1 Sept. 2010
CANADA: OPC report on mortgage broker audit
In her 2009 Annual Report to Parliament, the Privacy Commissioner of Canada reported on an audit of selected mortgage brokers conducted by her office. Within a few months during 2008, 14 mortgage brokers in Ontario advised the Office of the Privacy Commissioner (OPC) of breaches involving personal information, raising concerns about the privacy practices of these mortgage brokers.
Section 18 of the Canadian federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), provides that:
“The Commissioner may, on reasonable notice and at any reasonable time, audit the personal information management practices of an organization if the Commissioner has reasonable grounds to believe that the organization is contravening a provision of Division 1 or is not following a recommendation set out in Schedule 1 …”
Due to the serious and systemic nature of the incidents, the commissioner determined there were reasonable grounds to warrant an audit of the personal information handling practices of selected mortgage brokers under Section 18.
The audit reviewed the policies, procedures and safeguards implemented by the brokers and their head offices. The OPC also met with various other stakeholders such as industry associations, the financial services regulator of Ontario and law enforcement officials.
The commissioner noted that each of the mortgage brokers had implemented some elements of privacy compliance; however, none of them was fully compliant with PIPEDA.
In relation to safeguarding personal information, the audit found that physical security was lacking in some instances. For example, paper files were stored in unlocked filing cabinets or left openly on desks. Electronic files were protected by passwords and encryption, but the Web-based systems used by the brokers had not been tested for vulnerabilities, there were no proactive systems or processes in place to monitor for suspicious activity by agents, and there were no controls limiting the volume of access by agents (i.e., the number of credit reports an agent could download).
Although PIPEDA has been in effect since 2001, the existence and availability of privacy notices was inconsistent: they ranged from detailed privacy notices posted on Web sites, to posted policies that lacked sufficient detail, to brokers whose policy had been neither posted online nor made available to clients. The mortgage brokers’ practices for obtaining consent were also not always consistent with PIPEDA. In some cases, credit reports were accessed before consent had been obtained. In other cases, verbal consent was obtained and written consent was only recorded after the credit report had been accessed. And there were examples where there was no record of consent having been obtained at all. Where consent forms were used, they did not allow clients to opt out of secondary uses of their personal information, e.g. for marketing purposes.
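Two of the safeguard gaps above, the absence of monitoring for suspicious agent activity (including a cap on report downloads) and credit reports pulled before or without recorded consent, are the kind of thing a broker can detect from its own audit trail. The following is an added illustration, not code from the OPC report or from any broker: it assumes a hypothetical credit-report access log with one line per pull (pull time, agent ID, client ID, and the time consent was recorded, blank if none) and a hypothetical per-agent daily download cap, and flags pulls with no consent record, pulls that precede the recorded consent, and agents that exceed the cap.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the OPC report). Fields per line:
# pull_time,agent_id,client_id,consent_time   (consent_time empty if none recorded)
SAMPLE_LOG = """\
2008-03-03T09:12:00,agent17,C1001,2008-03-03T09:05:00
2008-03-03T09:40:00,agent17,C1002,
2008-03-03T10:02:00,agent17,C1003,2008-03-03T10:30:00
2008-03-03T10:05:00,agent17,C1004,2008-03-03T10:00:00
2008-03-03T10:06:00,agent17,C1005,2008-03-03T10:00:00
2008-03-03T10:07:00,agent17,C1006,2008-03-03T10:00:00
2008-03-03T11:15:00,agent42,C2001,2008-03-03T11:00:00
"""

DAILY_CAP = 5  # hypothetical cap on credit report pulls per agent per day


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pull, agent, client, consent = line.split(",")
        records.append({
            "pull_time": datetime.fromisoformat(pull),
            "agent": agent,
            "client": client,
            "consent_time": datetime.fromisoformat(consent) if consent else None,
        })
    return records


def consent_findings(records):
    """Flag pulls with no consent record, or consent recorded after the pull."""
    findings = []
    for r in records:
        if r["consent_time"] is None:
            findings.append(("no_consent_record", r["agent"], r["client"]))
        elif r["consent_time"] > r["pull_time"]:
            findings.append(("pull_before_consent", r["agent"], r["client"]))
    return findings


def volume_findings(records, daily_cap=DAILY_CAP):
    """Flag an agent once per day when their pull count passes the cap."""
    counts = defaultdict(int)
    findings = []
    for r in sorted(records, key=lambda r: r["pull_time"]):
        key = (r["agent"], r["pull_time"].date())
        counts[key] += 1
        if counts[key] == daily_cap + 1:
            findings.append(("daily_cap_exceeded", r["agent"], str(r["pull_time"].date())))
    return findings


def review(text=SAMPLE_LOG, daily_cap=DAILY_CAP):
    """Run both checks over a log and return the combined list of findings."""
    records = parse_log(text)
    return consent_findings(records) + volume_findings(records, daily_cap)


if __name__ == "__main__":
    for finding in review():
        print(*finding)
```

On the constructed log this reports one pull with no consent record, one pull that precedes the recorded consent, and agent17 exceeding the daily cap on the sixth pull. In practice the consent timestamp would come from the broker's own consent record rather than the same log line, and the cap would be enforced in the system that issues the report, not only reviewed after the fact; the point of the audit finding is that neither the check nor the cap existed.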
The audit also revealed that the mortgage brokers lacked organizational awareness of their accountabilities for privacy. It identified shortcomings such as a lack of awareness of the role and responsibilities of the designated privacy officer (each of the brokers had designated a chief privacy officer), a lack of training for agents, the absence of a formal breach reporting policy, and weak hiring processes that relied too heavily on interviews and the candidate’s stated knowledge and did not include measures such as confirming the candidate’s licensing status and good standing within the industry association.
As a result of this audit, the OPC is now working with the industry associations to develop relevant guidance material that will inform Canadians about the exercise of their rights when dealing with mortgage brokers and will help brokers meet their obligations under privacy legislation.
This audit is a good example of the circumstances under which the OPC will initiate an audit of a business or an industry and the significant scope such an audit entails.