All organizations collecting, using, or disclosing personal information in Canada throughout the course of commercial activities must comply with the Personal Information Protection and Electronic Documents Act (the “Act”). The Act requires the individual’s consent to the collection, use, and disclosure of personal information. These obligations extend to Managing General Agents in Canada and will continue to apply where personal information is transmitted outside of Canada.
The Act defines personal information as any information about an identifiable individual. This encompasses any information that identifies an individual or with which their identity could be deduced. However, personal information does not include the name, business title, business address or business telephone number of an employee of an organization.
All SSRU employees (including temporary and independent contract staff) are responsible for maintaining the privacy, confidentiality, and security of all personal information they collect, use, maintain or disclose. To ensure this accountability, SSRU has developed this policy and trained its staff about the policies and practices outlined herein.
During its operations as a Managing General Agency, SSRU only collects, uses, and discloses Personal Information for the following purposes:
- provide insurance products and related services;
- administer client databases;
- underwrite and price insurance coverage;
- investigate, evaluate, manage and administer claims and claim payments;
- reinsure insurance risks;
- determine and verify identity;
- detect and prevent fraud;
- monitor and investigate transactions;
- analyze business operations and results;
- provide information of interest to clients;
- compiling statistics; and
- complying with the laws or the requests of law enforcement agencies or regulators
SSRU collects information only through lawful, fair means and not in an unreasonably intrusive way. Wherever possible SSRU collects personal information directly from insurance brokers or from the client, both at the commencement of the underwriting process and throughout the term of the relationship.
SSRU may also obtain information about clients and others from other sources, such as:
- another insurance company, broker or adjuster;
- insurance or reinsurance associations;
- from a government agency or registry; or
- other reinsurance companies and other financial institutions.
SSRU shall ask clients to provide explicit consent if it collects, uses, or discloses their personal information, or shall rely upon the express consents obtained by its insurance brokers. Although SSRU may ask for consent in writing in most circumstances, in some circumstances it may accept verbal consent. Sometimes, consent may also be implied through conduct with SSRU.
In seeking consent, SSRU shall apprise the client of the purposes for which collection, use, and disclosure are taking place as further discussed below.
SSRU uses personal information for the reasons listed above under the heading “Why does SSRU collect personal information from clients and brokers?”.
If SSRU is notified that a client no longer wishes to receive information regarding products, services or other information of interest to clients, SSRU shall not send to the client any further materials of this nature.
Except for disclosure to SSRU’s capacity carriers, SSRU does not disclose personal information to any third party to enable them to market their products and services. SSRU does not provide its client mailing lists to other insurance companies or intermediaries.
Under certain circumstances, SSRU will disclose personal information:
- when required by law to do so, for example if a court issues a subpoena;
- when the individual in question has consented to the disclosure;
- when the insurance products and services provided requires SSRU to give personal information to third parties (for example, to a broker in an insurance transaction or a reinsurer in a reinsurance transaction) the consent will be implied, unless we are advised otherwise;
- where it is necessary to establish or collect premiums or other amounts owing to SSRU;
- if the information is already publicly known.
In the event of a sale, financing, merger, or other fundamental business transaction affecting SSRU’s business or its assets, SSRU may disclose personal information to the potential transaction counterparties and their professional advisors; however, this disclosure will be subject to confidentiality restrictions and will be limited to disclosure for the purpose of evaluating and closing the transaction. Any successor to SSRU’s business may continue to use and disclose the personal information that it receives from SSRU for the purposes outlined this policy unless the successor obtains consents to new purposes for the use and disclosure of this information.
SSRU takes all reasonable precautions to ensure that personal information is kept safe from loss, unauthorized access, modification, or disclosure. Among the steps taken to protect personal information are:
- premises security;
- restricted file access to personal information;
- deploying technological safeguards like security software and firewalls to prevent hacking or unauthorized computer access; and
- internal password and security policies.
SSRU takes the security of personal information seriously and takes appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Although we take appropriate measures to protect the security of the information communicated through our website, no Internet-connected computer system can be made absolutely secure from intrusion. Therefore, we cannot and do not guarantee that information communicated to us will be received or that it will not be altered before or after its transmission to us.
An individual may ask for access to any personal information SSRU holds about them. Any questions, or requests for access to personal information, should be directed in writing to SSRU’s Privacy Officer email@example.com
Summary information is available on request. More detailed requests which require archive or other retrieval costs may be subject to appropriate fees.
However, an individual’s rights to access their personal information are not absolute. SSRU may deny access when:
denial of access is required or authorized by law;
information relates to existing or anticipated legal proceedings;
when granting access would have an unreasonable impact on other people’s privacy;
when to do so would prejudice negotiations with the individual;
to protect SSRU’s rights and property; or
where the request is frivolous or vexatious.
If we deny a request for access to, or refuse a request to correct information, we shall explain why.
SSRU does not use Social Insurance Numbers as a way of identifying or organizing the information we hold about clients or others.
Whenever it is legal and practicable, SSRU may offer the opportunity to deal with general inquiries without an individual providing a name (for example, by accessing general information on our website).
SSRU shall retain personal information for as long as necessary to fulfill the purposes for which it was collected and to comply with legal and regulatory requirements. When personal information is no longer required, we will securely destroy or de-identify it in accordance with PIPEDA and other applicable privacy laws.
Clients and brokers shall be made aware that email is not a 100% secure medium to send personal or confidential information when contacting us.
Although the Act does not apply to SSRU’s employee information, SSRU has elected to follow privacy “best practices” in this area. If an individual applies to SSRU for employment, personal information will need to be considered as part of the review process. SSRU will normally retain information from employment candidates after a decision has been made, unless specifically asked not to retain the information. If an applicant is offered a job, and they accept, the information will be retained in accordance with SSRU’s privacy procedures for employee records.