PRIVACY POLICIES AND PROCEDURES
The Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to all organizations engaged in commercial activities across Canada, except in those provinces that have substantially similar laws. PIPEDA also applies to the federally-regulated private sector regardless of where situated and to personal information (“PI”) in inter-provincial and international transactions. Because virtually all insurers with which MGAs do business are federally regulated, the customer information we collect, use and retain on behalf of insurers is subject to PIPEDA. The information we collect on Advisors is protected by PIPEDA or by substantially similar provincial regulation.
PIPEDA applies to employee information only in organizations that are engaged in federal works, undertakings or businesses, such as most insurers. Because MGAs are provincially licensed and regulated, provincial laws govern personal information we might collect on employees.
We must obtain an individual’s consent when we collect, use or disclose the individual’s personal information (“PI”). An individual has a right to access PI we hold on them and to challenge its accuracy. PI can only be used for the purposes for which it was collected. If we wish to use it for another purpose, we must obtain consent again. We also need to assure individuals that their information will be protected by specific safeguards, including measures such as locked cabinets, computer passwords or encryption.
Complaints: An individual may complain to us or the OPCC about any alleged breaches of the law. The OPCC may also initiate a complaint, if there are reasonable grounds.
Application to the Federal Court: After receiving the OPCC’s investigation report, a complainant may apply to the Federal Court for a hearing under certain conditions set out in the Act. The OPCC may also apply to the Court, which can order us to change our practices and/or award damages to a complainant, including damages for humiliation suffered.
Audits: With reasonable grounds the OPCC may audit our PI management practices.
Offences: It is an offence to:
- destroy PI that an individual has requested;
- retaliate against a covered employee who has complained to the OPCC or who refuses to contravene Sections 5 to 10 of the Act; or
- obstruct a complaint investigation or an audit by the OPCC.
Definition of PI:
PI includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, DNA or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
Provincial Privacy Laws – Variations
Currently Alberta, Quebec and British Columbia have substantially similar privacy laws. Ontario, New Brunswick, and Newfoundland and Labrador have each enacted a law that is substantially similar in its treatment of personal health information. PIPEDA applies in all other respects in these provinces.
Generally, the provinces have been granted greater “coercive powers” and provincial acts appear to have more teeth. The Quebec Act reflects the fact that privacy is a right guaranteed by Quebec’s Charter of Rights and Freedoms.
Insurers’ Contractual Requirements
We receive, use and retain information gathered about Advisors during screening and by Advisors about their customers on behalf of insurers pursuant to written contracts. We do not obtain direct consent from end customers and we may not use the information for any purpose for which the Advisor and/or insurer has not obtained consent. When it comes to handling customer information, for all intents and purposes, we act as an arm of the insurer when processing applications for submission and as part of the delegated monitoring we do on behalf of insurers when reviewing additional customer information that Advisors might house on our systems or produce in response to our requests.
It is critically important that Advisors’ consents include sharing information with us. The Advisor Privacy Statement and Consent template we provide on our website covers Advisors’ obligations.
While we may not use this PI for any purpose other than those for which consent was obtained, we will retain it in our systems. Any additional customer information to which we might have access should be provided to us under the consent that the Advisor receives.
Insurers’ privacy policies typically indicate that they hold their service providers to their privacy standards. While this expectation is not always explicit in our contracts with insurers, we endeavor to meet these standards at all times.
The Compliance Program
In addition to adhering to the 10 Principles of PIPEDA, we are required to have a specific privacy compliance program in place. The required elements of the program are consistent with the compliance regime requirements under The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the “Act”).
Appointed Compliance Officer
Privacy Policies and Procedures
Because we obtain customer information on behalf of insurers and are generally covered by their consents when processing applications for submission to them, providing services in connection with those applications and any policies, or when monitoring Advisors, any activity we undertake relating to customers’ personal information obtained for these purposes must be accomplished through or on behalf of the insurance company. We may access other customer information that Advisors house on our systems or provide to us in order to assist the Advisor in a sales function, for example.
When we receive an access request from a customer, we must determine whether the information requested was collected on behalf of the insurer or the Advisor. For example, when an Advisor performs a needs analysis with a customer, he or she collects quite a bit of information that is not provided to the insurer that is ultimately asked to provide insurance. We may provide software support to the Advisor to house his or her client files, including needs analyses. In addition, we may access these client files from time to time in order to fulfill our monitoring obligation delegated by the insurers or to support an Advisor in the sale. If a customer wishes to access the needs analysis only, the Advisor will have to respond to the request. Realistically, any access request will be more general and will involve information collected on behalf of both insurer and Advisor. In contacting both Advisor and insurer, from time to time we may be asked to respond on their behalf. If we do so, we require written instructions from both parties.
The following rules apply:
- The response to a customer’s access request must be made within 30 days. This can be extended for a maximum of 30 additional days if:
  - responding to the request within the original 30 days would unreasonably interfere with the parties’ activities; or
  - more time is necessary to conduct consultations or to convert PI to an alternate format.
- If a time extension is needed, the individual must be notified of the extension within 30 days of receiving the request, and of his or her right to complain to the OPCC.
- Assistance must be provided to any customer who needs to prepare a PI request.
- The individual may be asked to supply enough information to enable the parties to account for the existence, use and disclosure of PI.
- Access must be provided at minimal or no cost to the individual.
- The individual must be notified of the approximate costs before processing the request and asked to confirm that the individual still wants to proceed with the request.
- The requested information must be understandable and acronyms, abbreviations and codes must be explained.
- The parties must send any information that has been amended, where appropriate, to any 3rd parties that have access to the information. This includes MGAs.
- The individual must be informed in writing when an access request is refused, setting out the reasons and any recourse available.
Customer Access Request Procedures – If we receive a request directly from a customer or through an Advisor on a customer’s behalf:
- Ask the requestor to name the insurer(s) involved. Do not disclose any information to the requestor. We have no regular contact with customers and cannot set up an authentication process that is robust enough to allow us to release PI. Even confirming the existence of insurance policies is inappropriate because we have not authenticated the requestor and ensured that he or she is entitled to the information.
- Do not attempt to discuss any concerns that might have given rise to the request. Remember that well-meaning conversation with customers can often help them “crystallize” a complaint when in fact their original intention was not to complain.
- If the requestor is the Advisor, ensure that the Advisor understands the process to be followed and that any customer PI collected on behalf of the insurer is not released directly to the Advisor.
- Anyone, including the Advisor, making a request on someone else’s behalf needs written authorization from the owner of the PI. Make sure the requestor knows this.
- Notify the Compliance Officer of the request.
- The Compliance Officer should notify the Advisor and/or insurer(s)’ contact person directly and ask for written instructions as to whether they will handle the request or require us to be involved. We will require instructions on handling any PI in our possession, including whether the information needs to be provided in a certain format, the deadlines for providing the information, etc.
Advisor or Employee Access Requests: Notify the Compliance Officer, who will handle all such requests or delegate as needed.
Inquiries and Customer Complaints
If we receive a privacy-related complaint directly from a customer or through an Advisor on a customer’s behalf:
- Do not volunteer information about policies or insurers involved. Explain that the complaint will have to be made directly to the Advisor and/or insurer(s) involved. Ask the requestor to name the insurer(s).
- Do not engage in discussions with the complainant about the complaint. Once again, you don’t want to be in the position of helping individuals “crystallize” their complaints.
- Notify the Compliance Officer. The Compliance Officer should:
  - notify the insurer(s)/Advisor involved and ask for written instructions if our assistance is required in providing PI or resolving the complaint; and
  - ask the parties to keep us apprised so that we can record the decision, make any necessary changes to our policies and procedures, and close the complaint off in our complaint log.
Advisor or employee inquiries or complaints: Notify the Compliance Officer, who will handle all such inquiries or complaints or delegate as needed.
How we safeguard PI is very likely the most critical element of our privacy efforts, given the sensitive nature of the information that we collect, directly and indirectly, use and retain.
We must have appropriate safeguards to ensure that PI is protected from loss, theft and inadvertent destruction, among other things.
PI owned by Advisors, employees and customers is maintained in paper and electronic format in our offices. We have the following controls in place to safeguard this information:
Physical Safeguards – we ensure that our premises are secure through the use of:
  - fire suppression;
  - access cards;
  - locked file cabinets for our paper files holding PI; and
  - reception areas.
- We maintain a clean desk policy.
- We have policies and procedures regarding information security.
- We have policies and procedures regarding access to PI in work-at-home arrangements.
- We have record retention and destruction schedules.
- Our outsourcing agreements for our 3rd-party arrangements require the same safeguards as those we employ.
- We prohibit the removal of PI from our offices.
- We train staff on information security and the need to safeguard PI.
- We provide access to PI on a need-to-know basis, generally based on the roles that staff perform within the MGA.
- We regularly back up our electronic records and provide for their secure storage.
- Our systems are programmed to scan for viruses.
- We use encryption for the transmission of all sensitive information by electronic means, where it is available.
- We have rules for the use of faxes, and our fax equipment is housed in a protected location away from public view.
- We ensure the use of passwords on our systems.
A privacy breach occurs when there is an unauthorized access to, or collection, use or disclosure of PI that contravenes privacy legislation. Typically breaches occur because PI is lost, stolen, disclosed in error or as a consequence of an operational breakdown.
Procedure to Follow for Privacy Breaches:
- Notify our Compliance Officer immediately. The Compliance Officer in turn may notify outside Privacy Counsel and seek advice.
- Gather information about the incident:
  - date of occurrence;
  - date discovered;
  - how discovered;
  - location of the incident;
  - cause of the incident; and
  - any other information you can quickly assemble.
- Contain the breach immediately – don’t let any more information escape:
  - stop the unauthorized practice;
  - recover the records;
  - shut down the system that was breached;
  - revoke or change computer access codes; or
  - correct weaknesses in physical or electronic security.
- Assess the breach – very likely the Compliance Officer will take this on, as the person who conducts the investigation must have authority in the MGA and be able to make recommendations.
- The OPCC states that “if the breach appears to involve theft or other criminal activity, notify the police. Do not compromise the ability to investigate the breach. Be careful not to destroy evidence that may be valuable in determining the cause or allow you to take appropriate corrective action.”
- If customer information was involved, notify the Advisor and insurers involved and work with them to determine who needs to be apprised of the incident internally and externally. Seek instructions on how the insurer would like to proceed. The insurer should determine whether affected individuals should be notified, how they will be notified and by whom. The OPCC states: “Typically, the organization that has a direct relationship with the customer, client or employee should notify the affected individuals, including when the breach occurs at a third party service provider that has been contracted to maintain or process the personal information.” The decision as to whether to notify the affected individuals may have to be delayed in order for a full risk assessment to be conducted.
- Evaluate the risks associated with the breach. Find out:
  - What PI was involved?
  - How sensitive is the information? Generally, the more sensitive the information, the higher the risk of harm. Consider these high-risk forms of PI:
    - health information;
    - government-issued ID such as SINs, driver’s licence and health care numbers; and
    - bank account and credit card numbers.
  - Was a combination of PI involved? This is typically more sensitive: the combination of certain types of sensitive PI along with name, address and DOB suggests a higher risk.
  - How can this PI be used? Can it be used for fraud or other harmful purposes (e.g. identity theft, financial loss, loss of business or employment opportunities, humiliation, damage to reputation or relationships)?
  - Is there a reasonable risk of identity theft or fraud (usually because of the type of information lost, such as an individual’s name and address together with government-issued identification numbers or date of birth)?
  - Is there a risk of physical harm (if the loss puts an individual at risk of physical harm, stalking or harassment)?
  - Is there a risk of humiliation or damage to the individual’s reputation (e.g. the PI includes mental health, medical or disciplinary records)?
  - Was the PI adequately encrypted, made anonymous or otherwise not easily accessible?
  - What is the ability of the individual to avoid or mitigate possible harm?
  - What was the cause of the breach?
  - What is the extent of the breach – how many individuals have been affected, and who are they?
  - What harm can result to the MGA (loss of trust, assets, financial exposure, legal proceedings)?
  - Do I have to report the breach to a regulator?*
- Do a thorough post mortem in order to prevent future breaches. What steps are needed to correct the problem? Is this a one-off issue or is it systemic?
If Advisor or employee information was involved, notify the Compliance Officer immediately. There will likely be no need to notify the insurers, but the Compliance Officer will generally follow the same steps as above with appropriate consideration given to the special sensitivities around employee and Advisor PI.
* Privacy Breach Notifications: Alberta, Ontario, Newfoundland and Labrador and New Brunswick have breach notification requirements for health-related information. Alberta also requires privacy-breach notification for non-health information. According to Gowlings, organizations subject to Alberta’s law must notify their privacy commissioner if personal information is lost, accessed or disclosed without authorization, or has in any way suffered a privacy breach, where a real risk of significant harm to an individual exists as a result of the breach. Under PIPEDA, notification is voluntary at this time.
Processing Personal Data across Borders
If we or one of our service providers process personal information of customers across provincial or national borders, insurers will take a great interest. We will need to have excellent contracts with our providers, perform regular due diligence and ensure that we are aware of and adhere to the guidance provided by the OPCC. See Processing Personal Data across Borders (OPCC Guideline).
Assessing the Program
We assess our controls as often as necessary but in no event less often than every two years. A gap analysis is prepared, which identifies where we have found weaknesses and includes the management action plan and timetable for resolution.
We provide training to front-line staff and management to keep them informed, so that they can answer the following questions:
- How do I respond to public inquiries regarding our privacy policies?
- What is consent? When and how is it to be obtained?
- How do I recognize and handle requests for access to PI?
- To whom should I refer privacy complaints?
- What are my MGA’s privacy initiatives?
- What do I do if I discover a privacy breach?
OPCC Contact Information
Website: www.priv.gc.ca – This website contains extensive contact information for all provincial privacy regulators and ombudsmen. It is kept up to date and should be our first source of regulatory contact information.
General Inquiries: Toll-free: 1-800-282-1376
Phone: (613) 947-1698
Fax: (613) 947-6850
TTY: (613) 992-9190
Hours of service are from 8:30 a.m. to 4:30 p.m.
To report a breach:
By e-mail: email@example.com
By phone: 613-995-2042
By mail: Notification Officer
Office of the Privacy Commissioner of Canada
112 Kent Street
Place de Ville, Tower B, 3rd Floor
- Assessed On: January 23, 2017
- Revised On: January 23, 2017
- Privacy Compliance Officer: Shelley A. Humphries, CCO
- Contact information: firstname.lastname@example.org, 416-901-0305 (direct)