How UBI Works
Insurers generally collect data to support UBI programs by:
Usage-based insurance (UBI) is a type of automobile insurance where insurers consider additional rating factors to determine the level of insurance premiums to be paid by policy holders.
UBI programs involve the collection, use and disclosure of personal information pertaining to the operation of a motor vehicle by individuals. While insurers have a need to collect personal information in order to operate their UBI programs, they must ensure that their collection of personal information about drivers complies with Alberta’s privacy legislation.
In Alberta, the Personal Information Protection Act (PIPA) governs how private sector organizations, including insurance companies, can collect, use, disclose and retain the personal information of individuals.
This document provides practical guidance to the insurance industry regarding the collection, use, disclosure and retention of personal information related to UBI.
Out of Country Service Providers
PIPA requires organizations that rely on service providers outside Canada to:
Before, or at the time personal information is collected from individuals, an insurer:
Unless otherwise authorized, before collecting, using or disclosing the personal information of an individual in relation to a UBI program, an insurer must first obtain consent. Consent may be in writing (including in electronic form) or oral. However, insurers need to consider how they will keep a record of the consent, how they will produce a paper form of the consent if it is obtained electronically, how individuals can withdraw their consent and any implications for the individual’s participation in the UBI program. Further guidance on consent is available here.
Consent is not a silver bullet. An organization cannot collect, use or disclose personal information for a purpose that is not reasonable, even with consent.
PIPA limits the personal information insurers can collect, stating that information can be collected only for purposes that are reasonable and only to the extent that is reasonable for meeting the purpose of operating the UBI program. PIPA defines “reasonable” as “what a reasonable person would consider appropriate in the circumstances.”
In relation to UBI programs, this means insurers must only collect information about individuals and their driving behaviours. Specifically, they must not collect information about an individual unless the individual is operating a vehicle that is insured under the UBI program the individual enrolled in.
UBI programs that rely on smartphone apps to collect driving data about enrolled individuals must be set up so that these mobile apps only collect data while individuals are operating a vehicle, and the operation of that vehicle is insured under the UBI policy.
Insurers may use the personal information only for the purposes for which it was collected, or as authorized by law. Specifically, insurers must not use the information for secondary purposes, such as marketing, unless they have consent from the individuals to do so. PIPA prohibits organizations from requiring individuals to consent to collection, use or disclosure beyond what is necessary to provide a product or service.
Finally, insurers must not disclose the personal information of individuals collected in a UBI program, unless authorized by law, or for a reasonable purpose with the consent of these individuals. Any disclosure must be limited to the amount and type of information that is reasonable for that purpose.
Under PIPA, insurers have an obligation to maintain accurate and complete records of information. Insurers may retain this information only as long as reasonably required for legal and business purposes. Insurers should determine the length of time they are required to retain the information to meet the identified purposes and set the retention based on that. It is recommended that insurers implement and communicate a policy that specifies the retention period, make the policy available to employees, policyholders, and any service providers and destroy the information at the end of the prescribed retention period. Alternatively, insurers may render the personal information non‑identifying so that it can no longer be used to identify an individual. This process must be considered carefully given the challenges of effectively de-identifying personal information.
Throughout the lifecycle of the information, from collection to disposition, insurers must make reasonable security arrangements to protect it. This is a requirement under PIPA and it applies regardless of the format of the information or the location of the server it is stored on. For example, this means restricting access to the information to only employees and service providers with “a need to know”, encrypting electronic devices that contain personal information, as well as implementing binding agreements in relation to any service providers that may store or process the information on behalf of insurers operating UBI programs in Alberta.
If insurers become aware of a privacy breach, they must notify the OIPC where there is a real risk of significant harm to individuals. A privacy breach means a loss of, unauthorized access to or unauthorized disclosure of personal information.
The How to Report a Privacy Breach webpage has more information on breach notification.
Under PIPA, individuals have the right to request access to the personal information about them in the control of an insurer, to request a correction of their personal information and to ask questions about the use and disclosure of their personal information. Upon receiving such a request from individuals enrolled in a UBI program, an insurer must respond to the individual, as specified under PIPA. These requirements also apply to any information that service providers may have in their custody on behalf of an insurer.
Insurers looking to implement UBI programs in Alberta are encouraged to use the OIPC's Privacy Impact Assessment Guidelines for Insurers Looking to Implement Usage-Based Insurance Programs. Given the complexity of UBI programs, the OIPC recommends that insurers who are concerned about the compliance of their UBI programs with PIPA submit a PIA to the OIPC for review.
Otherwise, please contact the OIPC.
Copyright 2021 OIPC. All rights reserved.