Privacy – Definition:
Privacy is the right of an individual to control who has access to his or her personal information and under what circumstances.
The privacy of your personal information is of the utmost importance to Penmore. Penmore believes that protecting the privacy and the confidentiality of its customers’ personal information is an important part of its relationship with them. Any information gathered by Penmore will be kept strictly confidential and will only be used or shared in ways for which you have specifically consented. Unless we have your express consent, Penmore will not sell, rent or trade your personal information to any third party.
The personal information that Penmore holds or will hold concerning you will be treated confidentially, and will be kept in a file opened for the purpose of allowing you to benefit from various insurance, annuity, credit and other related financial services offered by your insurer. This information will only be consulted by the personnel of your insurer who require access to it in the course of their duties.
You may have access to your file and request that information be corrected if you prove that it is incorrect, incomplete, ambiguous, outdated or unnecessary. You must then send a written request to the person in charge of the protection of personal information at Penmore.
Why Penmore collects Personal Information
Penmore collects, uses and discloses personal information about its customers for the purposes of managing their financial-related needs. This includes evaluating and assessing insurance needs, underwriting, coverage assessment, compiling statistics, providing all policy related or administrative services, loss control, compliance with any regulatory requirements, claims investigation, protecting against error and fraud, ensuring information is accurate and up to date, and determining your payment of premiums.
Penmore may also collect, use and disclose personal information about third parties for the purpose of handling claims made against our customers.
What type of Personal Information Penmore collects
The types of personal information that Penmore may collect are property details, claims histories, employment information, professional history, medical and health information, driving records and financial information. Which of those types we collect in a particular case depends on which of our purposes is applicable and on the particular circumstances.
How Penmore Obtains Personal Information
The personal information collected by Penmore is provided to us by you directly or through an insurance company or agent, by way of your insurance application, and by service providers. For some of our purposes, we may obtain personal information, such as claims, underwriting, credit history and driving records, from other industry sources.
In some cases, Penmore will consider that the need for certain personal information is so obvious as part of the process that the customer’s consent to its collection and use is implied.
In some circumstances, consent may not be required for the collection and use of personal information for the purpose of investigating a breach of an insurance/fund policy or other agreement, or a contravention of Canadian law.
Subject to legal or contractual restrictions and upon reasonable notice, you may withdraw your consent at any time. At that time, we will advise you of the consequences of withdrawal of your consent.
How and When Penmore Shares Personal Information
Penmore provides personal information to other organizations (including its affiliated companies) only for the purposes listed above, or if required or permitted to do so by law.
In some circumstances, the customer’s consent is not required for the disclosure of personal information; this would apply, for example, to the disclosure of personal information to an approved investigative body when we believe that the information relates to the breach of an insurance policy or other agreement or a contravention of Canadian law; or when we are required by law to disclose the information; or when we disclose information to a lawyer for claims purposes or to obtain legal advice.
When Penmore provides data containing personal information to service providers, they are subject to confidentiality requirements.
Securing and Safeguarding Your Personal Information
Penmore protects your personal information with security safeguards appropriate to the sensitivity of the information. Penmore employees, contractors and representatives access personal information only when they have a business need to do so. Our employees are made aware of the proper handling of personal information pertaining to this policy. We keep personal information only as long as it is necessary for our purposes listed above.
Accuracy of and Access to Your Personal Information
Penmore keeps your personal information as accurate and up to date as is required. We will do our best to base any decisions on accurate information; however, we rely on individuals to disclose all material information and to inform us of any changes.
Upon written request and appropriate identification satisfactory to Penmore, we will provide reasonable access to personal information exclusively to the individual to whom it refers. In some circumstances, we may refuse access; for example, if:
- Doing so would likely reveal personal information about a third party
- The information is protected by solicitor-client privilege
- Doing so would reveal confidential commercial information
- Revealing the information could affect the security of another person
- The information was generated in the course of a formal dispute resolution process
Personal Health Information Protection Act (Ontario)
The Personal Health Information Protection Act, known by its acronym PHIPA, outlines privacy regulations for health information custodians in Ontario, Canada. It sets out ten principles as standards for protecting personal information. Those principles are summarized below.
Principle 1 – Accountability
Under Principle 1, an organization must designate a person or persons to be accountable for privacy systems. The principle also requires organizations to implement policies and practices to give effect to the principles.
Principle 2 – Purpose
The philosophy and purpose of the policy should reinforce the organization’s commitment to the privacy and confidentiality of all personal information, both employee and client, and to implementing systems to manage this. It should be stated what information will be collected and for what reasons and that all personal information will be kept confidential and used only for the purpose for which it was collected (or other legitimate business purposes, such as administering benefit plans). It is important to have consistent policies – management should treat employees’ personal information with the same confidentiality employees are expected to treat client information. Personal information should be broadly defined in the policy to include any identifiable information about a person or client, whether recorded or not.
Principle 3 – Consent
Except for data required to be collected by various laws (e.g. information that must be gathered under the Income Tax Act about an individual’s entitlement to certain tax exemptions), organizations should commit to gaining consent to collect, use and/or further disclose personal information in terms that are clear and unambiguous.
Principle 4 – Limited collection
Information collection must be specific, relevant and necessary and only for the purposes specified. Employers should be aware of the information they are required by law to collect and retain.
Principle 5 – Limited use, disclosure, retention
Use of the information must also be limited to the purposes specified, limited in its disclosure and retained only as long as necessary. Employers may be required to disclose information under court order or subpoena and policies should recognize this.
Principle 6 – Accuracy
Information should be accurate, complete and up-to-date and processes should allow for this maintenance.
Principle 7 – Safeguards
Information must be safeguarded during use, storage and disposal. Personal information about clients or customers will often have different storage and access systems than employee information. Employee information is often only accessed by supervisory personnel, Human Resources and/or Payroll personnel and the employees themselves; it can be stored electronically or manually in the Human Resources or Payroll Department, protected by locks and keys or by passwords. Client information, often required by numerous employees, must be more accessible and therefore, must have strict rules regarding the collection, use and disclosure of such data. Access to the data should be protected by passwords and there should be a prohibition against releasing any client information except as necessary to fulfil one’s duties. Sensitive materials such as employee or client medical files should be kept separately and safeguarded.
Processes should be set up to document and regulate who has internal access to employee information. Procedures should be in place to ensure employee consent in writing to release information to third parties. Access to client information by employees will, of course, depend on job descriptions. Security measures, such as passwords, and adequate training to ensure employees know how to properly collect, use and disclose client information should be part of the policy.
By law, some employee information must be kept for specific time periods. Processes should be documented to ensure information no longer required is disposed of properly so that it cannot fall into the wrong hands. Similarly, outdated client information must be adequately disposed of, either by destruction or archiving.
Principle 8 – Openness
Privacy policies should be open and clear regarding accountability measures and means and rights of access.
Principle 9 – Individual access
Individuals should be informed of the existence of information and their rights to access and correct such data, subject to logistic and/or security limitations.
Principle 10 – Challenging compliance
Privacy policies should include processes to challenge compliance with these principles to the person designated accountable for privacy and information management.