Personal Information Protection Policy
INTRODUCTION
The Wawanesa Life Insurance Company (“Company”) is committed to protecting the personal information of its Customers. The Company has developed this Personal Information Protection Policy (the “Policy”) to provide information regarding the Company's approach to the management and control of personal information collected in the course of its business.
This Policy, in compliance with all applicable privacy legislation, including without limitation the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), British Columbia's Personal Information Protection Act, Alberta's Personal Information Protection Act, and Quebec's An Act respecting the protection of personal information in the private sector (collectively, the “Privacy Laws”), addresses two broad issues:
- the way in which Wawanesa collects, uses, discloses and protects personal information; and
- the right of Customers to have access to personal information about themselves and, if necessary, to have the information corrected.
The Company strives to balance its Customers' right of privacy concerning their personal information with its own need to collect, use or disclose personal information in the course of its business.
The ten interrelated principles set out in PIPEDA (the “Privacy Principles”) form the basis of this Policy. Each principle is accompanied by a commentary that elaborates on the principle. To the extent that this Policy
- conflicts with the Privacy Laws or other applicable legislation, the provisions of such legislation shall prevail; or
- omits any rights or obligations of either the Company or its Customers under the Privacy Laws or other applicable legislation, such provisions are deemed to be incorporated into this Policy.
DEFINITIONS
The following definitions apply in this Policy:
“Collection” means the act of gathering, acquiring or obtaining personal information from any source, including third parties, by any means. Personal information necessary to carry on the business of the Company may be collected by the Company, its agents and brokers, or their authorized agents.
“Consent” means voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the Company. Implied consent arises where consent may reasonably be inferred from the action or inaction of the Customer. For further information, please refer to the commentary accompanying Principle Three.
“Customer” means an individual about whom the Company collects personal information in order to carry on its business and includes individuals who are insureds, former insureds, applicants, claimants, individuals involved in a claim, individuals insured as part of a group or corporate policy, and mortgagors who have made a mortgage to the Company.
“Personal information” has the meaning ascribed to it by the Privacy Laws and related regulations, and includes an individual's name, address, telephone number, date of birth, family status, marital status, occupation, medical and health records, assets, liabilities, income, credit rating, credit and payment records, banking information, previous insurance experience (including claims history) and driving record, as well as information concerning whether or not credit or insurance were previously extended or refused to the individual.
1. PRINCIPLE ONE: ACCOUNTABILITY
The Company is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the Company's compliance with the Privacy Principles.
1.1 The individual designated to oversee Company's compliance with this Policy is:
Privacy OfficerThe Wawanesa Life Insurance Company
236 Carlton St
Winnipeg, Manitoba R3C 1P5
(the “Designated Individual”).
1.2 Accountability for Company's compliance with this Policy rests with the Designated Individual, even though other individuals within the Company may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the Company may be delegated to act on behalf of the Designated Individual.
1.3 The Company is responsible for personal information in its possession or custody, including information that has been transferred to a third party service provider for processing or storage. In such circumstances, the Company will provide only the information necessary to perform such services and will use contractual or other means to provide a comparable level of protection while information is being processed or stored by the third party service provider. In the event that the third party service provider is located in a foreign jurisdiction, it is bound by the laws of that jurisdiction, which may require it to disclose personal information to the courts, law enforcement agencies, or national security authorities of the jurisdiction. Information concerning the Company's policies and practices with respect to service providers outside Canada may be obtained from the Company's website or by contacting the Designated Individual.
1.4 The Company has implemented and will maintain policies and procedures to give effect to the Privacy Principles, including the following:
- procedures to protect personal information; and
- procedures to receive and respond to complaints and inquiries.
Additionally,the Company
- has developed information to explain Company's policies and procedures; and
- trains staff and provides them with information about Company's policies and procedures.
2. PRINCIPLE TWO: IDENTIFYING PURPOSES
The purposes for which personal information is collected shall be identified by Company before or at the time the information is collected.
2.1 Company will collect personal information only for the purposes of
- establishing and maintaining communications with Customers;
- underwriting risks on a prudent basis;
- investigating and paying claims;
- detecting and preventing fraud;
- offering and providing products and services to meet Customer needs;
- compiling statistics;
- complying with the law;
- receiving payments on account of insurance premiums, investment contributions, policy loan repayments and mortgage payments;
- depositing funds into Customer's accounts;
- approving and administering mortgages; and
- undertaking a business or activity permitted by applicable federal, provincial or territorial legislation.
The Company takes a global approach to these purposes. In other words, the Company is not collecting personal information just for any one of the purposes (e.g. underwriting a policy). Instead, the Company is collecting the personal information for all of the purposes so that, in effect, a Customer can expect that although the Company may initially use the data for underwriting a policy, it may later use it for claims purposes, and vice versa.
2.2 The Company understands that, in collecting information for the purposes referred to in principle 2.1, the Company or its designates may collect only that information which is necessary for such identified purposes.
2.3 The identified purposes will be communicated to Customers orally or in writing (e.g. on an application form, or through pamphlets or other suitable media).
2.4 When personal information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified before use. Unless the new purpose is required by law, the consent of the Customer will be obtained before the information is used for that purpose.
2.5 Individuals collecting personal information on behalf of the Company are able to explain to Customers the purposes for which the information is being collected.
3. PRINCIPLE THREE: CONSENT
The knowledge and consent of the Customer are required for the collection, use, or disclosure of personal information, except where inappropriate.
3.1 The Customer's “knowledge and consent” are required for the collection, use, or disclosure of personal information. Accordingly, the Company will make a reasonable effort to ensure that the Customer is advised of the purposes for which the information will be used. The purposes will be stated in a manner that can be reasonably understood by the Customer.
3.2 Consent is required for the collection of personal information and the subsequent use or disclosure of this information. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when the Company wants to use information for a purpose not previously identified).
3.3 The Company will not, as a condition of the supply of a product or service, require a Customer to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes. The Company may refuse to deal with a Customer who will not consent to the collection, use and disclosure of the information for the explicitly specified and legitimate purposes. For example, life insurers provide insurance at specified rates and on certain terms and conditions based on, among other things, analysis of an individual's personal information, including date of birth, health and existing insurance. If this information is not obtained, the life insurer cannot determine the basis for insurance coverage and, therefore, cannot provide insurance to the Customer. Consent will not be obtained through deception.
3.4 A Customer can reasonably expect that the Company will use personal information in determining the Customer's insurability and in assessing the Customer's claim.
3.5 Where the Company seeks express consent, it can be given in many ways. For example,
- an application form may be used to seek consent, collect information and inform the Customer of the use that will be made of the information. By completing and signing the form, the Customer is giving consent to the collection and the specified uses;
- a checkbox on a form may be used to allow Customers to request that their names and addresses not be given to other organizations for marketing purposes. Customers who do not place a mark in the checkbox are assumed to consent to the transfer of this information to third parties;
- consent may be given orally when information is collected over the telephone;
- consent may be given by agreement; and
- consent may be given by action on the part of the Customer (for instance, by using, acquiring or accepting a product or service).
3.6 Consent can be given by an authorized representative (such as a person having a power of attorney, or a legal guardian). Consent can also be given by an individual on behalf of another individual. For example, where individuals apply for life or health insurance for themselves as well as for their family members, such applicants are giving consent for the collection, use and disclosure of personal information both for themselves and for their family members, even though their family members are not present during the application process. A similar situation arises where an employer, on behalf of its employees, applies for a group life and health insurance policy which provides insurance benefits to the employees. The employer is giving consent for the collection, use and disclosure of personal information for the employees even though the employees are not present during the application process.
3.7 The life insurance business has certain unique features which make express consent impossible to obtain in some circumstances. For instance,
- group insurance policies may be administered by parties other than the Company (e.g. the employer or a third party administrator may provide plan administration, including the collection of all personal information necessary to administer the plan. In this situation, the Company does not have a direct relationship with its Customers and therefore is not able to obtain their express consent); and
- Customers may voluntarily provide personal information to the Company to update information previously provided. If express consent for the use of this information is not provided, consent will be implied if express consent was provided at the time of provision of the original information.
Given these constraints, it is reasonable for the Company to infer that by dealing with it on insurance related matters, Customers have given implied consent for the collection, use or disclosure of personal information necessary for the identified purposes (see principle 2.1).
3.8 In limited circumstances, personal information can be collected, used or disclosed without the knowledge and consent of the Customer. For example, legal, medical or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the Customer might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the Customer is a minor, seriously ill, or mentally incapacitated. In addition, where there is no direct relationship with the Customer, the Company may not always be able to seek consent.
3.9 In certain situations, the express written consent of the Customer will be obtained for the collection, use or disclosure of personal information (e.g. medical or hospital records, employment records or income tax returns).
3.10 Consent is valid for the length of time needed to achieve the identified purposes. The Customer may withdraw consent on reasonable notice, subject to legal or contractual restrictions and the requirement that the Company maintain the integrity of the statistics and data necessary to carry on its business.
3.11 Any restriction or withdrawal of the Customer's consent may result in the Company being unable to provide the Customer with the product or service being applied for, or having to terminate the policy.
4. PRINCIPLE FOUR: LIMITING COLLECTION
The collection of personal information shall be limited to that which is necessary for the purposes identified by the Company. Information shall be collected by fair and lawful means.
4.1 The Company will not collect personal information indiscriminately. Both the amount and the type of information collected will be limited to that which is necessary to fulfill the purposes identified. The Company obtains personal information primarily from insurance customers, but also from others, including other life insurers, brokers, employers and underwriting or claims information networks.
4.2 The Company will not obtain consent with respect to collection through deception. The Company will not mislead or deceive individuals about the purposes for which information is being collected.
5. PRINCIPLE FIVE: LIMITING USE, DISCLOSURE AND RETENTION
Personal information shall not be used or disclosed for purposes other than those for which the information was collected, except with the consent of the Customer or as required by law. Personal information shall be retained for only as long as necessary for the fulfillment of those purposes.
5.1 There are situations specific to the life insurance business where the Company may provide personal information to others, as dictated by prudent insurance practices. Examples of such situations include the following:
- Risk-Sharing. As part of the underwriting and claims handling process, the Company may transfer personal information to other insurance companies, including reinsurance companies which share in the risk. This would include situations where the Customer has made a fraudulent application for, or renewal of, a policy of insurance.
- Information Services. The Company may transfer personal information to providers of information processing and storage, programming, printing, mailing and distribution services in the course of its business.
- Insurance Services. The Company may provide personal information to businesses that provide goods and services to insurance companies, such as paramedical, inspection and investigative firms; medical, psychiatric and dental consultants; MIB Inc.; rehabilitation specialists; lawyers; claims examiners; and motor vehicle driving records.
- Insurance Intermediaries. The Company may provide personal information to its insurance intermediaries, such as brokers and agents, to provide service to Customers.
In these situations, the third parties will be provided with only the information appropriate to the circumstances.
5.2 If the Company uses personal information for a new purpose, it will document this purpose.
5.3 The Company has implemented and will maintain policies and procedures with respect to the retention of personal information, including minimum and maximum retention periods. Personal information that has been used to make a decision about a Customer will be retained for a sufficient period to permit the Customer access to the information after the decision has been made. Life insurers may be subject to legislative requirements with respect to retention periods.
5.4 Personal information that is no longer required to fulfill the identified purposes will be destroyed, erased or made anonymous. The Company has implemented and will maintain guidelines and procedures to govern the destruction of personal information.
6. PRINCIPLE SIX: ACCURACY
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
6.1 The extent to which personal information will be accurate, complete and up-to-date will depend upon the use of the information, taking into account the interests of the Customer. Information will be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the Customer.
6.2 The Company will not routinely update personal information unless it is necessary to fulfill the purposes for which it was collected.
6.3 Personal information that is used on an ongoing basis, including information that is disclosed to third parties, will be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
7. PRINCIPLE SEVEN: SAFEGUARDS
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
7.1 Company's security safeguards protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The Company protects personal information regardless of the format in which it is held.
7.2 The nature of the safeguards varies depending on the sensitivity of the information that has been collected, the amount, distribution and format of the information and the method of storage. More sensitive information is safeguarded by a higher level of protection.
7.3 The methods of protection include the following:
- physical measures, such as locked filing cabinets and restricted access to offices;
- organizational measures, such as security clearances and limiting access on a "need to know" basis; and
- technological measures, such as the use of passwords and encryption.
7.4 The Company makes its employees aware of the importance of maintaining the confidentiality of personal information.
7.5 Care is used in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.
8. PRINCIPLE EIGHT: OPENNESS
The Company shall make readily available to Customers specific information about its policies and practices relating to the management of personal information.
8.1 The Company is open about its policies and practices with respect to the management of personal information. A Customer will be able to acquire information about the Company's policies and practices without unreasonable effort. This information will be made available in a form that is generally understandable.
8.2 The information made available will include the following:
- the contact information of an individual to whom complaints or inquiries, including inquiries concerning
- Company's collection of personal information; or
- the collection, use, disclosure or storage of personal information by service providers outside Canada on Comapny's behalf;
- the means of gaining access to personal information held by Company;
- a description of the type of personal information held by Company, including a general account of its use;
- a copy of any brochures or other information explaining Company's policies, standards or codes; and
- what personal information is made available to related organizations.
8.3 The Company may make information concerning its policies and practices available in a variety of ways. For example, the Company may choose to make brochures available at its place of business, mail information to its Customers, provide online access, or establish a toll free telephone number.
9. PRINCIPLE NINE: CUSTOMER ACCESS
Upon written request, a Customer shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. A Customer shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
9.1 Upon written request, the Company will inform a Customer whether or not it holds personal information about the Customer. The Company will allow the Customer access to this information; however, the Company may choose to make sensitive medical information available through a medical practitioner. In addition, the Company will provide an account of the use that has been made, or is being made, of this information, as well as an account of the third parties to which it has been disclosed.
9.2 The Company will respond to a Customer's request within a reasonable time and at minimal or no cost to the Customer. The requested information will be provided or made available in a form that is generally understandable
9.3 A Customer may be required to provide sufficient information to permit the Company to provide an account of the existence, use, and disclosure of personal information. The information provided will only be used for this purpose.
9.4 In providing an account of the third parties to which it has disclosed personal information about a Customer, the Company will attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about a Customer, the Company will provide a list of organizations to which it may have disclosed such information.
9.5 When a Customer successfully demonstrates the inaccuracy or incompleteness of personal information, the Company will amend the information as required. Depending upon the nature of the information challenged, amendment could involve the correction, deletion or addition of information. Where appropriate, the amended information will be transmitted to third parties having access to the information in question.
9.6 In certain situations, the Company may not be able to provide access to all of the personal information it holds about a Customer. Exceptions to the access requirement will be limited and specific. Exceptions may include prohibitive cost, personal information that contains references to other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
If the request is denied, the Customer will be given reasons for the denial as well as
- an invitation to send a letter to the Company's President & CEO requesting reconsideration of such denial;
- a commitment by the Company to promptly open a dialogue with the Customer; and
- a commitment by the Company to participate in an independent mediation process, should the parties be unable to resolve the dispute.
9.7 When a challenge is not resolved to the satisfaction of the Customer, the substance of the unresolved challenge will be recorded by the Company. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.
10. PRINCIPLE TEN: CHALLENGING COMPLIANCE
A Customer shall be able to challenge the Company's compliance with the Privacy Principles.
10.1 The Designated Individual is accountable for the Company's compliance with the Privacy Principles.
10.2 The Company has implemented and will maintain procedures for receiving and responding to complaints or enquiries about its policies and practices relating to the handling of personal information. The complaint process is available at the Company's website and at its place of business.
10.3 The Company will inform Customers who make enquiries or lodge complaints of the existence of relevant complaint mechanisms. A range of these mechanisms may exist. For example, some regulatory bodies accept complaints about the personal information handling practices of the companies they regulate.
10.4 The Company will investigate all complaints. If a complaint is found to be justified through either the internal or external complaint review process, the Company will take appropriate measures, including amending its policies and practices, if necessary.
10.5 Customers of the Company who are dissatisfied with the manner in which their complaints have been handled may contact the appropriate public official designated in relevant provincial legislation, or if none, the Privacy Commissioner of Canada.