Audit Finds ICBC Could Improve Information Sharing Program

VICTORIA, Canada, Sept. 13 -- The Office of the Information & Privacy Commissioner for British Columbia issued the following news release:

Acting Information and Privacy Commissioner Drew McArthur has confirmed that, for the most part, the Insurance Corporation of British Columbia (ICBC) is fulfilling its duty under the Freedom of Information and Protection of Privacy Act (FIPPA) to protect the personal information of British Columbians. The findings were published today in Audit & Compliance Report F17-01: Insurance Corporation of British Columbia Information Sharing Agreements.

Millions of BC residents are required to provide their personal information to ICBC to obtain a driver's licence, register or insure a vehicle, or process an insurance claim. Each year the Crown corporation conducts approximately 1.6 million driver licence-related transactions and processes approximately 900,000 insurance claims.

We have to provide our personal information to government in order to access the programs we need. That information is collected, shared, used and shared again - sometimes without our knowledge or consent,‖ says McArthur. ICBC holds one of BC's most complete personal information data sets and shares that data with many other organizations, from bailiff services and municipalities to parking lot operators and tow companies.

For these reasons, I selected ICBC for this special report, the fifth examination conducted by my Audit & Compliance team.

The audit assessed whether ICBC has an adequate policy framework for the approval, drafting, and monitoring of information sharing agreements (ISAs), as well as whether the organization is meeting its obligations under FIPPA for the collection, use, disclosure, and retention of personal information.

Auditors reviewed ICBC policies and practices on sharing and protecting the information of drivers, vehicle owners, and insurance policy holders. They also examined a random sample of 94 information sharing agreements, analyzed user lists, and interviewed key ICBC staff.

Under FIPPA, public bodies in BC may only collect what is necessary and they must protect the personal information they collect,‖ said McArthur. ―For the most part, disclosures of personal information by ICBC to approved third parties are reasonable and proportionate to their intended use. But there is more that ICBC could - and should - do to protect the personal information of British Columbians.‖

The Commissioner made 12 recommendations in the report, including:

* amending ISAs regularly to incorporate collection authority, rationale for disclosure, custody and control, breach management, training and notification to ICBC in the event of staff termination;

* tracking and reviewing third party access to personal information held by ICBC, including removing duplicate and outdated userIDs, and ensuring that an ISA is in place before granting access to third parties; and

* conducting additional compliance monitoring with third parties as well as internal audits and reviews of ICBC systems, policies, and information sharing governance.

ICBC has contacted me and indicated that they will immediately undertake efforts to address all of my recommendations,‖ says McArthur.

Audit & Compliance Report F17-01 Insurance Corporation of British Columbia Information Sharing Agreements is available for download at https://www.oipc.bc.ca/media/16956/ac-f17-01-icbc-final.pdf

The Commissioner's office has created a guidance document to help public bodies and organizations create ISAs and understand their obligations under FIPPA and PIPA.

Information Sharing Agreements Guidance Document is available for download at

https://www.oipc.bc.ca/guidance