The Wawanesa Mutual Insurance Company (“Wawanesa”) is committed to protecting the personal information of its Customers. The Company has developed this Personal Information Protection Policy (the “Policy”) to provide information regarding the Company’s approach to the management and control of personal information collected in the course of its business.
This Policy, in compliance with all applicable privacy legislation, including without limitation the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), British Columbia’s Personal Information Protection Act, Alberta’s Personal Information Protection Act, and Quebec’s An Act respecting the protection of personal information in the private sector (collectively, the “Privacy Laws”), addresses two broad issues:
Wawanesa strives to balance its Customers’ right of privacy concerning their personal information with its own need to collect, use or disclose personal information in the course of its business.
The ten interrelated principles set out in PIPEDA (the “Privacy Principles”) form the basis of this Policy. Each principle is accompanied by a commentary that elaborates on the principle. To the extent that this Policy:
The following definitions apply in this Policy:
“Collection” means the act of gathering, acquiring or obtaining personal information from any source, including third parties, by any means. Personal information necessary to carry on its business may be collected by Wawanesa, its agents and brokers, or their authorized agents.
“Consent” means voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of Wawanesa. Implied consent arises where consent may reasonably be inferred from the action or inaction of the Customer. For further information, please refer to the commentary accompanying Principle Three.
“Customer” means an individual about whom Wawanesa collects personal information in order to carry on its business and includes individuals who are insureds, former insureds, applicants, claimants, individuals involved in a claim, and individuals insured as part of a group or corporate policy.
“Personal information” has the meaning ascribed to it by the Privacy Laws and related regulations, and includes an individual’s name, address, telephone number, date of birth, family status, marital status, occupation, medical and health records, assets, liabilities, income, credit rating, credit history, credit and payment records, banking information, previous insurance experience (including claims history), and driving record, as well as information concerning whether or not credit was previously extended or refused to the individual.
|1.||PRINCIPLE ONE: ACCOUNTABILITY|
|Wawanesa is responsible for personal information under its control and shall designate an individual or individuals who are accountable for Wawanesa’s compliance with the Privacy Principles.|
|1.1||The individual designated to oversee Wawanesa’s compliance with this Policy is:
Senior Vice President and Chief Risk Officer
The Wawanesa Mutual Insurance Company
Winnipeg, Manitoba R3C 3P1
(the “Designated Individual”)
|1.2||Accountability for Wawanesa’s compliance with this Policy rests with the Designated Individual, even though other individuals within Wawanesa may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within Wawanesa may be delegated to act on behalf of the Designated Individual.|
|1.3||Wawanesa is responsible for personal information in its possession or custody, including information that has been transferred to a third party service provider for processing or storage. In such circumstances, Wawanesa will provide only the information necessary to perform such services and will use contractual or other means to provide a comparable level of protection while information is being processed or stored by the third party service provider. In the event that the third party service provider is located in a foreign jurisdiction, it is bound by the laws of that jurisdiction, which may require it to disclose personal information to the courts, law enforcement agencies, or national security authorities of the jurisdiction. Information concerning Wawanesa’s policies and practices with respect to service providers outside Canada may be obtained from Wawanesa’s website or by contacting the Designated Individual.|
|1.4||Wawanesa has implemented and will maintain policies and procedures to give effect to the Privacy Principles, including the following:
procedures to protect personal information; and
procedures to receive and respond to complaints and inquiries.
has developed information to explain Wawanesa’s policies and procedures; and
trains staff and provides them with information about Wawanesa’s policies and procedures.
|2.||PRINCIPLE TWO: IDENTIFYING PURPOSES|
|The purposes for which personal information is collected shall be identified by Wawanesa before or at the time the information is collected.|
|2.1||Wawanesa will collect personal information only for the purposes of:
establishing and maintaining communications with Customers;
underwriting risks on a prudent basis (i.e. assessing application(s) for insurance, including renewals, and underwriting policies);
investigating, evaluating and paying claims;
detecting and preventing fraud;
providing disclosure to property and casualty insurance industry service providers, as dictated by prudent insurance practices;
offering and providing property and casualty insurance products and services to meet Customer needs;
compiling statistics and analyzing business results; and
acting as required or authorized by law.
Wawanesa takes a global approach to these purposes. In other words, Wawanesa is not collecting personal information just for any one of the purposes (e.g. underwriting a policy). Instead, Wawanesa is collecting the personal information for all of the purposes so that, in effect, a Customer can expect that although Wawanesa may initially use the data for underwriting a policy, it may later use it for claims purposes, and vice versa.
|2.2||Wawanesa understands that, in collecting information for the purposes referred to in principle 2.1, Wawanesa or its designates may collect only that information which is necessary for such identified purposes.|
|2.3||The identified purposes will be communicated to Customers or other persons from whom the personal information is being collected. This may be done orally or in writing (e.g. on an application form, or through pamphlets or other suitable media).|
|2.4||When personal information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified before use. Unless the new purpose is required by law, the consent of the Customer will be obtained before the information is used for that purpose.|
|2.5||Individuals collecting personal information on behalf of the Company are able to explain to Customers the purposes for which the information is being collected.|
|3.||PRINCIPLE THREE: CONSENT|
|The knowledge and consent of the Customer are required for the collection, use, or disclosure of personal information, except where inappropriate.|
|3.1||The Customer’s “knowledge and consent” are required for the collection, use, or disclosure of personal information. Accordingly, Wawanesa will make a reasonable effort to ensure that the Customer is advised of the purposes for which the information will be used. The purposes will be stated in a manner that can be reasonably understood by the Customer.|
|3.2||Consent is required for the collection of personal information and the subsequent use or disclosure of this information. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use.|
|3.3||Wawanesa will not, as a condition of the supply of a product or service, require a Customer to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes. Wawanesa may refuse to deal with a Customer who will not consent to the collection, use and disclosure of the information for the explicitly specified and legitimate purposes. For example, Wawanesa provides insurance at specified rates and on certain terms and conditions based on, among other things, analysis of an individual’s personal information, including date of birth, address and claims history. If this information is not obtained, Wawanesa cannot determine the basis for insurance coverage and, therefore, cannot provide insurance to the Customer. Consent will not be obtained through deception.|
|3.4||A Customer can reasonably expect that Wawanesa will use personal information in determining the Customer’s insurability and in adjusting the Customer’s claim. On the other hand, a Customer would not reasonably expect Wawanesa to give accident information to car sales companies to solicit new car purchases if the Customer’s car had incurred extensive damage in an accident.|
Where Wawanesa seeks express consent, it can be given in many ways. For example,
an application form may be used to seek consent, collect information and inform the Customer of the use that will be made of the information. By completing and signing the form, the Customer is giving consent to the collection and the specified uses;
a checkbox on a form may be used to allow Customers to request that their names and addresses not be given to other organizations for marketing purposes. Customers who do not place a mark in the checkbox are assumed to consent to the transfer of this information to third parties;
consent may be given orally when information is collected over the telephone;
consent may be given by agreement; and
consent may be given by action on the part of the Customer (for instance, by using, acquiring or accepting a product or service).
|3.6||Consent can be given by an authorized representative (such as a person having a power of attorney, or a legal guardian). Consent can also be given by an individual on behalf of another individual. For example, where individuals apply for automobile insurance for themselves as well as for their family members, such applicants are giving consent for the collection, use and disclosure of personal information both for themselves and for their family members, even though their family members are not present during the application process. A similar situation arises where an employer, on behalf of its employees, applies for or renews a group or fleet insurance policy which provides insurance benefits to the employees. The employer is giving consent for the collection, use and disclosure of personal information for the employees, even though the employees are not present during the application or renewal process.|
|3.7||Wawanesa’s business has certain unique features which make express consent impossible to obtain in some circumstances. For instance,
as a convenience to its Customers, Wawanesa often provides insurance or amendments to existing policies over the telephone, on short notice and with little written documentation. In these circumstances, it is impossible for Wawanesa to obtain express written consent from Customers;
Wawanesa, when it operates through independent brokers, does not have a direct relationship with its Customers and therefore is not able to obtain their express consent; and
Wawanesa has a legal duty to defend its policyholders against claims made by third party claimants. In such situations, Wawanesa and the third party claimants are adverse parties. In order to fulfill its obligations to its policyholders, Wawanesa must collect, use and disclose personal information about such third party claimants that is relevant to the claim, even if the third party claimants have not given their consent.
Given these constraints, it is reasonable for Wawanesa to infer that by dealing with it on insurance related matters (e.g. by using, acquiring or accepting a product), Customers have given implied consent for the collection, use or disclosure of personal information necessary for the identified purposes (see principle 2.1).
|3.8||In limited circumstances, personal information can be collected, used or disclosed without the knowledge and consent of the Customer. For example, legal, medical or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the Customer might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the Customer is a minor, seriously ill, or mentally incapacitated. In addition, where there is no direct relationship with the Customer, Wawanesa may not always be able to seek consent. However, when certain types of information are being collected, such as medical or hospital records, employment records or income tax records, Wawanesa will obtain express consent from the Customer.
The following are situations specific to Wawanesa’s business where consent is not required for the collection, use and disclosure of personal information:
collection of personal information for the detection and prevention of fraud; and
compliance with subpoenas, search warrants, and other court or government orders.
In either of these situations, obtaining consent might defeat the purpose of collecting the information.
Duty to Defend
Wawanesa will transfer the personal information of Customers to lawyers retained by Wawanesa pursuant to the contractual obligation in the insurance policy to defend legal actions against its insureds.
In exceptional circumstances, Wawanesa may, under a public duty, disclose personal information to appropriate authorities in matters of significant public interest.
Medical and Other
Where the Customer is a minor, seriously ill, or mentally incapacitated, seeking consent may be impossible or inappropriate.
|3.9||In certain situations, the express written consent of the Customer will be obtained for the collection, use or disclosure of personal information (e.g. medical or hospital records, employment records or income tax returns).|
|3.10||Consent is valid for the length of time needed to achieve the identified purposes. The Customer may withdraw consent on reasonable notice, subject to legal or contractual restrictions and the requirement that Wawanesa maintain the integrity of the statistics and data necessary to carry on its business.|
|3.11||Any restriction or withdrawal of the Customer’s consent may result in Wawanesa being unable to provide the Customer with the product or service being applied for, or having to terminate the policy.|
|4.||PRINCIPLE FOUR: LIMITING COLLECTION|
|The collection of personal information shall be limited to that which is necessary for the purposes identified by Wawanesa. Information shall be collected by fair and lawful means.|
|4.1||Wawanesa will not collect personal information indiscriminately. Both the amount and the type of information collected will be limited to that which is necessary to fulfill the purposes identified. Wawanesa obtains personal information primarily from insurance Customers, but also from others, including other property and casualty insurers (i.e. insurers licensed in Canada to write any class of insurance other than life insurance), brokers, and underwriting or claims information networks. Wawanesa will specify the type of information collected as part of its information handling practices in accordance with Principle Eight.|
|4.2||The Company will not obtain consent with respect to collection through deception. The Company will not mislead or deceive individuals about the purposes for which information is being collected.|
|5.||PRINCIPLE FIVE: LIMITING USE, DISCLOSURE AND RETENTION|
|Personal information shall not be used or disclosed for purposes other than those for which the information was collected, except with the consent of the Customer or as required by law. Personal information shall be retained for only as long as necessary for the fulfillment of those purposes.|
|5.1||There are situations specific to its business where Wawanesa may provide personal information to others, as dictated by prudent insurance practices. Examples of such situations include the following:
Risk-Sharing. As part of the underwriting and claims handling process, Wawanesa may transfer personal information to other insurance companies, including reinsurance companies which share in the risk. This would include situations where the Customer has made a fraudulent application for, or renewal of, a policy of insurance.
Information Services. Wawanesa may transfer personal information to providers of information processing and storage, programming, printing, mailing and distribution services for underwriting, claims, classification and rating purposes.
Insurance Services. Wawanesa may provide personal information to businesses that provide goods and services to insurance companies and/or their Customers, such as loss control managers and claims adjusters.
Insurance Intermediaries. Wawanesa may provide personal information to its insurance intermediaries, such as brokers and agents.
In these situations, the third parties will be provided with only the information appropriate to the circumstances.
|5.2||If Wawanesa uses personal information for a new purpose, it will document this purpose.|
|5.3||Wawanesa has implemented and will maintain policies and procedures with respect to the retention of personal information, including minimum and maximum retention periods. Personal information that has been used to make a decision about a Customer will be retained for a sufficient period to permit the Customer access to the information after the decision has been made. Wawanesa may be subject to legislative requirements with respect to retention periods.|
|5.4||Personal information that is no longer required to fulfill the identified purposes will be destroyed, erased or made anonymous. Wawanesa has implemented and will maintain guidelines and procedures to govern the destruction of personal information.|
|6.||PRINCIPLE SIX: ACCURACY|
|Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.|
|6.1||The extent to which personal information will be accurate, complete and up-to-date will depend upon the use of the information, taking into account the interests of the Customer. Information will be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the Customer.|
|6.2||Wawanesa will not routinely update personal information unless it is necessary to fulfill the purposes for which it was collected.|
|6.3||Personal information that is used on an ongoing basis, including information that is disclosed to third parties, will generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.|
|7.||PRINCIPLE SEVEN: SAFEGUARDS|
|Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.|
|7.1||Wawanesa’s security safeguards protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Wawanesa protects personal information regardless of the format in which it is held.|
|7.2||The nature of the safeguards varies depending on the sensitivity of the information that has been collected, the amount, distribution and format of the information and the method of storage. More sensitive information is safeguarded by a higher level of protection.|
|7.3||The methods of protection include the following:
physical measures, such as locked filing cabinets and restricted access to offices;
organizational measures, such as security clearances and limiting access on a “need to know” basis; and
technological measures, such as the use of passwords and encryption.
|7.4||Wawanesa makes its employees aware of the importance of maintaining the confidentiality of personal information.|
|7.5||Care is used in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.|
|8.||PRINCIPLE EIGHT: OPENNESS|
|Wawanesa shall make readily available to Customers specific information about its policies and practices relating to the management of personal information.|
|8.1||Wawanesa is open about its policies and practices with respect to the management of personal information. A Customer will be able to acquire information about Wawanesa’s policies and practices without unreasonable effort. This information will be made available in a form that is generally understandable.|
|8.2||The information made available will include the following:
the contact information of an individual to whom complaints or inquiries, including inquiries concerning
Wawanesa’s collection of personal information; or
the collection, use, disclosure or storage of personal information by service providers outside Canada on Wawanesa’s behalf;
can be forwarded;
the means of gaining access to personal information held by Wawanesa;
a description of the type of personal information held by Wawanesa, including a general account of its use;
a copy of any brochures or other information explaining Wawanesa’s policies, standards or procedures; and
what personal information is made available to related organizations such as subsidiaries.
|8.3||Wawanesa may make information concerning its policies and practices available in a variety of ways. For example, Wawanesa may choose to make brochures available at its (or its brokers’) places of business, mail information to its Customers, provide online access, or establish a toll free telephone number.|
|9.||PRINCIPLE NINE: CUSTOMER ACCESS|
|Upon written request, a Customer shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. A Customer shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.|
|9.1||Upon written request, Wawanesa will inform a Customer whether or not it holds personal information about the Customer. Subject to certain exceptions, as noted above, Wawanesa will allow the Customer access to this information. However, Wawanesa may choose to make sensitive medical information available through a medical practitioner. In addition, Wawanesa will provide an account of the use that has been made, or is being made, of this information, as well as an account of the third parties to which it has been disclosed.|
|9.2||Wawanesa will respond to a Customer’s request within a reasonable time and at minimal or no cost to the Customer. The requested information will be provided or made available in a form that is generally understandable. For example, if Wawanesa uses abbreviations or codes to record information, an explanation of their meaning will be provided.|
|9.3||A Customer may be required to provide sufficient information to permit Wawanesa to provide an account of the existence, use, and disclosure of personal information. The information provided will only be used for this purpose.|
|9.4||In providing an account of the third parties to which it has disclosed personal information about a Customer, Wawanesa will attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about a Customer, Wawanesa will provide a list of organizations to which it may have disclosed such information.|
|9.5||When a Customer successfully demonstrates the inaccuracy or incompleteness of personal information, Wawanesa will amend the information as required. Depending upon the nature of the information challenged, amendment could involve the correction, deletion or addition of information. Where appropriate, the amended information will be transmitted to third parties having access to the information in question.|
|9.6||In certain situations, Wawanesa may not be able to provide access to all the personal information it holds about a Customer. Exceptions to the access requirement shall be limited and specific. The reasons for denying access shall be provided to the Customer upon request. Exceptions may include prohibitive cost, personal information that contains references to other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
If the request is denied, the Customer will be given reasons for the denial, as well as
an invitation to send a letter to Wawanesa’s President & CEO requesting reconsideration of such denial;
a commitment by Wawanesa to promptly open a dialogue with the Customer; and
a commitment by Wawanesa to participate in an independent mediation process, should the parties be unable to resolve the dispute.
|9.7||When a challenge is not resolved to the satisfaction of the Customer, the substance of the unresolved challenge will be recorded by Wawanesa. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.|
|10.||PRINCIPLE TEN: CHALLENGING COMPLIANCE|
|A Customer shall be able to challenge Wawanesa’s compliance with the Privacy Principles.|
|10.1||The Designated Individual is accountable for Wawanesa’s compliance with the Privacy Principles.|
|10.2||Wawanesa has implemented and will maintain procedures for receiving and responding to complaints or inquiries about its policies and practices relating to the handling of personal information. The complaint process is available at Wawanesa’s website and at its place of business.|
|10.3||Wawanesa will inform Customers who make inquiries or lodge complaints of the existence of relevant complaint mechanisms. A range of these mechanisms may exist. For example, some regulatory bodies accept complaints about the personal information handling practices of the companies they regulate.|
|10.4||Wawanesa will investigate all complaints. If a complaint is found to be justified through either the internal or external complaint review process, Wawanesa will take appropriate measures, including amending its policies and practices, if necessary.|
|10.5||Customers who are dissatisfied with the manner in which their complaints have been handled may contact the appropriate public official designated in relevant provincial legislation, or if none, the Privacy Commissioner of Canada.|