DUGGAN BENEFITS INSURANCE AGENCIES INC. PRIVACY INFORMATION DOCUMENT
Principle 1 - Accountability
- If you are going to collect and hold personal information, you must be responsible for all personal information under your control. You should designate an individual with ultimate accountability for compliance with the principles: the Chief Operating Officer.
- Others may be responsible for the day-to-day collection and processing of personal information.
- You must be responsible for all personal information in your possession or custody including information transferred to third party processors.
All third party processors of personal information held by Duggan Benefits Insurance Agencies Inc. will agree (contractually) to comply with the following terms and conditions.
- Name an individual to handle all aspects of the contract;
- Act strictly on behalf of Duggan Benefits Inc. when receiving and processing personal information;
- Limit the use of all personal information transferred to the third party processor;
- Limit disclosure of all personal information to what is authorized by Duggan Benefits Inc.;
- Refer to Duggan Benefits Inc. any individual seeking access to their personal information;
- To return or dispose of transferred information upon completion of the contract;
- To use appropriate security measures to protect all personal information;
- To rectify, delete or update all personal information on a timely basis upon receiving instructions from Duggan Benefits Inc.;
- To acknowledge liability for the use made of all personal information;
- To allow Duggan Benefits Inc. to oversee the third party processor's methods of processing data (by review or audit);
- To indemnify Duggan Benefits Inc. for any breach of contract; and
- To ensure that the third party has complied with the issue of consent.
Principle 2 - Identify the Purposes for Collecting Personal Information
You must identify the purposes for which personal information is collected at, or before, the time the information is collected.
For group/benefit plan members- personal information provided is used solely for the purpose of:
- Establishing identification
- Providing the subscriber and dependants with the applicable benefit coverage
- Protecting the subscriber and Duggan Benefits Inc. from fraud
- Providing ongoing services
For employees of Duggan Benefits Inc. - personal information contained in employment files, performance appraisals and benefit claims information files is used solely for:
- The administration of payroll, pension and benefit plans
- To meet Human Resources management requirements
- To comply with federal and provincial regulations
- Individual performance appraisals
Our purposes are identified in the following places:
For group/benefit plan members - on enrollment forms, in benefit plan booklets, and in group contracts.
For employees of Duggan Benefits Inc. - on payroll, pension and benefit plan forms
When personal information that has been collected is to be used for a new purpose, it will be identified prior to use. The consent of the individual will be obtained before information can be used for the new purpose, unless the new purpose is required by law.
Principle 3 - Consent is obtained for the Collection, Use or Disclosure of Personal Information
You must seek consent for the collection of personal information and its subsequent use or disclosure.
Express consent should be obtained from the individual to whom the information relates.
When dealing with group benefit plans, Duggan Benefits Inc. typically communicates with the plan sponsor or the carrier, not directly with the individual. Therefore, it is implied that the group has obtained the required consent for the collection of personal information.
It is also implied that the plan member has obtained the required consent from their dependants.
ID cards, enrollment forms, claim forms, group contracts and benefit plan booklets will contain specific wording to obtain or communicate consent.
Form of Consent
- Subscriber/plan member signs an enrolment form - written consent
- Plan member submits a claim form- written consent
- Present your ID card to a pharmacist/dentist in lieu of payment- implied consent
An authorized representative (i.e. legal guardian, power of attorney, and union rep of the plan member) can give consent.
Consent can be implied or inferred from certain actions when the implications would be clearly understood by a reasonable person, i.e. presentation of an invoice or completed claim form to an individual by a health care provider can be regarded as consent for that individual to use that information to seek reimbursement for the cost of that service.
An individual may withdraw consent at any time, subject to legal or contractual restrictions, reasonable notice and the requirement that the integrity of the statistics of data necessary to carry on business is maintained.
The individual should be informed that such withdrawal of consent would result in their no longer being eligible for benefit coverage.
Personal information can be collected, used or disclosed without the knowledge and consent of the individual as follows:
- Clearly in the individual's interest and consent is not available in a timely way:
- If knowledge and consent would compromise the availability or accuracy of the information:
- For journalistic, artistic, or literary purposes: or
- Information is publicly available.
- If we have reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial, or foreign law and the information is used for that investigation:
- For an emergency that threatens an individual's life:
- For statistical or scholarly study or research
- It is publicly available
- If the use is clearly in the individual's best interest: or
- If knowledge and consent would compromise the availability or accuracy of the information;
- To a lawyer representing us;
- To collect a debt the individual owes us;
- To comply with a subpoena;
- To a government institution that has requested the information;
- To an investigative body named in the regulations of the Act or government institution:
- If made by an investigative or regulatory body;
- In an emergency threatening an individual's life, health or security;
- For statistical, scholarly study or research (notify Privacy Commissioner);
- To an archival institution;
- 20 years after the individual's death or 100 years after the record was created;
- If publicly available; or
- If required by law.
Principle 4- Limiting the Collection of Personal Information
You must ensure that the collection of personal information is limited to that which is necessary for the purposes identified. Information is collected by fair and lawful means.
Information is collected:
- From group and benefit plan members and their employees; or
- From third parties for the purposes for which it was originally collected.
Principle 5 - Limiting the Use, Disclosure and Retention of Personal Information
You must ensure that personal information is not used or disclosed for purposes other than those for which it was collected.
Personal information is retained only as long as necessary for the fulfillment of these purposes.
When using personal information for a new purpose, you should document the identified new purpose.
- Minimum and maximum retention periods are set.
- Personal information that has been used to make a decision about an individual is retained long enough to allow the individual access to the information after the decision has been made.
- Personal information that is no longer required to fulfill the identified purposes is destroyed, erased or made anonymous.
- Claims information is retained and disposed of in accordance with the retention periods table maintained by the Information Systems Department. (Minimum 7 years)
Disposing of Personal information
- Placed in secure, locked containers and subsequently shredded.
- Business reports and data, internal manuals, system documentation and printed material with proprietary, sensitive or confidential information must be shredded.
- Desktop computers, laptops and hard disk drives considered surplus must be erased and written over with binary zeros before leaving our premises.
The following procedures are used to ensure that inappropriate disclosure of personal information does not occur:
- All external reports must contain a disclaimer; and
- All external reports will be de-identified or contain only aggregated information.
You may disclose personal information about your employees:
- For normal personnel and benefit administration:
- Where disclosure is required by law, or
- When the written consent of the employee is obtained.
Principle 6 - Accuracy of Personal Information
Personal information is accurate, complete and up-to-date:
- To minimize the possibility that inappropriate information may be used to make a decision about the individual:
- To fulfill the identified purposes or upon notification by the individual: or
- Unless limits to the requirement for accuracy are clearly set out.
Principle 7 - Safeguarding of Personal Information
Security safeguards appropriate to the sensitivity of the information protect personal information against:
- Loss or theft; or
- Unauthorized access, disclosure, copying, use or modification.
Methods of Protection:
- Physical measures - locking filing cabinets and restricting access to offices;
- Organizational measures - security clearances, limiting access on a "need to know" basis;
- Technological measures - use of passwords, encryption; and
- Attitudinal Environmental Measures - avoidance of hallway discussions.
Personal information disclosed to third parties is protected by contractual agreements stipulating the confidentiality of the information and the purposes for which it is to be used.
All employees sign confidentiality agreements.
All employees are required to participate in annual security and privacy awareness training programs.
You should implement appropriate safeguards in the disposal and destruction of personal information - to prevent unauthorized parties from gaining access to the information.
Principle 8 - Openness Concerning Policies and Procedures
You should make readily available to any individual who should ask, specific information about your policies and procedures relating to the management of personal information.
The information made available should include the following:
- The name, title and the address of the person accountable for compliance.
Call, write or fax to the Chief Operating Officer
The above information is placed on all external privacy publications.
- The means of gaining access to personal information in your control
The above information is placed on all external privacy publications
- A description of the type of information held including a general account of its use.
This information is placed on all external privacy publications for the benefit of our group and benefit plan members and on our internal privacy publications for the benefit of our employees.
- A copy of any brochures or other information that explain your Privacy Code.
Principle 9 - Individual Access to Personal Information
You should ensure that, upon request, an individual will be informed of the existence, use and disclosure of his/her personal information and will be given access to that information.
An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
The following steps will be taken when an individual wishes to access his/her personal information:
Verify identity of the individual
When filling out a form - ID is required
When filling out a form on someone's behalf- power of attorney, etc.
Third party requests- ID of that party and how to contact them shall be documented for future reference.
Requests made by letter - reasonable attempts will be made to verify authenticity of the letter.
Determine what information will be made available. All personal information will be made available unless it falls under the following categories:
It contains reference to other individuals.
Information that cannot be disclosed for legal or security reasons.
Information that cannot be disclosed for commercial proprietary reasons.
Information that is subject to solicitor-client or litigation privilege.
Information that cannot be disclosed due to prohibitive cost.
Determine a reasonable cost for the information
Fees imposed will not exceed cost incurred by us.
Establish timeframe for response
Within 30 days
If longer than 30 days, the individual will be notified in writing of the length of time.
Keep a Registry of Inquiries
Unresolved challenges will be recorded by us for future references.
Act within 2 weeks of withdrawal request.
Duggan Benefits will no longer be able to administer benefit coverage and may use the personal information to wind up the service relationship.
Resolving disagreements over Personal Information
If there is a disagreement about the accuracy of personal information the issue will be reviewed by the Chief Operating Officer.
If the individual is not satisfied, they will be made aware of applicable industry associations or councils, regulatory authorities or the Privacy Commissioner of Canada.
Language or Cultural issues
Duggan Benefits Inc. will make reasonable effort to provide information in a format that the individual can understand.
Duggan Benefits Inc. may choose to make sensitive medical information available through a medical practitioner - they would relay the information to the individual.
Requested as proof of identity
Subscriber number, name and initial, date of birth, street address, driver's license, spousal name, employer.
Dependents under 14 years of age- mother, father, legal guardian- with adequate identification.
For any other person, the requestor of confidential information provides the required completed CONSENT TO RELEASE OF CONFIDENTIAL INFORMATION form.
- Make an official request
- In person- by showing ID and by filling out a form
- By sending a letter or fax
- By telephone request - two items of ID required
Date of request is documented
- By e-mail - through Duggan Benefits Inc. web site
The following procedures will be undertaken to respond to an individual's request:
- Respond to the request as quickly as possible and no later than 30 days after receipt of the request.
- The normal 30 day response time limit can be extended to a maximum of 30 additional days according to specific criteria:
- If responding to the request within the original 30 days would unreasonably interfere with the activities of Duggan Benefits Inc.;
- If additional time is necessary to conduct consultations; or
- If additional time is necessary to convert personal information to an alternate format.
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, Duggan Benefits Inc. will amend the information as required. This amended information will be transmitted to third parties having access to the information.
When a challenge is not resolved to the satisfaction of the individual, Duggan Benefits Inc. will record the unresolved challenge- this information may be transferred to third parties having access to the information.
In certain circumstances Duggan Benefits may not be able to provide access to all personal information it holds.
Duggan Benefits Inc. must refuse individual access to personal information:
- If it would reveal personal information about another individual unless there is consent or a life-threatening situation;
- If Duggan Benefits Inc. has disclosed information to a government institution for law enforcement or national security reasons. Upon request, the government institution may instruct us to refuse access to the information. We must refuse the request and notify the Privacy Commissioner.
You may refuse access to personal information if the information falls under the following:
- Solicitor-client privilege;
- Confidential commercial information;
- Disclosure could harm a person's life or security;
- It was collected without the individual's knowledge or consent; or
- It was generated in the course of a formal dispute resolution process.
Principle 10 - Challenging Compliance
An individual will be able to address a challenge concerning compliance with above principles.
Procedures for handling complaints or inquiries about Duggan Benefits Inc. policies and procedures:
- Record the date a complaint was received
- Acknowledge receipt of complaint
- Contact individual to clarify complaint
- Assign investigation
- Give investigator access to all relevant records
- Notify individual of outcome of investigation clearly and promptly
- We will contact the individual following the decision to verify whether the matter has been resolved in a satisfactory manner
- If a decision is adverse, the individual will be made aware of the action for recourse.
- If a decision will take longer than 30 days to make, the individual should be made aware of the delay
- Duggan Benefits Inc. will correct any inaccurate personal information or modify policies and procedures based on the outcome of the complaints
- A pattern of complaints in any one area will prompt Duggan Benefits Inc. to identify possible improvements to policies and procedures.
You should inform individuals who make inquiries or lodge complaints of the existence of our relevant complaint procedures.
Avenues of recourse available to complainants
- Company complaint procedures
- The Privacy Commissioner of Canada
The individual accountable may seek external advice before providing response to individual complaints.
Duggan Benefits Inc. will investigate all complaints. If a complaint is justified, appropriate measures will be made to amend our policies and procedures.