PIPEDA Case Summary #2017-005: Insurance company required to delete individual’s personal information after individual withdraws consent
An individual complained that their former automobile insurance company refused to delete their personal information upon withdrawal of consent. The company initially refused, citing the need to provide insurance history to other insurers. The Office determined that the company should have treated the request as a withdrawal of consent. The company subsequently deleted the information from its records after the individual accepted the implications. However, the company was not required to ensure deletion from third-party records to which the information had been lawfully disclosed. The company was also found to be in contravention for not having clear policies on third-party disclosures.
- Withdrawal of consent for the continued use of personal information
- Deletion of personal information from an organization's records
- Deletion of personal information from third-party records after lawful disclosure
- Accountability for information disclosure policies and procedures
Complaint partially well-founded and resolved, partially well-founded and conditionally resolved, and partially not well-founded.
The company contravened PIPEDA by not having clear policies regarding third-party disclosures and by initially refusing to delete the individual's information upon withdrawal of consent. The company resolved the deletion issue by deleting the data and committed to improving its policies. The office found no contravention regarding third-party record deletion as the disclosure was lawful.
AI-generated summary for reference only. Always verify against the official decision ↗
The company deleted the complainant's personal information from its records and committed to developing and making available a document explaining its policies and procedures for disclosing personal information to third parties.
- Principle 4.1.4(d) PIPEDA
This summary is informational only and not legal advice.