnel in place to deal with consumer complaints.” Finally, Respondent noted that the Financial Services Commission of Ontario (“FSCO”) General Insurance Bulletin No. G-02/03 states that customers must attempt to resolve their complaints directly with their insurer before accessing the Office of the Insurance Ombudsman. Moreover, the FSCO General Insurance Bulletin No. G-05/96 requires all insurance companies to have in place a “Consumer Complaint Handling Protocol” for dealing with consumer complaints and to appoint an Ombudsman Liaison Officer to liaise with the Office of the Insurance Ombudsman.

The OPC, however, was of the view that this regulatory structure did not speak to the formality of those processes; it simply required banks and insurance companies to have a process in place, but did not provide any framework of what this process must entail. Banks and insurance companies retained considerable flexibility as to the kind of internal processes adopted.

2. Independent and impartial

The Respondent submitted that the Ombudsman is an independent and impartial office which reports to the Deputy General Counsel of the Bank and is not associated with or aligned to any business line within the Bank. The Ombudsman has the mandate to independently review the concerns of the Bank customers that remain unresolved after the dispute has been addressed by the Bank’s internal complaints resolution process. The Respondent further advised that the role of the Ombudsman is primarily as a mediator and settlement facilitator between the Bank and its customers, who investigates and attempts to fairly and impartially resolve issues relating to customers’ concerns. The goal of the Ombudsman, according to the Respondent, is to apply principles of fairness to find an acceptable resolution, without any interference, direction or influence from the Bank.

The OPC found that despite the foregoing, the Ombudsman nonetheless “remains an internal function of the Bank and is led by an employee of the Bank, who reports to the Deputy General Counsel of the Bank. It is questionable whether the Ombudsman is capable of being perceived as independent of the Bank.”

3. Generates information subject to settlement privilege

The Respondent argued that the information generated during the course of resolving a dispute is subject to settlement privilege. The Respondent indicated that one of the functions of the Ombudsman is to negotiate with both parties and recommend settlement terms. The current Ombudsman process requires that all communications with the Ombudsman are kept private and confidential between the customer, the Bank and the Ombudsman, meaning that the customer and the Bank agree not to seek to have the Ombudsman representative(s) produce its files and records, nor to testify or give evidence. According to the Respondent, the courts have consistently recognized the privilege surrounding settlement negotiations, including mediation.

The OPC, however, was of the opinion that the Respondent did not make out a case for the application of settlement privilege. The OPC went on to say that to the extent that PIPEDA may allow organizations to withhold information covered by settlement privilege, this issue would be more appropriately dealt with pursuant to paragraph 9(3)(a) of PIPEDA, which provides an exemption on the basis of information protected by solicitor-client and litigation privilege.

In the end, the OPC determined that the Respondent’s “formal dispute resolution process” was not formal for the purposes of PIPEDA. Noting the PIPEDA’s quasi-constitutional status, the OPC ultimately found that any interpretation of a restriction on the rights recognized under PIPEDA should be interpreted narrowly. The OPC noted that a formal dispute resolution process required the presence of a framework, either legislated or agreed to by the parties to the dispute. No such framework existed.

Company Disagrees with Finding

It is the practice of the OPC to issue a Preliminary Report of Investigation (“PRI”), to which an organization may respond. In the PRI, the OPC makes “recommendations” that the organization may or may not agree with. It is unusual for an organization to reject outright the OPC’s recommendation.

In this case, the OPC issued a PRI recommending that the Respondent provide the complainant with access to all information generated during her complaint to the Ombudsman, unless another exemption pursuant to PIPEDA applied to the information.

The Respondent respectfully disagreed with the OPC’s finding that the Ombudsman is not a “formal dispute resolution process” pursuant to paragraph 9(3)(d). However, notwithstanding this position and without prejudice to future matters, the Respondent did provide the complainant with access to her personal information generated in the course of her complaint to the Ombudsman.

Guidance for Business

This decision highlights two important takeaways for organizations to consider when dealing with PIPEDA requests.

First, notwithstanding the fact that an organization may have an ombudsman or other sophisticated dispute resolution mechanism in place, it may nonetheless not qualify for an exemption from the access requirements under PIPEDA. Organizations which have been relying on the protections that privilege may afford under such processes may be surprised to find that the same information is subject to disclosure under PIPEDA, particularly if privilege is overlooked as a ground of exemption from such disclosure.

Second, even if a request for personal information may disclose the personal information of a third party, the proper procedure is to redact and remove all references to the third party and to provide the complainant with access to the remainder.