
Privacy Information for Producers


Presentation Transcript


  1. Privacy Information for Producers

  2. Agenda
     • PIPEDA
     • Producer Required Privacy Program
     • Our MGA Privacy Program
     • Recommendations for Producers

  3. What Privacy Laws Apply to Us? The Personal Information Protection and Electronic Documents Act (“PIPEDA”), a federal act, governs collections of customer information and producer information. “Substantially similar” legislation in Alberta, BC and Quebec. (Ontario has substantially similar law for health information).

  4. Why is This Important? The confidence and trust that insurers and customers place in you to protect their privacy and the confidentiality of customers’ personal information is critical to your ongoing success.

  5. PIPEDA Summary You must obtain an individual’s consent to collect, use or disclose his/her personal information (“PI”). The person has a right to access it and to challenge its accuracy. PI can only be used for the reasons you collected it. You must get consent for any new use. You must assure individuals that you will protect their PI with specific safeguards like locked cabinets, computer passwords, encryption.

  6. Non-Compliance Individuals can complain to the Office of the Privacy Commissioner of Canada (“OPCC”) about alleged breaches. The OPCC can also initiate a complaint. A person can ask the courts to order you to change your practices or award damages. OPCC can audit you.

  7. Offences It is an offence to:
     • Destroy PI that an individual has requested.
     • Retaliate against an employee who complains or refuses to contravene Sections 5 to 10.
     • Obstruct a complaint investigation or audit by OPCC.

  8. PIPEDA’s 10 Principles
     • Accountability
     • Identify Purposes for Collection
     • Consent
     • Limit Collection of Information
     • Limit Use, Disclosure and Retention of PI
     • Accuracy
     • Safeguards
     • Openness
     • Access
     • Recourse

  9. What is the Producer Required to Do?
     1. Adhere to the 10 PIPEDA Principles;
     2. Establish and maintain a Compliance Program that includes:
     • Appointing a Compliance Officer
     • Written Privacy Policies and Procedures that cover at a minimum
     • Receiving and Processing Access Requests
     • Receiving and Responding to Inquiries/Complaints
     • Safeguarding Information
     • Assessing the Program Regularly
     • Training Staff
     • Privacy Breach Procedures

  10. What Else? Make sure that you develop a consent form that covers the work you do for the customer. Not all information goes to the insurer. Anything you retain and use requires explicit consent. Make sure that the MGA is covered by this consent!

  11. Our MGA’s Privacy Program Our Privacy Policy covers how we handle your PI and your customers’ PI. It is posted on our website and included in contracting packages. Our Compliance Program covers the same elements that you will have to cover in your program.

  12. Appointed Compliance Officer Place Name and Contact Information for MGA Compliance Officer here

  13. MGA Role in Collecting PI We collect customer PI from producers on behalf of insurers and under the consents insurers obtain. We act as an arm of the insurer. We don’t have our own consents for customer PI. Sometimes we collect information on behalf of the producer. Make sure your consent covers our MGA. We collect producer PI directly through the CLHIA screening form, which provides express consent, and any follow-up screening.

  14. Why We Collect and Use Your PI We are required to screen you for suitability initially and on an ongoing basis. We need information for licensing and contracting. We need information in order to pay you.

  15. Requirements for Access Requests When requested, inform individuals if we have any PI about them and provide access. Explain how it is/has been used and provide a list of any organizations to which it has been disclosed. Correct/amend any PI if its accuracy and completeness is challenged and found to be deficient. Provide a copy of the PI requested, or reasons for not providing access, subject to exceptions set out in Section 9 of the Act. Note any disagreement on the file and advise 3rd parties where appropriate.

  16. Our Procedures for Customer Access Requests Ask the requestor to name the insurer(s) involved. Do not volunteer this information as it is actually PI. We do not have an authentication process to determine who is making the request. Notify the PC Officer of the request. The PC Officer should notify the producer and/or insurer(s)’ contact person directly and ask for written instructions on handling any PI in our possession, including whether the information needs to be provided in a certain format, the deadlines for providing the information, etc.

  17. Requirements for Responding to Complaints and Inquiries Develop simple and easily accessible complaint procedures. Inform complainants of their avenues of recourse. These include our MGA's own complaint procedures, those of insurers and industry associations, regulatory bodies and the Office of the Privacy Commissioner of Canada. Investigate all complaints received. Take appropriate measures to correct information handling practices and policies.

  18. Procedures for Handling Customer Complaints and Inquiries Ask the requestor to name the insurer(s) but do not volunteer this information as it is PI. Notify the PC Officer, who should notify the producer and/or insurer(s) involved and ask for written instructions if our assistance is required in providing PI or resolving the complaint. The PC Officer will ask the parties to keep us apprised so that we can record the decision and make any necessary changes to our policies and procedures and close the complaint off in our complaint log.

  19. Procedure for Producer Access Requests and Complaints Privacy Compliance Officer handles all of these as they require special handling because of sensitivity of information.

  20. Privacy Breach Process If you become aware that any PI has been lost, stolen, inadvertently destroyed, or disclosed improperly, notify our PC Officer immediately. This is very serious and requires immediate action.

  21. Privacy Breaches PC Officer may ask you to gather information about the incident. We need to contain the breach immediately and prevent any more PI loss. The PC Officer will assess the breach. Insurers will be notified of any customer PI breaches as they will have to follow their own process.

  22. Self-Assessment of Our Privacy Program At least every two years. Requires gathering evidence of how we comply, including sampling files and testing our systems.

  23. Training At least annually for existing staff. At hiring for new staff.

  24. Regulatory Audits The OPCC can audit if it has “reasonable grounds” to believe you are contravening PIPEDA. Our PC Officer will:
     • direct our response to the audit.
     • be the lead contact with the OPCC.
     • or may ask you to assist in compiling information.
     • prepare you if the OPCC needs to interview you.

  25. Recommendations to Producers Take this seriously. As an independent, you have your own regulatory obligations and risks that you have to manage.

  26. Recommendations to Producers Draft your own Privacy Policy for your customers. Create an inventory of all the PI you collect, why you collect it, where you keep it, how you protect it. Develop your own consent form for the advice and service part of your role. Don’t rely on insurer consents alone. Make sure that you cover off sharing information with the MGA. Use formal documents such as needs analyses, which guide you in asking required, consistent questions and are more likely to result in accuracy. Advocis and other associations have Privacy programs to share. Join a professional association and take advantage of the compliance support they offer.

  27. Safeguards - Recommendations Use encryption for sensitive information. Password protect your computer and all devices. Keep customer PI locked up and away from public view. Ensure that your premises are secure. Have strict fax policies and keep your fax equipment out of public areas. Destroy material no longer needed. Use a shredder. Train your staff.

  28. Questions or Concerns? Contact our Privacy Compliance Officer Name Contact Information
