PROTECTION OF PERSONAL INFORMATION

Similar documents
Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

3. Consent for the Collection, Use or Disclosure of Personal Information

The Manitoba Child Care Association PRIVACY POLICY

THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK

Personal Information Protection and Electronic Documents Act (PIPEDA)

Taking care of what s important to you

We ask that you contact our Privacy Officer in the event you have any questions or concerns regarding this Code or its implementation.

Protecting your privacy

SUBJECT: VOYAGEUR TRANSPORTATION CORPORATE POLICIES/PROCEDURES TITLE: PRIVACY OF PERSONAL HEALTH INFORMATION

We will not collect, use or disclose your personal information without your consent, except where required or permitted by law.

Personal Information Protection and Electronic Documents Act

Corporate Policy. Data Protection for Data of Customers & Partners.

M&T BANK CANADIAN PRIVACY POLICY

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN better health cover shouldn t hurt

HOME TRUST COMPANY PRIVACY NOTICE/PRIVACY CODE for Creditworx/Home Owner Merchant Express

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

CODE GOVERNANCE COMMITTEE CHARTER. 1 Functions and responsibilities of the Code Governance Committee

How To Ensure Health Information Is Protected

Model Business Associate Agreement

Taking care of what s important to you

Personal Information Protection Act. Information Sheet 5: 1. Personal Employee Information

Privacy Policy. Federal Insurance Company, Singapore Branch Singapore Personal Data Protection Privacy Policy. 1. Introduction

National Association of Pharmacy Regulatory Authority s Privacy Policy for Pharmacists' Gateway Canada

AlixPartners, LLP. General Data Protection Statement

Align Technology. Data Protection Binding Corporate Rules Controller Policy Align Technology, Inc. All rights reserved.

ChangeIt Privacy Policy - Canada

HIPAA BUSINESS ASSOCIATE AGREEMENT

INDIVIDUALS WITH DISABILITIES EDUCATION ACT NOTICE OF PROCEDURAL SAFEGUARDS

Credit Reporting Privacy Policy of Baybrick Pty Ltd

Detailed Notice of Privacy Practices Effective Date: September 20, 2013

Client complaint management policy

SAMPLE RETURN POLICY

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules

HIPAA BUSINESS ASSOCIATE AGREEMENT

EHR Contributor Agreement

HIPAA BUSINESS ASSOCIATE AGREEMENT

PUBLIC INTEREST DISCLOSURE (WHISTLEBLOWER PROTECTION) ACT

PERSONAL INFORMATION PROTECTION ACT

Please print the attached document, sign and return to or contact Erica Van Treese, Account Manager, Provider Relations &

Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

Your Family s Special Education Rights

ALL NATION FINANCE PTY LTD ATF THE ALL NATION UNIT TRUST TRADING AS ALL NATION FINANCE

COUPONS.COM INCORPORATED CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT

GSK Public policy positions

PERSONAL HEALTH INFORMATION PROTECTION ACT, 2004: AN OVERVIEW FOR HEALTH INFORMATION CUSTODIANS

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Daltrak Building Services Pty Ltd ABN: Privacy Policy Manual

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

AMWELL SERVICE PROVIDER SUBSCRIPTION AGREEMENT

Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates. Reference Manual

AIRBUS GROUP BINDING CORPORATE RULES

THE FCA INSPECTOR GENERAL: A COMMITMENT TO PUBLIC SERVICE

At Cambrian, Your Privacy is Our Priority. Regardless of how you deal with us on the phone, online, or in person we have strict security measures

Data Protection and Data security Policy

Kingsway Financial Services Inc. Privacy Policy

BUSINESS ASSOCIATE AGREEMENT

Special Education Procedural Safeguards

HIPAA Employee Training Guide. Revision Date: April 11, 2015

Binding Corporate Rules Privacy (BCRP) personal Telekom Group rights in the handling of personal data within the Deutsche Telekom Group

SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014

Personal Information Protection Act (PIPA) Privacy & Landlord - Tenant Matters Frequently Asked Questions

Our standard terms and conditions for Your Advanced Personal Loan.

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No A-94B, AFL-CIO. Notice of Privacy Practices

The United States Federal Trade Commission ("FTC") and the Office of the Data Protection Commissioner of Ireland (collectively, "the Participants"),

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Business Associate and Data Use Agreement

Data Protection Policy.

INTERNATIONAL SOS. Data Protection Policy. Version 1.05

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

HIPAA BUSINESS ASSOCIATE AGREEMENT

INSURANCE BROKERS ASSOCIATION OF CANADA

Part B PROCEDURAL SAFEGUARDS NOTICE

PRIVATE HEALTH INSURANCE INTERMEDIARIES PRACTICE CODES JUNE 2015 VERSION 2

Part B PROCEDURAL SAFEGUARDS NOTICE

RPM INTERNATIONAL INC. AND ITS SUBSIDIARIES AND OPERATING COMPANIES SAFE HARBOR PRIVACY NOTICE. EFFECTIVE AS OF: August 12, 2015

Privacy Statement. What Personal Information We Collect. Australia

Transcription:

PROTECTION OF PERSONAL INFORMATION

Definitions Privacy Officer - The person within the Goderich Community Credit Union Limited (GCCU) who is responsible for ensuring compliance with privacy obligations, including this policy, with respect to the collection, use, disclosure and handling of personal information by GCCU, its employees, contractors, officers and authorized agents and representatives. Collection - The act of gathering, acquiring, recording or obtaining personal information from any source, by any means. Consent - Voluntary agreement to the collection, use and disclosure of personal information for the defined purpose. Consent can be expresses or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing but is always unequivocal and does not require any inference on the part of GCCU. Implied consent can be reasonably inferred from an individual s action or inaction. Disclosure - The act of making personal information available to others outside GCCU, including related organizations. Personal Information - Information about an identifiable individual that is recorded in any form, not including the individual s name, business title, business address or business phone number. Personal information does not include aggregate information that cannot be associated with a specific individual. Retention - Refers to the act of keeping personal information as long as necessary to fulfill the stated purposes, or as long as otherwise specified by law. Third Party - Any individual or organization aside from GCCU, its representatives and its members. Use - Refer to the treatment, handling and management of personal information by GCCU. 2

Code For The : Goderich Community Credit Union Ltd. (the credit union) has adopted the Credit Union Code for the (the Code) effective October, 2003. The requirements of the Code establish the credit union s operational use of personal information as well as use of employee information. The following ten privacy principles are derived from the Code specified in the Personal Information Protection and Electronic Documents Act, and form the basis of the Code: 1. Accountability The credit union is responsible for personal information under its control and shall designate a Privacy Officer who is accountable for the credit union s compliance with the principles of the Code. 2. Identifying Purposes The purpose for which personal information is collected shall be identified by the credit union at or before the time the information is collected. 3. Consent The knowledge and consent of the member are required for the collection, use and disclosure of personal information, except in specific circumstances as described within this Code. 4. Limited Collection The collection of personal information shall be limited to that which is necessary for the purposes identified by the credit union. Information shall be collected by fair and lawful means. 5. Limiting Use, Disclosure and Retention Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the member or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes. 6. Accuracy Personal information shall be as accurate, complete, and up-todate as is necessary for the purpose for which it is to be used. 7. Safeguards Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The credit union will apply the same standard of care as it applies to safeguard its own confidential information of a similar nature. 8. Openness The credit union shall make readily available to members specific, understandable information about its policies and practices relating to the management of personal information. 9. Individual Access Upon request, a member shall be informed of the existence, use, and disclosure of their personal information, and shall be given access to that information. A member is entitled to question the accuracy and completeness of the information and have it amended as appropriate. 10. Challenging Compliance A member shall be able to question compliance with the above principles to the Privacy Officer accountable for the credit union s compliance. The credit union shall have policies and procedures to respond to the member s questions and concerns. 3

Board of Directors Resolution for The Whereas, Canada is part of a global economy based on the creation, processing and exchange of information which provides a number of benefits that improve the quality of our lives, but also gives rise to concerns about the protection of privacy rights and the individual s right to control the use and exchange of personal information; and Whereas, the credit union is a member-owned and controlled financial institution and, as such, has an inherent responsibility to be open and accessible while at the same time, demonstrating the greatest respect for protection of the member s privacy; Therefore be it resolved, the Credit Union Code for the Protection of Personal Information is adopted by the Board of Directors of Goderich Community Credit Union Limited. Dated at Goderich this day of October 2003. 4

Credit Union Policies for the : Principle 1: Accountability The credit union is responsible for personal information under its control and the Board of Directors will designate a Privacy Officer, who will have primary day-to-day responsibility for compliance with the Code. The Board of Directors will also designate a Deputy Privacy Officer to act on behalf of the Privacy Officer. This Privacy Officer appointed must be a senior manager within the credit union. The Privacy Officer appointed should not be the designated Compliance Officer under the federal regulations for the Proceeds of Crime (Money Laundering) Act. Preferably the Privacy Officer appointed should not have a potential conflict of interest over aspects of personal information protection such as marketing, sales, human resources or responsibility of technical safeguards. The Privacy Officer will take steps to ensure that: sound policies and procedures are in place and reviewed annually; staff is trained on their privacy responsibilities; and third parties adequately safeguard any personal information shared with them. The Privacy Officer will prepare a Quarterly Report for the Board or a delegated subcommittee of the board that identifies matters concerning non-compliance with the credit union s Code principles, policies or procedures that are likely to require input from the Board. Furthermore, the Privacy Officer will prepare an Annual Review of the effectiveness of the Board policies to ensure compliance with the Code and to recommend any revisions as deemed appropriate. Privacy Officer Shannon Bosch Deputy Privacy Officer Amanda Johnston Principle 2: Identifying Purposes The purpose for which personal information is collected shall be identified by the credit union at or before the time the information is collected. The primary purpose for collecting personal information is to deliver appropriate products and services to members. The Privacy Officer will document all purposes for which personal information is collected, used or disclosed including existing and new purposes. The Privacy Officer prior to the collection of the information must approve all new purposes. The credit union will make reasonable efforts to ensure that members are aware of the purpose, for which their personal information is collected, including any disclosure of their personal information to Third Parties. 5

The credit union will ensure that all employees are aware of the purpose, for which employee information is collected, including any disclosure of their personal information to Third Parties. This will be communicated verbally at the time of employment. Whenever the credit union receives a resume or other personal information from an individual seeking employment, this shall constitute implied consent solely to determine the qualifications of the job candidate for employment. The information shall not be used for any other purpose and shall not be disclosed to any other organization. Resumes or similar information received by the credit union shall be retained a maximum period of twelve months from the date of reception. To detect and prevent fraud, and to help safeguard the financial interests of the credit union and its members, the credit union can collect, use or disclose personal information to combat fraud, collect debts, or otherwise protect the financial interests of the credit union without the knowledge or consent of the individual. Principle 3: Consent The knowledge and consent of the member are required for the collection, use and disclosure of personal information unless a legal exception to consent exists. Due to the highly sensitive nature of personal information, expressed consent in writing, primarily through the use of applications, signed forms and contracts, will be used for obtaining consent from the collection, use or disclosure of such personal information. The credit union will not require a member to consent to the information, use, or disclosure of information beyond that required to fulfill explicitly specified and legitimate purposes. Where additional information that is non-essential to the product or service is sought from members, this shall be collected only as optional information, at the discretion of the member. Refusal to provide this optional information will not influence the member s consideration for a product or service. Implied consent will be used for marketing purposes. The credit union will obtain a written request (signed and dated) from a member who seeks to withdraw consent. The written request must acknowledge that the member has been advised that the credit union may subsequently not be able to provide the member with a related product, service or information that could be of value to the member. Principle 4: Limiting Collection of Personal Information The credit union limits the collection of personal information to that which is necessary for the indentified purposes. Personal information is collected directly from the member or from other sources where permitted by law including but not limited to employers, personal references or credit agencies. 6

Principle 5: Limiting Use, Disclosure and Retention Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the member or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes. The credit union shall protect the interests of its members by taking reasonable steps to ensure that: a) Orders or demands comply with the laws under which they are issued b) Only the personal information that is legally required is disclosed and nothing more c) Casual requests for personal information are denied; and d) Personal information disclosed to third parties is strictly limited to the limited purpose for which it was collected. The Privacy Officer will ensure that guidelines and procedures with respect to the retention of personal information are maintained within the credit union. Personal information no longer necessary or relevant for the identified purposes, or no longer required to be retained by law, is securely destroyed, erased or made anonymous. The credit union maintains reasonable and systematic controls, schedules and practices for such information. Principle 6: Accuracy Personal information shall be as accurate, complete, and up-to-date as is necessary for the purpose for which it is to be used. The credit union relies upon its members to ensure accuracy of the personal information provided to the credit union. Principle 7: Safeguards Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The credit union will apply the same standard of care as it applies to safeguard its own confidential information of a similar nature. The credit union security safeguards will protect personal information against loss or theft, as well as unauthorized access, use, copying, modification, disclosure or destruction. With the use of appropriate physical, organizational and technical security the credit union will protect personal information regardless of the format in which it is held. Safeguards are set out in employee procedures and other relevant internal documents. 7

The Privacy Officer will periodically remind employees, officers and directors of the importance of maintaining the security and confidentiality of personal information. Employees, officers and directors are individually required to sign an Oath of Ethical Conduct annually, including a commitment to keep member s personal information secure and strictly confidential. Third Party Agents or Suppliers will be required to safeguard personal information disclosed to them in a manner consistent with the policies of the credit union. Principle 8: Openness The credit union shall make readily available to members specific, understandable information about its policies and practices relating to the management of personal information. Openness can be accomplished through the use of brochures, information sheets, online information, and must include the following information: a) The name or title and the address of the Privacy Officer who is accountable for the compliance with the credit union s policies and procedures and to whom complaints or inquiries can be directed; b) The means of gaining access to personal information held by the credit union c) A description of the type of personal information held at the credit union, including a general account of its use; d) A copy of any brochures or other information that explains the credit union polices and information handling practices; and e) The types of personal information made available to related organizations such as subsidiaries or other suppliers of services. Principle 9: Individual Access Upon request, a member shall be informed of the existence, use, and disclosure of their personal information, and shall be given access to that information. A member is entitled to challenge the accuracy and completeness of the information and have it amended as appropriate. All access requests must be submitted in writing and include adequate proof of the individual s identity or right to access, and sufficient information to allow the credit union to locate the requested information. The credit union shall respond to a member s request within 30 days; this timeframe can be expanded upon written notice to the member. At the Privacy Officer s discretion, the credit union may impose a fee at a stated hourly rate where collection of the requested information requires exceptional time and 8

effort. The member must be informed of an estimate of costs prior to commencement of the request. The credit union shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual s file. Where appropriate, the credit union shall transmit to third parties having access to the information in question, any amended information or information regarding the existence of any unresolved differences. In certain situations, the credit union may not be able to provide access to all the personal information it holds about a member. Exceptions to the access requirement will be limited and specific and include the following: a) Providing access would reveal personal information about a Third Party; b) The personal information to which the member has requested access has been requested by a government institution for the purposes of enforcing any laws, carrying out an investigation related to the enforcement of any law, the administration of any law, the protection of national security and the defense of Canada or the conduct of international affairs c) The information is protected by solicitor-client d) Providing access might threaten the life or security of another individual e) The information was collected without the knowledge or consent for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province; or f) The information was generated in the course of a formal disputed resolution process. Principle 10: Challenging Compliance A member shall be able to question compliance with the above principles to the Privacy Officer accountable for the credit union s compliance. The credit union shall have policies and procedures to respond to the member s questions and concerns. The Privacy Officer will create and maintain documented procedures to respond to credit union member or employee s questions or concerns. These procedures must be readily accessible to credit union members and employees, and must be simple to use. Inquiries and complaints must be in writing, with a formal process in place to receive and track them and the credit union must respond as quickly as possible within 30 days. Upon a written request or complaint the Privacy Officer will contact the appropriate business area for investigation and respond to the request. All complaints must include the name and contact information of the person making the grievance. It must also 9

clearly state the nature of the complaint and the details relevant to the matter. It should also include to whom the issue has already been discussed. The Privacy Officer is responsible for ensuring appropriate measures are taken when a complaint is found to be justified, these measures will include: a) Written response to the complainant within the specified time frame of 30 days; b) Revision of the challenged personal information; c) If required, revision to policies and procedures; d) Review of any complaint that requires disciplinary action against a credit union employee with the appropriate Manager(s); e) Reporting of the non-compliance to the Board of Directors, including the actions proposed or taken to resolve the issue, as specified in Accountability. See attached the following member/compliance forms: 1. Decline to Share Personal Information for the Purpose of Marketing 2. Opt In Personal Information for the Purpose of Marketing 3. Use of Social Insurance Numbers 4. Agreement to Safeguard Personal Information 5. Board of Directors Quarterly Report 6. Non Compliance with the Policy Report 7. PIPEDA & Privacy Act Compliant Form 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information