Audit indicates ICBC information sharing program could be improved

Drew McArthur, acting information and privacy commissioner of British Columbia, confirmed today the Insurance Corporation of British Columbia (ICBC) is fulfilling its duty under the Freedom of Information and Protection of Privacy Act (FIPPA) for the most part.

The act is intended to protect the personal information of British Columbians.

ICBC has access to millions of B.C. residents’ personal information in order for the Crown corporation to give out a driver’s licence, register or insure a vehicle, or process an insurance claim.

Each year, approximately 900,000 insurance claims are processed and approximately 1.6 million driver licence-related transactions are conducted by ICBC.

“We have to provide our personal information to government in order to access the programs we need. That information is collected, shared, used, and shared again – sometimes without our knowledge or consent.” said McArthur. “ICBC holds one of B.C.’s most complete personal information data sets and shares that data with many other organizations, from bailiff services and municipalities, to parking lot operators and tow companies.”

The audit assessed whether ICBC has an adequate policy framework for the approval, drafting, and monitoring of information sharing agreements. It also looked at whether the organization is meeting its obligations under FIPPA for the collection, use, disclosure, and retention of personal information.

“For the most part, disclosures of personal information by ICBC to approved third parties are reasonable and proportionate to their intended use.” explains McArthur. “But there is more that ICBC could, and should, do to protect the personal information of British Columbians.”

Here are some of the recommendations made by the report:

• amending ISAs (Information Sharing Agreement) regularly to incorporate collection authority, rationale for disclosure, custody and control, breach management, training, and notification to ICBC in the event of staff termination;
• tracking and reviewing third-party access to personal information held by ICBC, including removing duplicate and outdated user IDs, and ensuring that an ISA is in place before granting access to third parties; and
• conducting additional compliance monitoring with third parties, as well as internal audits and reviews of ICBC systems, policies, and information sharing governance.

McArthur says ICBC has contacted him and indicated they will immediately undertake efforts to address his recommendations.