Privacy key in electronic age

By Bryan Borzykowski | May 25, 2007 | Last updated on May 25, 2007
4 min read

Privacy breaches are nothing new, but in the fast-paced digital era, where everything’s done through the internet, protecting a client’s information is more important than ever. Advisors who don’t already have one should start developing a privacy policy now.

“We hear more and more about breaches,” said Sandra Dolson, wholesale compliance manager at Sun Life Financial at CLIEDIS’s annual general meeting earlier this month. “You have to assess the risk and change things. (Do you want to) wake up in the morning and see your company name splashed across the paper?”

Privacy policies have been a hot topic in the financial industry since 2004, when the Personal Information and Electronic Documents Act came into force. PIPEDA is in place to ensure that customer information is kept safe, and not shared without a client’s consent. This forced many advisors, dealers and carriers to develop a thorough privacy policy. Still, breaches occur.

One reason for these security violations is a lack of communication. Dolson said MGAs and carriers need to talk to advisors and stress the importance of a strong privacy policy. “It’s important to dialogue with advisors,” she said in her presentation. “They’re busy people, and they want to do the right thing, but make sure they keep (these things) in mind.”

Dolson said advisors are in a position to collect a lot of personal information. Clients need to understand this, and know who will have access to their files. If the privacy policy is not spelled out, there’s a risk of losing business. “Respecting the protection of personal information is really important in the private sector,” said Dolson. “You want to have the consumer confidence.”

But not everyone does a good job of explicitly outlining their policies — especially when it comes to insurance industry websites. David Nash, a lawyer at Mackenzie Lake Lawyers in London, Ont., has looked at many insurance company websites and found that a lot of them don’t sufficiently state that they’re sharing customer information with third parties.

“One issue with insurance companies is cross marketing and cross referencing,” said Nash. “That really shouldn’t happen without the policy holder’s informed consent.”

Nash takes particular issue with sites where client information is automatically shared. “The policyholder has to take steps to agree,” he said. “If it said we’re going to use the info unless you disagree, there are certainly ethical issues there. You’re not supposed to function that way.”

The best way to approach the issue of sharing information with third parties is, simply, to ask the client to give their consent. If this is done online, make sure the client can click somewhere to show that they’ve agreed to the privacy policy. “This is an issue that’s out there and you have to be vigilant and recognize that it’s not going to go way,” said Nash. “Companies are getting bigger and bigger, offering a wider array of products. They’re going to want to use these marketing schemes.”

For this reason, it’s imperative that advisors keep their privacy policies up-to-date. Terry Zavitz, president of London, Ont.-based Zavitz Insurance, just updated her policy last Monday. “You’re constantly evolving the process,” she said. “It’s tough because every time you think you have it nailed down you realize there’s another improvement.”

Zavitz first developed her policy in 2004 by using the template found in Advocis’ best practices manual, and charged an employee to handle all privacy-related tasks. After coming up with a plan, she told her clients in a newsletter that a policy was in place. Somewhat surprisingly, no one reacted to the document. “My feeling is that clients just expect that now,” she said. “They understand privacy policies.”

In Zavitz Insurance’s policy, clients are told that the company keeps a variety of policy forms, which they can choose to have destroyed. “Only one client has ever said that they didn’t want us to keep it,” she said. “So we shredded it.”

While Zavitz’s policy is comprehensive — an advisor needs three passwords to access the company’s computers — it doesn’t stipulate what to do in the case of a breach.

Jamie McGeachin, vice-president of operations at HUB Financial, said that companies should come up with a plan if something goes wrong. “Our privacy policy includes what we would do if there’s a breach,” she said. “Who would we start a conversation with? Who needs to be notified right away? Getting in touch with the carriers who’ve been affected would definitely be part of the process.”

As good as it is to have these policies in place, no one is saying that developing a plan is easy. But Dolson said with technology constantly evolving — especially in the insurance industry — companies can’t ignore the importance of privacy. “As we start to automate and do things differently, we need to look at this. Whether it’s at the firm, carrier or advisor levels, you have to assess the threats and common incidences that can cause harm to a client and their business.”

Filed by Bryan Borzykowski,,


Bryan Borzykowski