Privacy Resources

Insurance brokers collect, store and share clients' personal information necessary for the binding and renewal of insurance coverage and related services.

Here are links to authorities and resources to assist insurance brokers in complying with privacy statutes and contractual requirements for proper handling of clients' personal information.



Nearly all businesses in Canada must comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). The Office of the Privacy Commissioner of Canada website includes guidelines, fact sheets and other tools; some highlights include:



The Personal Information Protection Act (PIPA) establishes privacy requirements for all private-sector organizations in B.C. It has been recognized as substantially similar to PIPEDA and goes beyond it in areas such as how businesses must safeguard the personal information of their employees.

The Office of the Information and Privacy Commissioner for B.C. website provides a wide range of guidance documents for businesses and organizations. Some highlights include:



As agents of a Crown corporation (ICBC), Autoplan brokers are also subject to the provisions of the Freedom of Information and Protection of Privacy Act. One of the key provisions of this statute is the requirement that personal information held on behalf of a public body be stored in, and accessed only from, facilities located in Canada; this rules out foreign-hosted cloud storage or backups for Autoplan data. Autoplan brokers will find information on their privacy requirements on the ICBC Extranet.



Merchants that accept debit or credit-card payments at the point of sale must meet the Payment Card Industry Data Security Standard (PCI DSS). The standard is maintained by the PCI Security Standards Council, a body founded by the major card brands (American Express, Visa, MasterCard and others); compliance is enforced by the card brands through merchants' acquiring banks. In April 2015 the Council released PCI DSS v3.1, which removed SSL and early TLS (v1.0 and 1.1) from its definition of strong cryptography. Merchants using those protocols were told to discontinue them before June 30, 2016; the Council later extended that deadline to June 30, 2018, with a documented risk-mitigation and migration plan required in the meantime. TLS v1.2 or later is required. What matters is the lowest protocol version a system will still negotiate: a payment server that prefers TLS 1.2 but still accepts a TLS 1.0 handshake remains non-compliant.
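The following is an added example, not code from the page or from the PCI Council, that shows how the "no SSL or early TLS" requirement looks in practice for a Python service: it builds a legacy-style server context that still accepts TLS 1.0 next to a hardened one pinned to TLS 1.2 and later, audits each context for early-TLS versions it would still negotiate, and includes a network probe for checking a live host. The function and constant names (`legacy_server_context`, `hardened_server_context`, `early_tls_findings`, `server_accepts`, `EARLY_TLS`) are this example's own; only the `ssl` and `socket` standard-library APIs are real.

```python
import socket
import ssl

# Protocol versions the ssl module can name, lowest first.  The HAS_* flags
# report whether the linked OpenSSL was built with that version at all.
PROTOCOLS = [
    ("SSLv3",   ssl.TLSVersion.SSLv3,   ssl.HAS_SSLv3),
    ("TLSv1",   ssl.TLSVersion.TLSv1,   ssl.HAS_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
]

# "SSL and early TLS" as PCI DSS v3.1 describes it (name chosen for this example).
EARLY_TLS = ("SSLv3", "TLSv1", "TLSv1.1")


def _bounds(ctx):
    """Return (lo, hi) integer protocol bounds for a context.

    minimum_version/maximum_version may hold the open-ended sentinels
    MINIMUM_SUPPORTED (-2) and MAXIMUM_SUPPORTED (-1); expand those so a
    plain numeric range comparison works (0x0300 = SSLv3 ... 0x0304 = TLS 1.3).
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    lo = 0 if lo == ssl.TLSVersion.MINIMUM_SUPPORTED else int(lo)
    hi = 0xFFFF if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED else int(hi)
    return lo, hi


def negotiable_versions(ctx):
    """Protocol versions this context would agree to, given its min/max bounds
    and what the underlying OpenSSL supports.  (Legacy OP_NO_* option flags
    are not consulted here; prefer minimum_version over those flags.)"""
    lo, hi = _bounds(ctx)
    return [name for name, ver, built in PROTOCOLS
            if built and lo <= int(ver) <= hi]


def early_tls_findings(ctx):
    """Versions the context still negotiates that PCI DSS v3.1 prohibits."""
    return [name for name in negotiable_versions(ctx) if name in EARLY_TLS]


def legacy_server_context():
    """The weak setting: a server context that still accepts TLS 1.0 and 1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def hardened_server_context():
    """The corrected setting: refuse anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def server_accepts(host, port, version, timeout=5.0):
    """Live probe: does host:port complete a handshake pinned to exactly `version`?

    Needs network access, so it is not exercised offline.  Modern OpenSSL
    builds may refuse to offer TLS 1.0/1.1 at the default security level, in
    which case False means "this client could not try", not "server refused";
    confirm a clean result with a dedicated TLS scanner before signing off.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        print(f"{label:9s} negotiates {negotiable_versions(ctx)} "
              f"early-TLS findings: {early_tls_findings(ctx)}")
```

Run the module directly to compare the two contexts; the hardened one reports no early-TLS findings while the legacy one lists TLSv1 and TLSv1.1 (when the local OpenSSL still includes them). To check a payment gateway or a broker's own customer-facing host, call `server_accepts("example.com", 443, ssl.TLSVersion.TLSv1)`: a `True` result is a compliance gap regardless of what the server prefers.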

The Centre for Study of Insurance Operations (CSIO) provides a range of guidance and services to assist brokerages in enhancing their technology for more efficient integration with insurers and broker management systems. These include:

Qualified Security Assessor (QSA) organizations have been qualified by the PCI Security Standards Council to assess compliance with the PCI DSS standard. One provider of QSA services is Telus.



In 2015 the Insurance Council of B.C. incorporated Client Confidentiality Guidelines into the licensees' Code of Conduct.



The Digital Privacy Act of 2015 (Bill S-4) amended PIPEDA and introduced mandatory reporting of breaches of security safeguards to the Privacy Commissioner, notification of affected individuals, and record-keeping of all breaches. At the time of writing the supporting regulations were still being drafted, so these requirements were not yet in force; they took effect on November 1, 2018. See Canada's Digital Privacy Rethink.



Canada's anti-spam legislation (CASL), which came into effect July 1, 2014, requires that businesses sending commercial electronic messages obtain prior (express or implied) consent, identify the sender, and provide a working opt-out ("unsubscribe") mechanism in every message.