The Insurance Corporation of B.C. has deals to share your personal information with almost 250 government and police agencies, parking, tolling and towing companies, law firms, and bailiffs.
But the Crown auto insurer and driver licensing agency is not doing enough to keep control of third party access to its databases, according to a Sept. 13 compliance audit by B.C.’s Information and Privacy Commissioner.
The report said that ICBC “does not conduct compliance monitoring with those who have direct access to ICBC databases.” Nor does it track third party data breaches or require the majority of third parties to report breaches involving ICBC-collected personal information.
“Only 31% of [information sharing agreements] reviewed required third parties to report breaches to ICBC,” the report said.
“One of the big issues in terms of government having more and more information about all of us is who has access to it and that it should only be for people to the extent that they need that information for doing their job or as authorized,” said Vince Gogolek, executive director of the B.C. Freedom of Information and Privacy Association.
Data collected and stored by ICBC about 3.4 million licensed drivers and the owners and operators of 3.5 million registered vehicles includes: contact details, personal information and photographs, driver licence information, financial and business information, vehicle identifiers and insurance coverage.
The report, quoting an unnamed ICBC staff member, said that ICBC “has one of the most complete data sets in B.C.” but doesn’t know what to do with all of it.
“We are a Crown corporation and we perform many functions – like driver licensing – that in most provinces are performed by core government, so we have some obligation to provision data to other branches of government but it’s really not clear what that obligation is, how far it goes, and how much of our resources to put into data sharing when it’s not a core function of our business. It’s becoming a bigger and bigger issue for us.”
Acting Commissioner Drew McArthur launched the audit in February after former New Westminster claims centre adjuster Candy Elaine Rheaume was charged with fraudulent and unauthorized access of the ICBC database.
Rheaume was accused of querying licence plates of people connected to the Justice Institute and accessing personal information that was eventually used by Vincent Eric Gia-Hwa Cheung in a 2011-2012 firebombing spree. In July 2016, Cheung was jailed for 13 and a half years.
More than 70% of the 247 ICBC information sharing agreements are with municipal governments, police agencies and provincial ministries. ICBC also shares personal information with police and other organizations without an ISA. OIPC auditors sampled 94 of the agreements between ICBC and third parties, and found the most common use of personal information was for law enforcement (51%), followed by debt collection (46%).
ICBC’s dirty secret
The report does not specifically mention it, but ICBC maintains a hotline for law enforcement agencies to call for information about drivers and their vehicles.
The so-called Secure Police Line is permitted by a section of the FOI law for routine police investigations and urgent circumstances. A Surrey Claims Contact Centre phone number, changed every six months, is available for officers to call in, provide their badge number and gain access to a trove of personal information about drivers. The report said that information sharing agreements generally restrict foreign storage and information disclosure, but not for the Canadian Council of Motor Transport Administrators and Canadian Police Information Centre, which have legal authority to disclose information in foreign jurisdictions.
“The law enforcement provisions of the law are actually very broad, that’s one of the problems,” Gogolek said. “We want that for [investigating] vehicle thefts and amber alerts, so it’s a question of where do you draw the line? The line has been drawn pretty far over in terms of law enforcement getting access to what they want.”
theBreaker obtained 582 pages of police line call logs from January 2015 to June 2015 under the freedom of information laws. The police line’s existence was confirmed by citizen Daryl Cook when he cross-examined a Burnaby Mountie during a 2006 speeding ticket dispute. Cook’s interest was piqued when a police officer called him on his unlisted phone number.
Canadian law enforcement officers have been caught accessing databases for nefarious reasons. One of the biggest cases resulted in the 2012 jailing of Baljinder Singh Kandola for 15 years for his part in a cocaine smuggling operation. The Canada Border Services Agency officer illegally accessed a database and shared information with cocaine smugglers who had paid $16,000 in bribes for him to let them cross the border from the U.S. into Canada, without inspection.
According to B.C. Supreme Court documents: “On July 24, 2006, Kandola, using his access code, made an unauthorized access of one of the CBSA’s databases and discovered that [co-accused Shminder] Johal was suspected of importing cocaine in the cars and car parts that he, or his companies, regularly imported into Canada. On seeing this, Kandola immediately advised Johal of this suspicion by the authorities.”