To ensure that:
- PPI (including PPI Partners doing business as PPI Advisory, PPI Solutions Inc. and PPI Benefits) is in compliance with regulatory and self-regulatory requirements regarding Privacy (“Regulations”);
- PPI Privacy obligations are handled in a professional manner, in a secure environment and appropriately monitored.
At PPI, our Advisors and their clients are our business. As a financial services company, we are trusted with some of their clients’ most sensitive personal information. We must respect that trust, and we need those clients to be aware of our commitment to protect the information they provide in the course of doing business with us.
There are 10 principles that we must follow to be in compliance with PIPEDA.
- Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
- Identifying Purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
- Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information.
- Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
- Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law. Personal information shall be retained only as long as necessary for fulfillment of those purposes.
- Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
- Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- Individual Access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals for the organization's compliance.
The Act is applicable to personal information only. However, it has been suggested that, in keeping with the spirit of the law, PIPEDA should also be applied to information obtained on closely-held corporations, which would be most, if not all, corporate clients.
PPI Privacy Officer
Kim Russell, Director, Compliance is the Privacy Officer and all inquiries / complaints shall be directed to her at: firstname.lastname@example.org
Information Collection and Use
We collect the information required for us to complete the task for which we are engaged, whether that is insurance or money products. This information is collected on the insurance company applications and may also be collected prior to and during the underwriting process.
The consent for us to establish a file and collect and maintain personal information is to be obtained by the advisor, signed by the client and placed in the client file.
Protection of Personal Information
As the principals, management and employees of PPI, we are granted access to client information and must understand the need to keep the information protected and confidential. Our training procedures clearly communicate that we are to use the information only for the intended purpose(s). When hired, all PPI employees initial a non-disclosure/confidentiality clause that is included in their offer letter.
The PPI Data Centres are physically protected by actively monitored alarm systems, key card access and intermittent building security patrols. PPI uses the latest-generation firewall technology with application-level inspection, Advanced Malware Protection and an Intrusion Prevention System (IPS) to protect PPI from threats coming from the Internet. Servers and services within the Data Centres have active monitoring and alerting, with 24/7 paging to members of the PPI Network Team on a rotating on-call basis.
Retention of Personal Information
Personal information will be retained on file as long as is necessary to facilitate the underwriting and ongoing administration of the policy or as long as is legally required.
Clients may request copies of our privacy policies and procedures at any time.
Clients may request access to their information. We must respond to this request as quickly as possible, and no later than 30 days after the receipt of the request.
Clients may withdraw their consent at any time by contacting our Privacy Officer. However, they will be made aware that failure to provide adequate information may prevent us from completing the task for which we were engaged.
Exceptions to client access
Organizations must refuse an individual access to personal information:
- if it would reveal personal information about another individual unless there is consent or a life-threatening situation
- if the organization has disclosed information to a government institution for law enforcement or national security reasons. Upon request, the government institution may instruct the organization to refuse access or not to reveal that the information has been released. The organization must refuse the request and notify the Privacy Commissioner. The organization cannot inform the individual of the disclosure to the government institution, or that the institution was notified of the request, or that the Privacy Commissioner was notified of the refusal.
Organizations may refuse access to personal information if the information falls under one of the following:
- solicitor-client privilege
- confidential commercial information
- disclosure could harm an individual’s life or security
- it was collected without the individual’s knowledge or consent to ensure its availability and accuracy, and the collection was required to investigate a breach of an agreement or contravention of a federal or provincial law (the Privacy Commissioner must be notified)
- it was generated in the course of a formal dispute resolution process.