PRIVACY TRAINING For CAILBA members

What Privacy Laws Apply to Us? The Personal Information Protection and Electronic Documents Act (“PIPEDA”), a federal act, governs our collection of customer information and Advisor information. Alberta, BC and Quebec have private-sector privacy legislation declared “substantially similar” to PIPEDA, which applies in place of PIPEDA to activity within those provinces. (Ontario, New Brunswick and Newfoundland and Labrador have substantially similar laws for health information.)

Why is This Important? The confidence and trust that our insurers and Advisors place in us to protect the privacy of their customers and the confidentiality of their personal information is critical to our ongoing success as a business.

PIPEDA Summary
- We must obtain an individual’s consent to collect, use or disclose his/her personal information (“PI”).
- The person has a right to access it and to challenge its accuracy.
- PI can only be used for the reasons we collected it. We must get consent for any new use.
- We must protect PI with safeguards appropriate to its sensitivity, such as locked cabinets, computer passwords and encryption.

Non-Compliance
- Individuals can complain to the Office of the Privacy Commissioner of Canada (“OPCC”) about alleged breaches. The OPCC can also initiate a complaint itself.
- After the OPCC reports on a complaint, the complainant can apply to the Federal Court, which can order us to change our practices and award damages.
- The OPCC can audit us.

Offences
It is an offence to:
- Destroy PI to which an individual has requested access.
- Retaliate against an employee who complains to the OPCC or refuses to contravene Sections 5 to 10 of the Act.
- Obstruct a complaint investigation or audit by the OPCC.

Our Role in Collecting PI We collect customer PI from Advisors on behalf of insurers and under the consents insurers and Advisors obtain. We act as an arm of the insurer. We collect Advisor PI directly through the CLHIA screening form, which provides express consent, and any follow up screening.

PIPEDA’s 10 Principles
1. Accountability
2. Identify Purposes for Collection
3. Consent
4. Limit Collection of Information
5. Limit Use, Disclosure and Retention of PI
6. Accuracy
7. Safeguards
8. Openness
9. Access
10. Recourse

Principle 1 - Accountability
Requirements:
- Appoint a Privacy Compliance Officer.
- Protect all PI we hold or transfer to a 3rd party.
- Develop and implement policies and procedures.

How Do We Comply?
- We have a Privacy Compliance Officer - add name.
- We use written agreements for the handling of PI we hold or transfer to any 3rd party for processing, and require the same level of PI protection as we provide in house.
- We have a Privacy Policy and Privacy Compliance Program.

Principle 2 - Identify Purposes for Collection
Requirements:
- Identify why PI is needed before or when we collect it, and tell the individual how it will be used.
- Document why PI is collected.
- Get new consent for any new purpose for using PI.

How Do We Comply? See our Privacy Policy. We do not collect PI directly from customers. When we collect PI from an Advisor in order to screen for initial and ongoing suitability, we use the consent provided by the CLHIA for screening Advisors, which meets the standard. If we were to identify a new purpose for PI, we would obtain consent prior to use.

Principle 3 - Consent
Requirements:
- Explain clearly the purposes for collecting, using or disclosing PI.
- Obtain consent before or at the time of collection, or when we want to use PI for a new purpose.

How Do We Comply? See our Privacy Policy and Principle 2 above.

Principle 4 - Limit Collection of Information
Requirements:
- Do not collect PI indiscriminately.
- Do not mislead people about the reasons for collecting PI.

How Do We Comply? See our Privacy Policy. We collect only that customer information required by insurers and Advisors, including information required for legal and regulatory purposes. We collect Advisor information required to screen for suitability and fit with the organization, information needed to meet regulatory requirements and to pay Advisors.

Principle 5 - Limit Use, Disclosure, Retention
Requirements:
- Use or disclose PI only for the purpose for which it was collected, unless the individual consents or the Act authorizes the use or disclosure.
- Keep it only as long as needed for the stated purposes.
- Implement procedures for retaining and destroying PI.
- Keep PI used to make a decision about an individual for a reasonable time, so that he/she can access the information and seek redress.
- Destroy information that is no longer required for a stated purpose or by law.

How Do We Comply? We collect, use and retain PI in order to perform our functions as stated in our Privacy Policy. Insurers must inform us of their record retention requirements for customer information. We retain Advisor information for at least 18 months after the end of any contractual relationship, in keeping with the intention of the CLHIA Guidelines on screening and reporting Advisors.

Principle 6 - Accuracy Requirement: Minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to 3rd parties.

How Do We Comply? We vet insurance applications/forms in order to be able to submit applications on customers in good order. We follow CLHIA protocol for screening and reporting Advisors, which was designed to minimize the possibility of erroneous or defamatory information regarding an Advisor being collected and disseminated.

Principle 7 - Safeguards
Requirements:
- Protect PI against loss or theft.
- Safeguard PI from unauthorized access, disclosure, copying, use or modification.
- Protect PI regardless of the format in which it is held.

How Do We Comply? How we safeguard PI is very likely the most critical element of our privacy efforts. PI about Advisors, employees and customers is maintained in paper and electronic format in our offices. We have the following physical, operational and technological controls in place to safeguard this information.

Physical Safeguards
We secure our premises with (Select all that apply and add any additional):
- Locks
- Alarms
- Fire suppression
- Access cards
- Reception areas
- Other
Paper files holding PI are kept in locked file cabinets with controlled access.

Operational Safeguards
Select all that apply and add any additional:
- A clean desk policy.
- Policies and procedures regarding information security.
- Policies and procedures regarding access to PI in work-at-home arrangements.
- Record retention and destruction schedules. (Note that we must retain customer records according to insurers’ records retention policies.)
- Clear outsourcing agreements for our 3rd party arrangements, which require the same safeguards as those we employ.
- We prohibit the removal of PI from our offices.
- We train staff on information security and the need to safeguard PI.
- We provide access to PI on a need-to-know basis, generally based on the roles staff perform within the MGA.
- We regularly back up our electronic records and provide for their secure storage.

Technological Safeguards
Select all that apply and add any additional:
- Our systems run anti-virus/anti-malware scanning.
- We encrypt all sensitive information that we transmit electronically.
- We have rules for the use of faxes, and our fax equipment is housed in a protected location away from public view.
- We require passwords on our systems.

Principle 9 – Individual Access
Requirements:
- When requested, inform individuals whether we have any PI about them and provide access.
- Explain how it is or has been used, and provide a list of any organizations to which it has been disclosed.
- Correct or amend any PI if its accuracy and completeness is challenged and found to be deficient.
- Provide a copy of the PI requested, or the reasons for not providing access, subject to the exceptions set out in Section 9 of the Act.
- Note any disagreement on the file and advise 3rd parties where appropriate.

How Do We Comply? Procedures for Customer Access Requests
Any customer PI we hold is held on behalf of the insurer and/or Advisor. These requests will be rare.
1. Ask the requestor to name the insurer(s) involved. Do not volunteer this information, as it is itself PI and we do not have an authentication process to determine who is making the request.
2. Notify the PC Officer of the request.
3. The PC Officer should notify the Advisor and/or insurer(s)’ contact person directly and ask for written instructions on handling any PI in our possession, including whether the information needs to be provided in a certain format, the deadlines for providing the information, etc.
4. Ensure that the Advisor understands the process to be followed and that customer PI held for the insurer is not released directly to the Advisor.

How Do We Comply? Advisor or Employee Access Requests: Notify the PC Officer, who will handle all such requests or delegate as needed. Requires special handling and care because of heightened sensitivity and need for confidentiality.

Principle 10 – Provide Recourse
Requirements:
- Develop simple and easily accessible complaint procedures.
- Inform complainants of their avenues of recourse. These include our MGA’s own complaint procedures, those of insurers and industry associations, regulatory bodies and the Office of the Privacy Commissioner of Canada.
- Investigate all complaints received.
- Take appropriate measures to correct information handling practices and policies.

How Do We Comply? If we receive a privacy-related complaint directly from a customer, or through an Advisor on a customer’s behalf:
1. Acknowledge receipt of the complaint immediately and indicate that the individual will have to contact the insurer(s) involved directly.
2. Ask the requestor to name the insurer(s), but do not volunteer this information as it is PI.
3. Provide the contact information for the insurer(s) named.
4. Do not engage in discussions about the complaint. You don’t want to inadvertently help individuals to “crystallize” their complaints.
5. Notify the PC Officer, who should notify the insurer(s) involved and ask for written instructions if our assistance is required in providing PI or resolving the complaint.
6. The PC Officer will ask the insurer to keep us apprised, so that we can record the decision, make any necessary changes to our policies and procedures, and close the complaint off in our complaint log.

How Do We Comply? Advisor or employee inquiries or complaints: Notify the PC Officer, who will handle all such inquiries or complaints or delegate as needed. These require special handling.

Privacy Breaches
If you become aware that any PI has been lost, stolen, inadvertently destroyed, or disclosed improperly, notify your PC Officer immediately. This is very serious and requires immediate action.
Privacy Breach Notifications:
- Alberta, Ontario, Newfoundland and Labrador and New Brunswick impose breach notification requirements for health-related information.
- Alberta also requires privacy-breach notification for non-health information.
- Under PIPEDA, notification is voluntary at this time. (Note: since November 1, 2018, PIPEDA requires organizations to report to the OPCC any breach of security safeguards that poses a real risk of significant harm, to notify the affected individuals, and to keep records of all breaches.)

Process for Breaches
1. The PC Officer may ask you to gather information about the incident.
2. We need to contain the breach immediately and prevent any further loss of PI.
3. The PC Officer will assess the breach.
4. Insurers will be notified of any customer PI breaches, as they will have to follow their own process.
See our Compliance Program for details.

Regulatory Audits
The OPCC can audit us if it has “reasonable grounds” to believe we are contravening PIPEDA. The PC Officer:
- will direct our response to the audit;
- will be the lead contact with the OPCC;
- may ask you to assist in compiling information;
- will prepare you if the OPCC needs to interview you.

Questions or Concerns? Contact your PC Officer Name Phone email