Privacy Information for Advisors. Agenda PIPEDA Advisor Required Privacy Program Our MGA Privacy Program Recommendations for Advisors.

Presentation transcript:

Privacy Information for Advisors

Agenda
PIPEDA
Advisor Required Privacy Program
Our MGA Privacy Program
Recommendations for Advisors

What Privacy Laws Apply to Us?
The Personal Information Protection and Electronic Documents Act (“PIPEDA”), a federal act, governs the collection of customer information and Advisor information.
Alberta, BC and Quebec have their own “substantially similar” legislation. (Ontario, New Brunswick and Newfoundland and Labrador have substantially similar laws for health information.)

Why is This Important?
The confidence and trust that insurers and customers place in you to protect their privacy and the confidentiality of customers’ personal information is critical to your ongoing success.

PIPEDA Summary
You must obtain an individual’s consent to collect, use or disclose his/her personal information (“PI”).
The person has a right to access it and to challenge its accuracy.
PI can only be used for the reasons you collected it. You must get consent for any new use.
You must assure individuals that you will protect their PI with specific safeguards like locked cabinets, computer passwords and encryption.

Non-Compliance
Individuals can complain to the Office of the Privacy Commissioner of Canada (“OPCC”) about alleged breaches. The OPCC can also initiate a complaint.
A person can ask the courts to order you to change your practices or award damages.
The OPCC can audit you.

Offences
It is an offence to:
– Destroy PI that an individual has requested.
– Retaliate against an employee who complains or refuses to contravene Sections 5 to 10.
– Obstruct a complaint investigation or audit by the OPCC.

PIPEDA’s 10 Principles
1. Accountability
2. Identify Purposes for Collection
3. Consent
4. Limit Collection of Information
5. Limit Use, Disclosure and Retention of PI
6. Accuracy
7. Safeguards
8. Openness
9. Access
10. Recourse

What is the Advisor Required to Do?
1. Adhere to the 10 PIPEDA Principles;
2. Establish and maintain a Compliance Program that includes:
– Appointing a Compliance Officer
– Written Privacy Policies and Procedures that cover, at a minimum: Receiving and Processing Access Requests; Receiving and Responding to Inquiries/Complaints; Safeguarding Information
– Assessing the Program Regularly
– Training Staff
– Privacy Breach Procedures

What Else?
Make sure that you develop a consent form that covers the work you do for the customer. Not all information goes to the insurer. Anything you retain and use requires explicit consent. Make sure that the MGA is covered by this consent!

Our MGA’s Privacy Program
Our Privacy Policy covers how we handle your PI and your customers’ PI. It is posted on our website and included in contracting packages. Our Compliance Program covers the same elements that you will have to cover in your program.

Appointed Compliance Officer
Place Name and Contact Information for MGA Compliance Officer here
We can make a Compliance Officer job description and appointment template available to you from CAILBA.

MGA Role in Collecting PI
We collect customer PI from Advisors on behalf of insurers and generally under the consents they obtain. We don’t have our own consents for customer PI. Sometimes we collect information on behalf of the Advisor. Make sure your consent covers our MGA.
We collect Advisor PI directly through the CLHIA screening form, which provides express consent, and any follow-up screening.

Why We Collect and Use Your PI
We are required to screen you for suitability initially and on an ongoing basis.
We need information for licensing and contracting.
We need information in order to pay you.

Requirements for Access Requests
When requested, inform individuals if we have any PI about them and provide access.
Explain how it is/has been used and provide a list of any organizations to which it has been disclosed.
Correct/amend any PI if its accuracy and completeness is challenged and found to be deficient.
Provide a copy of the PI requested, or reasons for not providing access, subject to exceptions set out in Section 9 of the Act.
Note any disagreement on the file and advise third parties where appropriate.

Our Procedures for Customer Access Requests
1. Ask the requestor to name the insurer(s) involved. Do not volunteer this information, as it is itself PI. We do not have an authentication process to determine who is making the request.
2. Notify the PC Officer of the request.
3. The PC Officer should notify the Advisor and/or insurer(s)’ contact person directly and ask for written instructions on handling any PI in our possession, including whether the information needs to be provided in a certain format, the deadlines for providing the information, etc.

Requirements for Responding to Complaints and Inquiries
Develop simple and easily accessible complaint procedures.
Inform complainants of their avenues of recourse. These include our MGA's own complaint procedures, those of insurers and industry associations, regulatory bodies and the Office of the Privacy Commissioner of Canada.
Investigate all complaints received.
Take appropriate measures to correct information handling practices and policies.

Procedures for Handling Customer Complaints and Inquiries
Ask the requestor to name the insurer(s), but do not volunteer this information as it is PI.
Notify the PC Officer, who should notify the Advisor and/or insurer(s) involved and ask for written instructions if our assistance is required in providing PI or resolving the complaint.
The PC Officer will ask the parties to keep us apprised so that we can record the decision, make any necessary changes to our policies and procedures, and close the complaint off in our complaint log.

Procedure for Advisor Access Requests and Complaints
The Privacy Compliance Officer handles all of these, as they require special handling because of the sensitivity of the information.

Privacy Breach Process
If you become aware that any PI has been lost, stolen, inadvertently destroyed, or disclosed improperly, notify our PC Officer immediately. This is very serious and requires immediate action.
Privacy Breach Notifications: Alberta, Ontario, Newfoundland and Labrador and New Brunswick have breach notification requirements for health-related information. Alberta also requires privacy-breach notification for non-health information. Under PIPEDA, notification is voluntary at this time.
You are also required to have your own Privacy Breach policy. We can make ours available to you as a template.

Privacy Breaches
The PC Officer may ask you to gather information about the incident.
We need to contain the breach immediately and prevent any more PI loss.
The PC Officer will assess the breach.
Insurers will be notified of any customer PI breaches, as they will have to follow their own process.

Self-Assessment of Our Privacy Program
At least every two years.
Requires gathering evidence of how we comply, including sampling files and testing our systems.
You are also required to self-assess your privacy program. We can make our material available as a template for you.

Training
At least annually for existing staff. At hiring for new staff.
See CLIFE product offerings and be on the lookout for training sessions.
We may make additional training available from time to time, including our staff training module, which you can use with any staff.

Regulatory Audits
The OPCC can audit if it has “reasonable grounds” to believe you are contravening PIPEDA.
Our PC Officer will:
– direct our response to the audit;
– be the lead contact with the OPCC, and may ask you to assist in compiling information;
– prepare you if the OPCC needs to interview you.

Recommendations to Advisors
Take this seriously. As an independent, you have your own regulatory obligations and risks that you have to manage.

Recommendations to Advisors
1. Draft your own Privacy Policy for your customers.
2. Create an inventory of all the PI you collect, why you collect it, where you keep it, and how you protect it.
3. Develop your own consent form for the advice and service part of your role. Don’t rely on insurer consents alone. Make sure that you cover off sharing information with the MGA.
4. Use formal documents such as needs analyses, which guide you in asking required, consistent questions and are more likely to result in accuracy.
5. Advocis and other associations have Privacy programs to share. Join a professional association and take advantage of the compliance support they offer.

Safeguards - Recommendations
Use encryption for sensitive information.
Password protect your computer and all devices.
Keep customer PI locked up and away from public view.
Ensure that your premises are secure.
Have strict fax policies and keep your fax equipment out of public areas.
Destroy material no longer needed. Use a shredder.
Train your staff.

Questions or Concerns?
Contact our Privacy Compliance Officer
Name
Contact Information