DECISION of the GENERAL INSURANCE COUNCIL OF MANITOBA (“Council”) respecting BASIL GALARNYK (“Licensee”) INTRODUCTION The General Insurance Council of Manitoba (the “Council”) derives its authority from The Insurance Act C.C.S.M. c.140 (“Act”) and the Insurance Councils Regulation 227/91. Following receipt of information from Manitoba Public Insurance (“MPI”) with respect to contravention of the Freedom of Information and Protection of Privacy Act (“FIPPA”), by the Agency, an investigation was conducted pursuant to sections 375(1) and 396.1(7)(e) of the Act and s. 7(2)(e) of Regulation 227/91. The purpose of the investigation was to determine whether the Licensee’s activity violated the Act and/or the General Insurance Agent Code of Conduct (“Code of Conduct”). During the investigation the Licensee was notified of the complaint and given an opportunity to make submissions. On February 24, 2016, during a meeting of Council, the evidence compiled during the investigation and the position of the Licensee were reviewed. Pursuant to section 375(1) of the Act and Regulation 227/91, the Council now confirms its decision and corresponding reasons. ISSUE 1. Did the Licensee access Manitoba Public Insurance (“MPI”) – Autopac customer accounts without first obtaining customer approval, in violation of their privacy? Page 1 of 4
FACTS AND EVIDENCE 1. The Licensee has held an agent’s licence since October 29, 1984 and was at all material times the General Operating Agent/Broker/3. 2. Early October 2015, the weekly report reviewed by the MPI - Broker Services Administrator listed 42 times that the Licensee accessed customer information without performing any transactions. 3. Included in this listing were the following files: a) K G – accessed twice on Oct 6 th and once on the 7 th b) N B – accessed twice on Oct 6 th and once on the 7 th c) T P – accessed twice on the 6 th and once on the 7 th d) R S – accessed once on the 9 th and again on the 10 th 4. There were no customer comments provided in the Insurance Work Station (“IWS”), and the MPI Broker Services Administrator could determine no discernible reason for accessing the files. 5. In keeping with the Freedom of Information and Protection of Privacy Act (FIPPA), the Personal Information Protection and Electronic Documents Act (PIPEDA) and Canadian Anti-Spam Legislation (CASL), the Autopac Agency Appointment & Operating Standards states: “Manitoba Public Insurance’s customer information is to be accessed by agency staff only in order to respond to a customer inquiry or process a transaction for the customer.” Agents are permitted to access the customer’s Autopac On-Line file only if the customer is in the office or the customer’s identity is verified by customer contact. Subject to parameters, payments on account can be made by others. The policy specifically states, “Autopac agents are not to access any customer’s Autopac On-Line file under any other circumstance, such as to determine if a customer has renewed their policy.” 6. In his email response to MPI dated October 15, 2015, the Licensee advised that he did not record information when trying to find a missing sticker for customers K G, N B and T P, and in dealing with a Bill of Sale breach for customer R S. 7. With respect to the remainder of the unauthorized accesses, the Licensee stated that he was simply answering customer questions. Page 2 of 4
8. MPI advised the Licensee that his authority to transact MPI business or provide customer advice was suspended for one week commencing October 24, 2015, for accessing customer information without authorization. 9. In his submission to the Council, dated November 18, 2015, the Licensee confirmed that he failed to make comments in the Customer Comments to enquiries, and he noted he would adhere to the required practice in the future. 10. With respect to the four specified individuals, the Licensee noted he was trying to clear up a breach and find missing inventory. He noted that he did not retain or share any of this information. 11. The Licensee stated that once informed of his wrong doing and upcoming suspension by MPI, he reviewed the Broker Procedures for Compliance to FIPPA and spoke with each of his staff. ANALYSIS The Licensee admitted that he had accessed customer accounts to seek a lost sticker and to deal with a breach regarding a Bill of Sale. This is supported by MPI records which reflect eleven transactions for these specific activities. The remaining thirty-one activities were to obtain information, without obtaining authorization and without recording Customer Comments. These were violations of the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Information Protection and Electronic Documents Act (PIPEDA). Customer information is protected by these privacy acts, thus the Licensee violated s. 5 of the Code of Conduct. The Licensee violated S. 375 (1) (e) of the Act – untrustworthiness, and s. 10 of the Code of Conduct by acting in a manner which showed lack of trust in the Licensee’s actions with regard to consumer privacy, and acting in a manner contrary to good faith to the insurer. The Licensee knew, or should have known, the requirements for protection of privacy of information and the rules regarding the use of MPI customer files in conducting business. PENALTY AND FINAL DECISION Council’s Intended Decision dated March 15, 2016, outlined the foregoing background, analysis and conclusions on a preliminary basis. Having regard to its initial determination that the foregoing violations had occurred, Council imposed the following penalty and sanction pursuant to sections 375 (1.1) of the Act and section 7 (1) of Regulation 227/91: 1. The Licensee be fined $1,000.00 and assessed partial investigation costs of $225.00. Page 3 of 4
2. The Licensee complete the MPI – Privacy module within thirty (30) days of acceptance of the intended decision and provide proof of completion to the Council. As part of its Intended Decision, Council further informed the Licensee of his right to request a hearing to dispute Council’s determinations and its penalty/sanction. The Licensee expressly declined his right to a Hearing and chose not to pursue a Statutory Appeal; he instead duly paid the levied fine and partial investigation costs and completed the educational requirement. The Decision is therefore final. In accordance with Council’s determination that publication of its decisions are in the public interest, this will occur, as fully contemplated by section 7.1(1) of Regulation 227/91. Dated in Winnipeg, Manitoba on the 13th day of April, 2016. Page 4 of 4
You are being directed to the most recent version of the statute which may not be the version considered at the time of the judgment.