Privacy & Compliance
On January 1, 2004, the federal government enforced legislation governing how commercial companies collect, use and disclose an individual’s personal information. The federal rules apply in those provinces where provincial legislation of a “substantially similar nature” does not exist. All private sector companies in Canada, including insurance companies and consultants, are governed by the Act or by similar provincial legislation.
Bill C-6, also known as PIPEDA, is the Personal Information Protection and Electronic Documents Act. It stipulates that consent must be given for the collection, use or disclosure of an individual’s personal information. The individual has the right to access personal information held by an organization and to challenge its accuracy. Personal information can only be used for the purposes for which it was collected; otherwise, consent must be again obtained from the individual for each distinct purpose.
PIPEDA will affect the type of information that can be given by insurers to employers or to consultants/brokers. It will also affect the type of information that can be required by insurers and the methods of physical protection and retention of personal information. The means for establishing identity must be enhanced (i.e.: PIN or password when requesting information over the telephone). All files with personal information (both paper and electronic) must be sealed, locked up or encrypted.
Member consent should be obtained before or at the time of collection of personal information such as:
- when an employee enrolls for benefits or submits a claim form
- when a transaction or relationship is initiated (when a member dependent accepts a drug card to use for direct transactions)
Most insurers have updated their enrollment forms to include the existing authorization and a new confidentiality section above the employee’s signature. These forms should be used and can generally be downloaded from the insurer’s website. For existing plan members, the insurer can use “implied consent” and can disclose appropriate information.
Traditionally, insurers have provided employers with detailed reports on everything from health and dental claim activities, drug utilization, incidence of disability, etc. Under PIPEDA, these reports can no longer include any identifying information about specific employees. Information will be limited to aggregate, non-identifying data. For small groups, this could be even more limited, as identification is often possible through deductive reasoning. Therefore, employers will get less information to manage their disability, health or dental plan.
Generally, an employer has to justify the need to obtain any medical or personal information from a third party, such as a hospital, medical clinic, and insurer. The need has to be evaluated within the context of the purpose of the request. It is an accepted fact that the medical diagnosis of an employee is not considered information that an employer needs to effectively manage through human resources, barring special circumstances such as reasonable grounds to suspected fraud or abuse. Most health specialists are bound by a code of ethics for their profession. Consequently, these specialists will not provide any information without obtaining the informed consent of the patient regarding transmission of medical data to the patient’s employer. The quantity and nature of information may also be restricted.
As our client, you trust us with your personal information. We value that trust and want you to be aware of our commitment to protect the information you share in the course of doing business with us.
Why we collect, use and retain your personal information
When you do business with us, you share personal information so that we may provide you with the products and services that best meet your needs. We assume your consent to our firm to use this information in an appropriate manner. We may use and disclose this information to:
- Communicate with the client and employees in a timely and efficient manner
- Assess your application for insurance, investment, and other services available to the company
- Evaluate claims and underwriting risks when required
- Analyze business results and claims utilization
- Act as required or authorized by the Law
What we will NOT do with your information
We never give client information to anyone, nor do we share client information with organizations outside our relationship with you that may use it to contact you about their own product or services.
How we collect your personal information
We will collect most personal information directly from you. However, you may occasionally instruct us to collect additional personal information from a third party, such as your accountant, your lawyer, your attending physician, etc. This authorization allows us to do so when directed by you in the course of conducting your insurance or investment business. All employees, associated advisors, suppliers and third-party administrators who are granted access to client records understand the obligation to keep this information protected and confidential, and to use the information only for the purposes intended.
We will protect your personal information
We will make every effort to protect your personal information while it is in our care. You may withdraw your consent at any time (subject to legal or contractual obligations and on providing reasonable notice to us). Please be aware that withdrawing your consent may prevent us from providing you with requested products and services or lead to terminating our relationship. We may occasionally use your personal information to advise you of products or services we believe may be of interest to you or fit your personal circumstances. Please advise us if you prefer to not receive this type of communication.
Communicating with you
In the course of doing business with you we may communicate by phone, email, or fax. If you have provided us with phone, email or fax contacts, we will assume that it is appropriate to use these methods to reach you. However, please advise us if you do not want personal information communicated using these methods
If you or an employee is concerned about the communication method, we strongly advise a phone call before any information is exchanged. For more information, please contact our Client Relations & Marketing Manager, Carolyn Begin, by phone (403) 262-7278 or by firstname.lastname@example.org.