Privacy Law for Insurance Brokers in Canada

By Yong Du

PIPEDA and provincial PIPA obligations for Canadian insurance brokers — what applicant and claims data you hold, breach reporting for health and financial records, and compliance requirements under provincial insurance regulation.

What makes insurance brokers distinct

Insurance applications require clients to disclose personal information that spans health history, financial details, property conditions, and driving or claims history — depending on the line of business. This disclosure is necessary for underwriting but creates a dataset that combines health information, financial information, and identity details in a single file.

Claims files are even more sensitive: they often include medical reports, income documentation, property damage evidence, and legal correspondence — all in a context where the client is already in a vulnerable position following a loss event.


Which laws apply

PIPEDA
  Applies when: The broker handles personal information in commercial activity; or clients are in provinces without substantially similar legislation
  Regulator: OPC — priv.gc.ca

Alberta PIPA
  Applies when: Clients or employees are Alberta residents
  Regulator: OIPC Alberta — oipc.ab.ca / breachnotice@oipc.ab.ca

BC PIPA
  Applies when: Clients or employees are BC residents
  Regulator: OIPC BC — oipc.bc.ca

Provincial regulatory overlay: Insurance brokers in Alberta are licensed by the Alberta Insurance Council (AIC); in BC by the Insurance Council of BC. Both regulators have professional conduct requirements. A privacy breach may trigger professional disclosure obligations — contact your regulator to determine what reporting is required following a breach involving client data.


What personal information insurance brokers hold

Life and health insurance applications: Name, date of birth, SIN (for some life products), health history (diagnoses, medications, treatments, surgeries, mental health history), smoking status, occupation and income, beneficiary information.

Property and casualty applications: Name, address, property description, vehicle information, driving record, prior claims history, security system details, business operations (for commercial lines).

Claims files: Incident descriptions, medical records and reports, treatment history, income documentation (for disability or income replacement claims), repair estimates, photographs, witness statements, legal correspondence.

Client policy records: Policy numbers, coverage details, premium payment history, renewal history.

Employee information: SINs, banking details, licensing records, employment records.


Common breach scenarios

Phishing: A broker's email account contains years of client applications, policy documents, and claims correspondence. Compromised broker email is a direct path to sensitive health and financial information about every active client. See Phishing and Business Email Compromise.

Ransomware: Insurance brokerage management systems holding application and claims files are high-value ransomware targets. Every client whose file was in the affected system is a potential affected individual. See Ransomware Attack: What Canadian SMEs Must Do.

Brokerage management platform breach: Cloud-based brokerage management systems (Applied Epic, Broker Management System, etc.) that hold client files are vendor breach scenarios if the platform is compromised. See Vendor or Third-Party Breach.

Improper disposal: Printed applications, medical reports in claims files, or policy documents not securely destroyed. See Physical Records Breach.


RROSH in an insurance broker breach

Health information: Any breach involving health history from insurance applications — diagnoses, medications, mental health treatment — is almost certain to meet the RROSH threshold. Health information exposure creates risk of discrimination (employment, social relationships), stigma, and significant personal distress.

Claims files: Claims files often contain the most sensitive personal information in a client's relationship with the broker — medical records, income details, and details of the loss event. RROSH is present in virtually every breach involving active claims files.

Combined health and financial data: Life and disability insurance applications combine health history with income and net worth information. This combination elevates RROSH above either category alone.


Core compliance obligations

Privacy officer: Designate a named individual responsible for PIPEDA compliance. Their contact must appear in the brokerage's privacy policy.

Privacy policy: Describe what client information is collected for each line of business, why, which insurers and third parties it is shared with, how it is protected, and how clients can access their information. Must be available to clients before collection begins.

Client consent: Clients must consent to the collection of their personal information — including health information on life and health applications — before you collect it. Consent must be informed: clients must understand what they are disclosing and to whom it will be transmitted. For sensitive health information, express consent is required.

Retention: Insurance regulatory requirements and the applicable limitation period for professional liability claims govern minimum retention periods for client files. Contact your provincial insurance regulator for specific retention guidance. After the minimum period, files must be securely destroyed.

Insurer and vendor contracts: Every insurer portal and brokerage management platform must have written privacy and security obligations. Confirm that insurers receiving client applications acknowledge their own accountability for the data they receive.

Safeguards: Encrypted storage for client files and claims documents, MFA on all brokerage management platforms, access limited to brokers and staff serving each client, secure destruction of paper files and printed reports.

Client notification specifics: When notifying clients of a breach involving health information, describe specifically what health information was involved. Advise clients to monitor their existing health and financial accounts for unauthorized activity. For breaches involving SINs (life insurance applications), advise placing a fraud alert with both national credit bureaus.


This guide covers PIPEDA, Alberta PIPA, and BC PIPA obligations for insurance brokers. AIC and Insurance Council of BC professional conduct obligations are separate and not covered here. Quebec's Law 25 is not covered here.

Frequently asked questions

Does PIPEDA apply to insurance brokers?

Yes. Insurance brokers collect and use personal information in the course of commercial activity. PIPEDA applies. Alberta PIPA and BC PIPA apply for clients who are Alberta or BC residents. Insurance brokers are also regulated provincially — by the Alberta Insurance Council (AIC) in Alberta and by the Insurance Council of BC (ICBC) in BC — and those regulators have professional conduct requirements that run alongside PIPEDA.

Insurance applications ask about health history — does PIPEDA apply to that information?

Yes. Health information collected on insurance applications — medical conditions, medications, treatment history, smoking status — is personal information subject to PIPEDA. It is also among the most sensitive categories recognized under PIPEDA, requiring heightened safeguards. A breach of insurance application data that includes health history is almost certain to meet the RROSH threshold. The insurer receiving the application also has accountability for the health information it receives — both the broker and the insurer may have notification obligations.

A claims file containing medical records and financial details was accessed — what are our obligations?

Conduct a RROSH assessment immediately. A claims file may contain medical reports, treatment records, financial loss documentation, witness statements, and legal correspondence. This information is highly sensitive and its exposure can cause significant harm — insurance fraud, privacy violations that affect the claimant's employment or relationships, and financial harm. RROSH is almost certainly present. Notify the OPC, the applicable provincial regulator, and the affected client directly.

We use the insurer's portal to submit applications — who is responsible for the data?

Both parties may be accountable for the personal information involved. As the broker, you collected the information from the client and transmitted it to the insurer. Your accountability under PIPEDA covers the collection and transmission. The insurer is accountable for the information it holds on its systems. If the insurer's portal is breached, notify the insurer immediately and determine jointly whether you have independent notification obligations based on what data you transmitted and what was affected.

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.