Howick Mutual Insurance Company

PERSONAL INFORMATION PROTECTION POLICY

 

INTRODUCTION

 

Adopted from the Model Personal Information Code - Insurance Bureau of Canada

 

The Howick Mutual Insurance Company is concerned about the protection of personal information of its "customers" (as defined in this Code). The Howick Mutual Insurance Company agrees to adhere to the principles in this Code.

 

Rather than a contract between the Howick Mutual Insurance Company and its customers, this Code shall be deemed a set of principles respecting the manner in which the Howick Mutual Insurance Company protects the privacy of customers.

 

The Code addresses two broad issues: the way the Howick Mutual Insurance Company collects, uses, discloses and protects personal information; and the right of customers to have access to personal information about themselves and, if necessary, to have the information corrected. Ten interrelated principles form the basis of the Code. Each principle is accompanied by a commentary that elaborates on the principle.

 

This Code:

 

a) provides principles for the management of personal information;

b) specifies the minimum requirements for the adequate protection of personal information held by the Howick Mutual Insurance Company;

c) makes the public aware of how personal information is protected by the Howick Mutual Insurance Company; and

e) provides for independent mediation when the Howick Mutual Insurance Company and its customers disagree about Customer Access (Principle 9).

 

PRINCIPLES IN SUMMARY

 

Ten interrelated principles form the basis of this Code. Each principle must be read in conjunction with the accompanying commentary.

 

1. Accountability

 

The Howick Mutual Insurance Company is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the Howick Mutual Insurance Company's compliance with the following principles.

 

2. Identifying Purposes

 

The purposes for which personal information is collected shall be identified by the Howick Mutual Insurance Company at or before the time the information is collected.

 

3. Consent

 

The knowledge and consent of the customer are required for the collection, use, or disclosure of personal information, except where inappropriate.

 

4. Limiting Collection

 

The collection of personal information shall be limited to that which is necessary for the purposes identified by the Howick Mutual Insurance Company. Information shall be collected by fair and lawful means.

 

5. Limiting Use, Disclosure and Retention

 

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the customer or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

 

6. Accuracy

 

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

 

7. Safeguards

 

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

 

8. Openness

 

The Howick Mutual Insurance Company shall make readily available to customers specific information about its policies and practices relating to the management of personal information.

 

9. Customer Access

 

Upon request, a customer shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. A customer shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

 

10. Challenging Compliance

 

A customer shall be able to challenge compliance with the above principles with the person who is accountable within the Howick Mutual Insurance Company.

 

1. SCOPE

 

1.1

 

This Code describes the minimum requirements for the protection of personal information. Any applicable legislation must be considered in implementing these requirements.

 

1.2

 

This Code applies to personal information relating to "customers" as defined in 2.1.

 

1.3

 

The objective of this Code is to assist the Howick Mutual Insurance Company in developing and implementing policies and practices to be used when managing personal information.

 

2. DEFINITIONS

 

2.1

 

The following definitions apply in this Code:

 

"Collection" - the act of gathering, acquiring, or obtaining personal information from any source, including from third parties, by any means. Personal information necessary to carry on the business of the Howick Mutual Insurance Company may be collected by the Howick Mutual Insurance Company, agents, brokers or their authorized agents.

 

"Consent" - voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the Howick Mutual Insurance Company while seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the customer. See commentary in 4.3.1.

 

"Customer" - individuals about whom the Howick Mutual Insurance Company collects personal information in order to carry out the business of the Howick Mutual Insurance Company; and includes individuals who are insureds, former insureds, applicants, claimants, individuals involved in a claim, and individuals insured as part of a group or corporate policy.

 

"Customer" does not include commercial and corporate entities, or individuals carrying on business in sole proprietorships, in partnerships or in other associations.

 

"Disclosure" - making personal information available to others outside the Howick Mutual Insurance Company.

 

"P&C insurers" - insurers licensed in Canada to write any class of insurance other than life insurance.

 

Commentary: P&C insurers market their insurance products in a number of different ways, either through agents ("agents"), independent brokers ("brokers") or employees ("employees"). Agents and brokers are similar in that they are independent, self-employed business people; the difference is that agents sell insurance products exclusively for one insurer while a broker sells insurance products for a number of insurers. Neither agents nor brokers are under the direct control of the P&C insurer(s); on the other hand, employees are under the direct control of the P&C insurer that employs them. A P&C insurer may sell its insurance products through agents, brokers, employees or a combination thereof.

 

"Personal information" - information about a customer that is recorded in any form. It may include an individual's name, address, telephone number, date of birth, family status, marital status, occupation, medical and health records, assets, liabilities, income, credit rating, whether or not credit was extended or refused to the individual, credit and payment records of the individual, an individual's previous insurance experience including claims history, and an individual's driving record.

 

"Use"- treatment and handling of personal information within the Howick Mutual Insurance Company.

 

3. GENERAL REQUIREMENTS

 

3.1

 

The ten principles that make up this Code are interrelated. The Howick Mutual Insurance Company shall adhere to the set of ten principles as a whole.

 

3.1.1

 

Each principle is followed by a commentary. The commentaries are intended to help customers of P&C insurers understand the significance and the implications of the principles. Where there is also a "NOTE" following a principle (see principles 3 and 9), it forms an integral part of the principle.

 

3.1.2

 

Although the following clauses use prescriptive language (that is, the words "shall" or "must"), this document is a voluntary code. The Howick Mutual Insurance Company will treat the clauses containing prescriptive language as requirements. The use of the word "should" indicates a recommendation.

 

3.1.3

 

Use of the singular does not exclude the plural (and vice versa) when the sense allows.

 

4.1 PRINCIPLE 1: ACCOUNTABILITY

 

The Howick Mutual Insurance Company is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the Howick Mutual Insurance Company's compliance with the following principles.

 

4.1.1

 

Accountability for the Howick Mutual Insurance Company’s compliance with the principles rests with the designated individual(s) even though other individuals within the Howick Mutual Insurance Company may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the Howick Mutual Insurance Company may be delegated to act on behalf of the designated individual.

 

4.1.2

 

The identity of the individuals designated by the Howick Mutual Insurance Company to oversee the Howick Mutual Insurance Company’s compliance with the principles shall be available upon request.

 

4.1.3

 

The Howick Mutual Insurance Company is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The Howick Mutual Insurance Company shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

 

4.1.4

 

The Howick Mutual Insurance Company shall implement policies and practices to give effect to the principles, including:

 

a) implementing procedures to protect personal information;

b) establishing procedures to receive and respond to complaints and inquiries;

c) training staff and communicating to staff information about the Howick Mutual Insurance Company's policies and practices; and

d) developing information to explain the Howick Mutual Insurance Company's policies and procedures.

 

4.2 PRINCIPLE 2: IDENTIFYING PURPOSES

 

The purposes for which personal information is collected shall be identified by the Howick Mutual Insurance Company before or at the time the information is collected.

 

4.2.1

 

The Howick Mutual Insurance Company shall collect personal information only for the purposes of:

 

Establishing and maintaining communications with customers;

Underwriting risks on a prudent basis;

Investigating, defending against, and paying claims;

Detecting and preventing fraud;

Offering and providing products and services to meet customer needs;

Compiling statistics;

Complying with the law; and

A business or activity which it may undertake under applicable federal, provincial or territorial legislation.

 

4.2.2

 

The Howick Mutual Insurance Company understands that fulfilling the purposes referred to in 4.2.1 requires the Howick Mutual Insurance Company or its designates to collect only that information necessary for the identified purposes.

 

4.2.3

 

The identified purposes should be communicated to customers or other persons from whom the personal information is being collected. This can be done orally or in writing, for example, on an application form or through pamphlets or other suitable media.

 

4.2.4

 

When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified before use. Unless the new purpose is required by law, the consent of the customer is required before information can be used for that purpose.

 

4.2.5

 

Persons collecting personal information should be able to explain to customers the purposes for which the information is being collected.

 

4.3 PRINCIPLE 3: CONSENT

 

The knowledge and consent of the customer are required for the collection, use, or disclosure of personal information, except where inappropriate.

 

NOTE: In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the customer. For example, legal, medical or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the customer might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the customer is a minor, seriously ill, or mentally incapacitated. In addition, where there is no direct relationship with the customer, the Howick Mutual Insurance Company may not always be able to seek consent. However, when certain types of information are being collected, such as medical or hospital records, employment records or income tax records, the Howick Mutual Insurance Company will obtain express consent from the customer.

 

4.3.1

 

The P&C insurance business has the following unique features that make express consent impossible to obtain:

 

As a convenience to their customers, P&C insurers often provide insurance or amendments to existing policies over the telephone, on short notice and with little written documentation. In these circumstances, it is impossible for P&C insurers to obtain express written consent from customers.

 

P&C insurers that operate through independent brokers or agents (see definition of "P&C insurers" in 2.1) do not have direct relationships with the customers and therefore are not able to obtain express oral consent from the customers.

 

P&C insurers have a legal duty to defend their policyholders against claims made by third party claimants. In such situations, the P&C insurers and the third party claimants are adverse parties. In order to fulfill their obligations to their policyholders, P&C insurers must collect, use and disclose personal information about such third party claimants that is relevant to the claim even if the third party claimants have not given their consent.

 

Given these constraints, it is reasonable for the Howick Mutual Insurance Company to infer that by dealing with it on insurance-related matters, customers have given implied consent for the collection, use or disclosure of personal information necessary for the identified purposes (see 4.2.1).

 

4.3.2

 

The following are situations specific to the P&C insurance business where consent is not required for the collection, use and disclosure of personal information:

 

(a) Legal

 

Collection of personal information for the detection and prevention of fraud.

Compliance with subpoenas, search warrants, and other court or government orders.

In either of these situations obtaining consent might defeat the purpose of collecting the information.

 

(b) Duty to Defend

 

P&C insurers will transfer the personal information of customers to lawyers retained by the P&C insurers pursuant to the contractual obligation in the insurance policy to defend legal actions against their insureds.

 

(c) Public Duty

 

In exceptional circumstances, P&C insurers may, under a public duty, disclose personal information to appropriate authorities in matters of significant public interest.

 

(d) Medical and Other

 

Where the customer is a minor, seriously ill, or mentally incapacitated, seeking consent may be impossible or inappropriate.

 

4.3.3

 

Consent is required for the collection of personal information and the subsequent use or disclosure of this information. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when the Howick Mutual Insurance Company wants to use information for a purpose not previously identified).

 

4.3.4

 

The principle requires "knowledge and consent." This suggests that the Howick Mutual Insurance Company shall make a reasonable effort to ensure that the customer is advised of the purposes for which the information will be used. The purposes shall be stated in a manner that can be reasonably understood by the customer.

 

4.3.5

 

The Howick Mutual Insurance Company may not, as a condition of the supply of a product or service, require a customer to consent to the collection, use or disclosure of information beyond that required to fulfill the specified, explicit and legitimate purposes. The Howick Mutual Insurance Company shall explain to the customer the information requirements that are related to the product or service. In so doing, the Howick Mutual Insurance Company has provided a specified, explicit and legitimate purpose. The Howick Mutual Insurance Company can then refuse to deal with a customer who will not consent to the collection, use and disclosure of the information for the specified, explicit and legitimate purpose. For example, P&C insurers provide insurance at specified rates and on certain terms and conditions based on, among other things, analysis of an individual's personal information, including date of birth, address, and claims history. If this information is not obtained, the P&C insurer cannot determine the basis for insurance coverage and, therefore, cannot provide insurance to the customer. Consent shall not be obtained through deception.

 

4.3.6

 

There are certain types of information where the express written consent of the customer will be obtained for the collection, use or disclosure of personal information. Examples include medical or hospital records, employment records or income tax returns.

 

4.3.7

 

A customer should reasonably expect that the Howick Mutual Insurance Company will use personal information in making its decisions on the customer's insurability and in adjusting the customer's claim. On the other hand, a customer would not reasonably expect the Howick Mutual Insurance Company to give accident information to car sales companies to solicit individuals for the purchase of a new car if the customer's car had incurred extensive damage in an accident.

 

4.3.8

 

Consent can be given by an authorized representative (such as a person having a power of attorney, or legal guardian). Consent can also be given by an individual on behalf of another individual. For example, where an individual applies for automobile insurance for himself and family members, the applicant is giving consent for the collection, use, and disclosure of personal information both for himself and his family members even though the family members are not present during the application process. A similar situation arises where an employer, on behalf of its employees, applies for or renews a group or fleet insurance policy that provides insurance benefits to the employees even though the employees are not present during the application or renewal process.

 

4.3.9

 

Where the Howick Mutual Insurance Company seeks express consent, it can be given in many ways. For example:

 

(a) An application form may be used to seek consent, collect information and inform the customer of the use that will be made of the information. By completing and signing the form, the customer is giving consent to the collection and the specified uses.

(b) A check-off box may be used to allow customers to request that their names and addresses not be given to other organizations for marketing purposes. Customers who do not check the box are assumed to consent to the transfer of this information to third parties.

(c) Consent may be given orally when information is collected over the telephone.

(d) Consent may be given by agreement, or action on the part of the customer, to use, acquire or accept a product or service.

 

4.3.10

 

Consent is valid for the length of time needed to achieve the identified purposes. The customer may withdraw consent on reasonable notice, subject to legal or contractual restrictions and the requirement that the Howick Mutual Insurance Company maintain the integrity of the statistics and data necessary to carry on its business. The Howick Mutual Insurance Company shall inform the customer of the implications of such withdrawal.

 

4.4 PRINCIPLE 4: LIMITING COLLECTION

 

The collection of personal information shall be limited to that which is necessary for the purposes identified by the Howick Mutual Insurance Company. Information shall be collected by fair and lawful means.

 

4.4.1

 

The Howick Mutual Insurance Company shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified. The Howick Mutual Insurance Company obtains personal information primarily from insurance customers, but also from others including other P&C insurers, brokers, and underwriting or claims information networks. The Howick Mutual Insurance Company shall specify the type of information collected as a part of its information handling policies and practices in accordance with Principle 8 - Openness.

 

4.4.2

 

The requirement that personal information be collected by fair and lawful means is intended to prevent the Howick Mutual Insurance Company from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.

 

4.5 PRINCIPLE 5: LIMITING USE, DISCLOSURE AND RETENTION

 

Personal information shall not be used or disclosed for purposes other than those for which the information was collected, except with the consent of the customer or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

 

4.5.1

 

There are situations specific to the P&C insurance business where the Howick Mutual Insurance Company will disclose personal information as dictated by prudent insurance practices. For example:

 

 

4.5.2

 

If the Howick Mutual Insurance Company uses personal information for a new purpose it must document this purpose.

 

4.5.3

 

The Howick Mutual Insurance Company shall develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about a customer shall be retained long enough to allow the customer access to the information after the decision has been made. The Howick Mutual Insurance Company may be subject to legislative requirements with respect to retention periods.

 

4.5.4

 

Personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous. The Howick Mutual Insurance Company should develop guidelines and implement procedures to govern the destruction of personal information.

 

4.6 PRINCIPLE 6: ACCURACY

 

Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

 

4.6.1

 

The extent to which personal information shall be accurate, complete and up-to-date will depend upon the use of the information, taking into account the interests of the customer. Information shall be sufficiently accurate, complete and up-to-date, to minimize the possibility that inappropriate information may be used to make a decision about the customer.

 

4.6.2

 

The Howick Mutual Insurance Company shall not routinely update personal information unless this is necessary to fulfill the purposes for which it was collected.

 

4.6.3

 

Personal information that is used on an on-going basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

 

4.7 PRINCIPLE 7: SAFEGUARDS

 

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

 

4.7.1

 

The security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The Howick Mutual Insurance Company is expected to protect personal information regardless of the format in which it is held.

 

4.7.2

 

The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution and format of the information and the method of storage. More sensitive information should be safeguarded by a higher level of protection.

 

4.7.3

 

The methods of protection should include:

 

(a) physical measures, such as locked filing cabinets and restricted access to offices;

(b) organizational measures, such as security clearances and limiting access on a "need to know" basis; and

(c) technological measures, such as the use of passwords and encryption.

 

 

4.7.4

 

The Howick Mutual Insurance Company shall make its employees aware of the importance of maintaining the confidentiality of personal information.

 

4.7.5

 

Care shall be used in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.

 

4.8 PRINCIPLE 8: OPENNESS

 

The Howick Mutual Insurance Company shall make readily available to customers specific information about its policies and practices relating to the management of personal information.

 

4.8.1

 

The Howick Mutual Insurance Company shall be open about its policies and practices with respect to the management of personal information. A customer shall be able to acquire information about the Howick Mutual Insurance Company's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.

 

4.8.2

 

The information made available shall include:

 

(a) the title, address and telephone number of the person who is accountable for the Howick Mutual Insurance Company's policies and practices and to whom complaints or inquiries can be forwarded;

(b) the means of gaining access to personal information held by the Howick Mutual Insurance Company;

(c) a description of the type of personal information held by the Howick Mutual Insurance Company, including a general account of its use;

(d) a copy of any brochures or other information explaining the Howick Mutual Insurance Company's policies, standards or codes; and

(e) what personal information is made available to related organizations, such as subsidiaries.

 

4.8.3

 

The Howick Mutual Insurance Company may make information on its policies and practices available in a variety of ways. The method chosen will depend on the nature of its business and other considerations. For example, the Howick Mutual Insurance Company may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number.

 

4.9 PRINCIPLE 9: CUSTOMER ACCESS

 

Upon request, a customer shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. A customer shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

 

NOTE: In certain situations, the Howick Mutual Insurance Company may not be able to provide access to all the personal information it holds about a customer. Exceptions to the access requirement should be limited and specific. The reasons for denying access should be provided to the customer upon request. Exceptions may include prohibitive cost, personal information that contains references to other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.

 

4.9.1

 

Upon request, the Howick Mutual Insurance Company shall inform a customer whether or not the Howick Mutual Insurance Company holds personal information about the customer. The Howick Mutual Insurance Company is encouraged to indicate the source of this information. The Howick Mutual Insurance Company shall allow the customer access to this information. However, the Howick Mutual Insurance Company may choose to make sensitive medical information available through a medical practitioner. In addition, the Howick Mutual Insurance Company shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed. If such a request is denied, the customer shall have the right to be given reasons for the denial and information on how to challenge such denial including:

 

(a) an invitation to the customer to send a letter to the Howick Mutual Insurance Company's President requesting reconsideration of such denial;

(b) a commitment by the Howick Mutual Insurance Company to open promptly a dialogue with the customer; and

(c) a commitment by the Howick Mutual Insurance Company to participate in an independent mediation process should the parties be unable to resolve the dispute.

 

4.9.2

 

A customer may be required to provide sufficient information to permit the Howick Mutual Insurance Company to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.

 

4.9.3

 

In providing an account of third parties to which it has disclosed personal information about a customer, the Howick Mutual Insurance Company shall attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about a customer, the Howick Mutual Insurance Company shall provide a list of organizations to which it may have disclosed information about the customer.

 

4.9.4

 

The Howick Mutual Insurance Company shall respond to a customer's reasonable request within a reasonable time and at minimal or no cost to the customer. The requested information shall be provided or made available in a form that is generally understandable. For example, if the Howick Mutual Insurance Company uses abbreviations or codes to record information, an explanation shall be provided.

 

4.9.5

 

When a customer successfully demonstrates the inaccuracy or incompleteness of personal information, the Howick Mutual Insurance Company shall amend the information as required. Depending upon the nature of the information challenged, an amendment could involve the correction, deletion or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.

 

4.9.6

 

When a challenge is not resolved to the satisfaction of the customer, the substance of the unresolved challenge shall be recorded by the Howick Mutual Insurance Company. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.

 

4.10 PRINCIPLE 10: CHALLENGING COMPLIANCE

 

A customer shall be able to challenge compliance with the above principles with the person who is accountable within the Howick Mutual Insurance Company.

 

4.10.1

 

The individual accountable for the Howick Mutual Insurance Company's compliance is discussed in 4.1.1.

 

4.10.2

 

The Howick Mutual Insurance Company shall put procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information. The complaint procedures should be easily accessible and simple to use.

 

4.10.3

 

The Howick Mutual Insurance Company shall inform customers who make inquiries or lodge complaints of the existence of relevant complaint mechanisms. A range of these procedures may exist. For example, some regulatory bodies accept complaints about the personal information-handling practices for the companies they regulate.

 

4.10.4

 

The Howick Mutual Insurance Company shall investigate all complaints. If a complaint is found to be justified through either the internal or external complaint review process, the Howick Mutual Insurance Company shall take appropriate measures, including amending its policies and practices if necessary.

 

4.10.5

 

Insurance customers of the Howick Mutual Insurance Company who are dissatisfied with the manner in which their complaints have been handled may contact:

 

Financial Services Commission of Ontario

5160 Yonge Street, 16th Floor

North York, Ontario M2N 6L9

 

APPENDIX "A"

 

CSA Standard CAN/CSA-Q830-96 Model Code for the Protection of Personal Information

 

Principles in Summary

 

Ten interrelated principles form the basis of the CSA Model Code for the Protection of Personal Information. Each principle must be read in conjunction with the accompanying commentary.

 

1. Accountability

 

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

 

2. Identifying Purposes

 

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

 

3. Consent

 

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

 

4. Limiting Collection

 

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

 

5. Limiting Use, Disclosure and Retention

 

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

 

6. Accuracy

 

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

 

7. Safeguards

 

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

 

8. Openness

 

The organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

 

9. Individual Access

 

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

 

10. Challenging Compliance

 

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

 

Note: With the permission of the Canadian Standards Association, this material is reproduced from the CSA Standard CAN/CSA-Q830-96 "Model Code for the Protection of Personal Information," which is copyrighted by CSA, 178 Rexdale Blvd., Etobicoke, Ontario, Canada M9W 1R3. While use of this material has been authorized, CSA shall not be responsible for the manner in which the information is presented, nor for any interpretations thereof. This CSA material may not be updated to reflect amendments made to the original content. For up-to-date information, contact CSA.

 

Amended March 19, 2004 pursuant to “Comparison of Personal Information Protection and Electronic Documents Act and IBC Model Code, (Excerpt)” dated February 15, 2002.