In the Employee Benefits business, we collect highly sensitive Personal Information concerning our clients and their employees. As the success of our business depends upon obtaining and maintaining the trust of our customers, they must be assured that the Personal Information they provide to us will be maintained in the strictest confidence.
At Johnstone’s Benefits, our commitment to protecting the confidentiality and security of our clients’ Personal Information has and always will be the most integral part of our corporate values. Johnstone’s Benefits has adopted the ten privacy principles established by the Canadian Standards Association’s Model Code for the Protection of Personal Information. These ten principles form part of the Personal Information Protection and Electronic Documents Act (“Act”). This Act establishes rules governing the collection, use and disclosure of Personal Information.
What is Personal Information?
Under the Act, Personal Information is broadly defined as information (data) – oral, written, or electronic – about an identifiable individual. Personal Information includes, but is not limited to, the following:
- name, address and telephone number
- age, gender, family and marital status
- medical and health information
- identification numbers (such as Social Insurance Number)
- financial and employment information
- beneficiaries and dependent information
What is Not Personal Information?
Personal Information does not include the name, title or business address, telephone number, or e-mail address of employees (i.e. business card information). Any data that we have collected in which all the “personal identifiers” have been removed, making it impossible to determine the identity of the person to whom it relates, is also not considered Personal Information.
Johnstone’s Benefits is responsible for Personal Information in its possession or control, including information that has been transferred to a third party for processing. All employees are obligated to protect the personal privacy of group and individual policyholders, lives insured and their beneficiaries and dependents.
We have designated an individual to oversee our compliance with the Act and ensure that our ten privacy principles are upheld.
2. Identifying Purposes
The purposes for which Personal Information is collected will be identified at or before the time the information is collected. This will generally be done through application or claim forms. Johnstone’s requires this information to:
- determine your eligibility for benefits;
- process and adjudicate your claims;
- provide you with ongoing services, establish and maintain communication with you and respond to any inquiries you may have;
- assess the suitability of the products or services for you or provide you with information on other products and services that may help meet your financial security needs;
- meet legal and regulatory requirements.
For these purposes we may share your Personal Information within Johnstone’s Benefits, and with Insurance Companies as they may require it to provide you with the coverage you are entitled to. Johnstone’s Benefits will not collect, use, or disclose information beyond that required to fulfill the specified purposes.
When Personal Information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use. Unless the new purpose is required in order to investigate a potential breach of contract, the prevention or detection of fraud, or for law enforcement purposes the consent of the individual is required before information can be used for that purpose.
Johnstone’s staff are able to explain to individuals the purposes for which the information is being collected.
The knowledge and consent of the individual are required for the collection of Personal Information and the subsequent use or disclosure of this information. Typically, Johnstone’s Benefits will seek consent for the use or disclosure of the information at the time of collection through the use of application or claim forms. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected, but before use (for example, when Johnstone’s Benefits wants to use information for a purpose not previously identified).
The way in which Johnstone’s Benefits seeks consent may vary, depending on the circumstances and the type of information collected. Johnstone’s Benefits should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney), although the authority of such a representative may be restricted by law or company policy.
In certain circumstances Personal Information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the investigation of a potential breach of contract, the prevention or detection of fraud, or for law enforcement purposes, seeking the consent of the individual might defeat the purpose of collecting the information. Similarly, seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or otherwise incapacitated.
An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Johnstone’s Benefits will inform the individual of the implications of such withdrawal, which may include termination of a policy or the inability to process a claim.
4. Limiting Collection
The collection of Personal Information will be limited to that which is reasonably necessary for the purposes identified by Johnstone’s Benefits. Information shall be collected only by fair and lawful means.
Johnstone’s Benefits shall not collect Personal Information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified.
5. Limiting Use, Disclosure, and Retention
Personal Information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Your Personal Information will only be retained for the time necessary to fulfill the purposes for which it was collected, and to meet any legal or regulatory requirements.
Under no circumstances will Johnstone’s Benefits sell any client lists.
Personal information will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Johnstone’s Benefits will routinely update personal information, but only if it is necessary to fulfill the purposes for which the information was collected. You can assist us in ensuring your records are current by providing us with any changes to your Personal Information, such as an address, dependent, and beneficiary changes. You have the right to challenge the accuracy and completeness of your Personal Information and amend it as necessary.
Personal Information will be protected by security safeguards appropriate to the sensitivity of the information. As Johnstone’s Benefits deals with highly sensitive information concerning the health and finances of our clients, this is of paramount importance.
The security safeguards will protect Personal Information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Only authorized employees and service providers have access to your Personal Information. Our commitment to security extends to the contracts and agreements that we sign with external suppliers and service providers.
The methods of protection will include:
- physical measures (i.e., building access for employees and visitors, off-site backups, archiving);
- organizational measures (i.e., security clearances and limiting access on a “need-to-know” basis); and
- technological measures (i.e., the use of passwords).
Johnstone’s Benefits will make readily available to individuals specific information about its policies and practices relating to the management of personal information.
9. Individual Access
We will give you access to your Personal Information at your request, subject to any legal or business restrictions. There may be a nominal charge for doing so.
10. Challenging Compliance
An individual may address a challenge concerning compliance with this policy to Johnstone’s Benefit’s Compliance Officer at firstname.lastname@example.org
Johnstone’s Benefits will inform individuals who make inquiries or lodge complaints of the applicable complaint handling protocol.
Johnstone’s Benefits will investigate and respond to all complaints in accordance with the applicable departmental complaint handling protocol. If a complaint is found to be justified, Johnstone’s Benefits will take appropriate measures, including, if necessary, amending its policies and procedures.