1. Purpose of the Policy
The Personal Information & Privacy Breach Policy (the “Policy”) sets out the guidelines and procedures that A & A Insurance Brokers Ltd and its employees will follow in connection with the collection, use and disclosure of personal information.
2. What is Personal Information?
“Personal information” means information about an identifiable individual but does not include personal information about an employee.
3. Roles and Responsibilities
The protection of personal information is a collaborative effort. A & A Insurance Brokers Ltd relies on its employees to maintain the principles and procedures listed in this Policy.
The following outlines the roles and responsibilities of A & A Insurance Brokers Ltd employees and management:
• Ensure that all collection of personal information conforms to the Policy and that when necessary, proper consents for collecting, using and/or disclosing personal information are received and recorded;
• Express written or verbal consent should be obtained for sensitive personal information such as financial or medical information.
• Ensure that no unnecessary personal information is collected;
• Personal information should only be used and disclosed for the purposes for which it was collected;
• Employees must only access personal information on a need-to-know basis in the performance of their duties;
• If disclosure to a third party is necessary, A & A Insurance Brokers Ltd and its employees must contractually ensure that the third party will abide by the applicable privacy legislation and this Policy.
• Report all personal information compromises to the appropriate manager and the Privacy Office.
• Ensure that personal information is safeguarded and that the appropriate retention/destruction guidelines are followed;
• When creating relationships that may include the transfer of personal information, ensure that a sufficient review is completed, and that proper contractual provisions and safeguards are in place; and
• Establish and maintain a reporting process, which includes the reporting and managing of privacy breaches up to any required regulator notification regarding such breaches.
4. Third Party Transfers
All relationships requiring the transfer of personal information to third parties must have a contract with personal information protection provisions. These provisions shall ensure that the personal information is protected in accordance with this Policy and privacy legislation.
5. Request Regarding Personal Information
A. Individual Access Requests to Personal Information
• When an individual requests access to their personal information that A & A Insurance Brokers Ltd has collected, used or disclosed, pursuant to privacy legislation, a manager must be informed immediately.
• All requests made under privacy legislation must be received in writing.
• To assist A & A Insurance Brokers Ltd in responding to access requests, the department responsible for the collection, use and disclosure of the personal information will gather and provide to Harry Yashpal all of the documents requested by the customer. Harry Yashpal will then review the documentation provided and determine what documents will be provided to the customer.
• In order to ensure that any conflicting laws and/or restrictions are taken into account, standard letters created by Harry Yashpal will be used to respond to access requests. The standard letters will include a list of all of the documents which will not be available for access due to a statutory exemption.
• Replies to written requests for access will be delivered within 30 days of receipt of the request. Harry Yashpal will provide notice of any refusals to access or when extra time to respond is necessary.
• If A & A Insurance Brokers Ltd is unable to resolve a matter to the customer's satisfaction, the customer may bring the issue to the relevant privacy regulator.
B. Correction of Personal Information
• When personal information is found to be inaccurate, A & A Insurance Brokers Ltd will make every effort to correct this information within 15 days.
C. Withdrawal of Consent
• Customers may withdraw their consent at any time. However, if they do so, A & A Insurance Brokers Ltd may no longer be able to provide them with the products or services that they desire. If a customer wishes to withdraw consent, a front-line representative or the Privacy Office must explain to the customer the implications of withdrawing.
6. Privacy Breach Reporting
• A privacy breach is the result of the loss of, unauthorized access to, or unauthorized disclosure of personal information.
• Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation, such as the Personal Information Protection and Electronic Documents Act (“PIPEDA”), Alberta’s Personal Information Protection Act (“PIPA”), British Columbia’s Personal Information Protection Act (“PIPA”), and Quebec’s Act Respecting the Protection of Personal Information in the Private Sector.
• Some of the most common privacy breaches happen when personal information is stolen, lost or mistakenly disclosed. A privacy breach may occur within a company or off-site and may be the result of inadvertent errors or malicious actions by employees, third parties, partners in information-sharing agreements or intruders. A privacy breach may also be a consequence of a faulty business procedure or an operational control gap.
• When a privacy breach occurs, organizations must take proactive measures to deal with the situation promptly. Because of the speed with which leaked information can fall into the wrong hands, sealing and dealing with a breach must happen quickly.
• If any employee becomes aware of a privacy breach, they must immediately inform their manager or Harry Yashpal.
7. Contact Information
If you have any questions about this Policy, you may contact:
A & A Insurance Brokers Ltd.
3220 Dougall Ave, Unit B