Privacy Policy
1.0 Policy Statement
SCM Insurance Services Inc. (SCM) has made a commitment to collect, use and disclose personal information in compliance with applicable law and in such a manner that a reasonable person would consider appropriate in the circumstances.
2.0 Scope
This policy governs the collection, use, disclosure and handling of personal information in the course of the commercial activity of SCM, including the following SCM business units:
“SCM” means SCM Insurance Services Inc., and all of its subsidiaries and limited partnerships.
3.0 Introduction
SCM’s commercial activity is subject to applicable privacy legislation. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies when personal information crosses provincial boundaries and in all provinces and territories except Alberta, British Columbia and Quebec. Alberta, British Columbia and Quebec have passed privacy legislation, based on principles similar to those of PIPEDA, that applies in each province. This Policy is based on the principles and rules set out in all applicable privacy legislation.
4.0 Definitions (specific to this policy only)
Personal Information — means information about an identifiable individual, but does not include “Business Card Information.”
Privacy Officer — means the individual or individuals appointed from time to time by SCM to be accountable for SCM compliance with this and related privacy policies.
Publicly Available Information — means information that is deemed to be publicly available as set out in applicable privacy legislation.
Business Card Information – means information about an individual’s working life or profession that is excluded from the definition of personal information in applicable privacy legislation – e.g. name, position name, work address and work telephone number.
Breach of Security Safeguards - means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of SCM’s security safeguards.
5.0 The Privacy Principles
Policy 1 – Accountability
SCM is responsible for all personal information under its control and will designate one or more individuals who will be accountable for the organization's compliance with applicable privacy legislation and its policies and procedures.
The individual appointed to be accountable for SCM compliance will be designated as the Privacy Officer. SCM will appoint an appropriate person in this capacity that has sufficient authority within the organization to ensure compliance.
The Privacy Officer may be contacted as follows:
Name: Keith P. Edwards, FCILA, CLA, FUEDI ELAE
Senior Vice-President, Compliance
Address: 145 King Street West, Suite 620, Toronto, ON M5H 1J8
T: 416-777-4479
E: privacy@scm.ca
SCM will use reasonable means to ensure that personal information is given a comparable level of protection while being processed by a service provider. It will do so by employing due diligence in selecting third parties, contracting with third parties and working with third parties.
SCM currently uses a customer relationship tool that is hosted in the United States and that may be used to transmit and store personal information. SCM employees, contractors and service providers may also work from outside Canada using SCM systems that are hosted in Canada. Service providers are authorized by SCM to collect, use and disclose personal information to facilitate the provision of service.
Policy 2 – Identifying Purposes
SCM will identify the purposes for which SCM collects personal information at or before the time the information is collected from individuals.
SCM may choose to identify such purposes orally or in writing. Written notification will be used whenever practical to do so. Common purposes for collection include:
- verifying the circumstances surrounding loss, damage or injury;
- verifying the amount payable for loss, damage or injury;
- verifying the availability of benefits payable under the policy;
- verifying the circumstances leading to the formation of the insurance contract;
- protecting SCM and/or the insurer and/or the client against inaccuracy;
- protecting SCM and/or the insurer and/or the client against fraud.
SCM may choose to orally explain to individuals the purposes for which personal information is being collected and then simply place a note in the relevant file indicating that this has been done.
SCM will identify any new purposes that arise during the course of dealing with personal information – and obtain prior consent for this new use – even if SCM has already identified certain initial purposes. However, SCM will only do this when the intended new purpose truly constitutes a "new" use (i.e., when the purpose now being proposed is sufficiently different from the purpose initially identified).
Policy 3 – Consent
SCM will obtain the appropriate consent from individuals for the collection, use, or disclosure of their personal information, except where the law provides an exemption.
SCM may obtain express consent for the collection, use, or disclosure of personal information or SCM may determine that consent has been implied by the circumstances. All consent must be informed and obtained fairly without deception.
Express consent is an affirmative authorization given by the individual to SCM, either orally or in writing. Medical assessors retained to assess a claim, for example, ordinarily obtain express consent from claimants.
Implied consent is one in which SCM has not received an affirmative authorization but the circumstances make it reasonable to believe that an individual understands how SCM will collect, use or disclose personal information and has given SCM permission.
Express written consent includes a client:
- signing a consent form;
- providing a letter, claim form or other document authorizing certain activities; and
- providing an authorization electronically (through a computer).
Express oral consent can be given in person or over the telephone. If SCM obtains express oral consent, SCM will make note of that consent in the file.
Subject to legal exceptions, consent may be withdrawn at any time. SCM generally requires such withdrawal to be in writing. There may be serious consequences to failing to provide or withdrawing consent, such as SCM’s inability to properly investigate a claim presented or the circumstances surrounding a liability claim.
Depending on whether a new purpose is identified during the course of dealing with the personal information, SCM may choose to seek a new consent.
Exceptions — there are circumstances set out in applicable legislation that permit SCM to collect, use or disclose personal information without consent. The scope of the exceptions varies in each applicable statute.
Policy 4 – Limiting Collection
The personal information SCM collects will be limited to that which is necessary for the purposes SCM has identified.
SCM will only collect personal information for specific, legitimate purposes. SCM will not collect personal information indiscriminately.
SCM will only collect information by fair and lawful means and not by misleading or deceiving individuals about the purpose for which information is being collected.
SCM policies and procedures relating to the limitations on collection of personal information will be communicated to staff members who collect personal information.
SCM may need to obtain personal information about individuals from third parties, for example, those parties identified in a consent form.
Policy 5 – Limiting Use, Disclosure, and Retention
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. SCM will only retain personal information as long as necessary for the fulfillment of those purposes.
SCM will only use or disclose personal information for legitimate, identified purposes.
SCM will retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.
SCM will establish minimum and maximum retention periods for records containing insured/claimant/client personal information.
Personal information that has been used to make a decision about an individual will be retained long enough to allow the individual access to the information after the decision has been made.
Personal information that is no longer required to fulfill identified purposes will be destroyed, erased, or made anonymous. See Policy 7 – Safeguards.
Policy 6 – Accuracy
The personal information SCM collects will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
SCM will, on an ongoing basis, take reasonable steps to ensure the accuracy and completeness of personal information under its care and control.
Individuals who provide their personal information to SCM must do so in an accurate and complete manner. SCM’s goal is to minimize the possibility that inaccurate information is used to make a decision about any individual whose personal information SCM processes.
The process for ensuring accuracy and completeness will involve:
- initial collection from the insurer or other instructing principal preferably in writing
- contact with the claimant/insured/client or witness and where appropriate, documenting information in a statement or by letter or e-mail
- verifying accuracy as appropriate by contacting third parties (e.g., motor vehicle and driver licensing authorities, police, fire departments, fire marshals, authorities with jurisdiction, insurance brokers, other adjusters and any other party that can substantiate the type and nature of an occurrence or circumstance) including date, time and place of persons who may have been present and which is relied upon by an insured/claimant/client to support their claim for loss, damage or injury
- facilitating assessments that are conducted by competent medical professionals
Policy 7 – Safeguards
SCM will safeguard personal information under its control in a manner that is appropriate to the sensitivity of the information.
SCM will safeguard personal information, regardless of the format in which it is held, against loss or theft, and against unauthorized access, disclosure, copying, use, or modification.
More sensitive information will be safeguarded by a higher level of protection.
In determining what safeguards are appropriate, SCM will consider all relevant factors. For example:
- the sensitivity of the information;
- the amount of information held;
- the format in which the information is held; and
- the foreseeable risks.
When transferring personal information to a third party, SCM will remove or mask any information that is not reasonably needed by the third party.
SCM methods of protection may include:
- physical measures, such as locked filing cabinets and restricted access;
- organizational measures, such as security clearances and limiting access on a "need-to-know" basis;
- technological measures, such as the use of passwords and encryption;
- protocols for keeping physical files secure during travel;
- protocols for conducting work remotely;
- rules governing use of passwords and log in information; and
- regular communication to employees and others to support data security.
SCM will ensure that the policies and procedures on safeguarding personal information are reasonably communicated and accessible to employees by:
- training staff on the subject of personal information protection; and
- having periodic staff meetings in which SCM will review the procedures and revise where appropriate.
SCM will take reasonable precautions in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information. These measures may include securely shredding physical documents and deleting electronically stored information in a manner that prevents it from being readily recovered.
All employees must promptly report any known or suspected Breach of Security Safeguards (all “incidents”) to the Privacy Officer. SCM will investigate all reports and respond appropriately with a view to understanding incidents, containing them, mitigating the potential for harm and improving safeguarding practices to prevent future incidents.
SCM will notify individuals and regulators of a Breach of Security Safeguards in accordance with applicable laws and regulations and otherwise will notify individuals when it concludes that an incident gives rise to a real risk of significant harm.
Policy 8 – Openness
SCM will make readily available to individuals specific information about the policies and procedures relating to the management of personal information which is under the Corporation’s control.
Individuals will be able to inquire about the policies and procedures without unreasonable effort.
All staff members will be aware of who the Privacy Officer is so that members of the public can easily be informed.
SCM may choose to make information about the policies and procedures available in a variety of ways, for example:
- mailing out information;
- establishing a primary section on their website;
- establishing a toll-free telephone number; or
- establishing standardized wording to be included in letters and e-mails to the insured/claimant/client as part of their first written communication.
The information SCM makes publicly available will include:
- the name or title, and the address of the Privacy Officer;
- the means of gaining access to personal information held by the corporation;
- a description of the type of personal information held by SCM and a general account of its use;
- written information that explains the policy; and
- a general list of the kinds of personal information made available to other organizations (i.e., insurance companies and other third parties).
Policy 9 – Individual Access
Upon request, an individual will be informed of the existence, use, and disclosure of his or her personal information which is under SCM control, and may be given access to, and challenge the accuracy and completeness of that information in accordance with applicable law.
SCM will act as agent of the insurer or administrator of a self-insured plan and where a written request is made by an individual to be informed of whether or not SCM holds personal information about him or her, SCM should immediately refer that inquiry to their instructing principal and ask for instructions.
To the extent that SCM is not an agent for a principal, upon written request, an individual will be informed as to whether or not SCM holds personal information about him or her. If SCM does hold such personal information, upon written request, SCM will provide access to the information, as well as a general account of its use in accordance with applicable law.
The manner in which access will be given may vary, depending on the format in which the information is held (i.e., hard copy or electronic), the amount of information held and other factors. SCM may provide original source information but not documentation that merely repeats or incorporates the information in our internal work product.
Upon written request, SCM will provide a list of third parties to whom SCM may have disclosed an individual's personal information. If SCM is unsure exactly which third parties may have received the information, SCM will provide a list of third parties likely to have received the information.
Individuals will be required to provide sufficient information to SCM to permit the corporation to provide an account of the existence, use and disclosure of personal information.
The procedure for making a request is as follows:
- All requests must be made in writing.
- SCM will respond to a request within 30 days after receipt of the request, unless SCM first advises the person that SCM needs a longer period to respond.
- Reasons – If SCM refuses a request, SCM will inform the individual in writing of the refusal, explaining the reasons and any recourse the individual may have, including the possibility that they may file a complaint with the Privacy Commissioner of Canada or provincial Privacy Commissioners.
- Deemed refusal – Notwithstanding sub-paragraphs (2) and (3), if SCM does not respond within the above time limit, SCM will be deemed to have refused the request.
- Costs for responding – SCM may require payment of a modest fee to cover administrative costs associated with preparing a response (and do so in accordance with applicable law).
There are also exceptions in applicable privacy legislation that may allow or require SCM to deny access. For example, applicable legislation may allow SCM to deny access when:
- personal information about another person might be revealed;
- commercially confidential information might be revealed;
- someone's life or security might be threatened;
- the information was collected without consent for the purposes related to an investigation of a breach of an agreement or contravention of the law; or
- the information was generated during the course of a formal dispute resolution process.
Policy 10 – Challenging Compliance
An individual may address a challenge concerning compliance with the above policies and procedures to the Privacy Officer.
Upon request, individuals who wish to inquire or file a complaint about the manner in which SCM handled their personal information – or about SCM’s personal information policies and procedures – will be informed of their applicable complaint procedures.
To file a complaint, an individual must notify SCM in writing providing basic information and a description of the nature of the complaint.
The procedure for filing a complaint about SCM is as follows:
- a written request must be filed with the Privacy Officer;
- SCM will acknowledge the complaint right away;
- SCM will assign someone to investigate;
- SCM will give the investigator unfettered access to files and personnel, etc.;
- SCM will clarify facts directly with the complainant, where appropriate; and
- SCM will advise the complainant in writing of the outcome of their investigation, including any steps taken to rectify the problem, if applicable.
SCM will document all complaints, as well as the actions in response to complaints, by noting these details in the individual's file and also in a master privacy file.
6.0 Revision History
Feb 1, 2022 - Keith Edwards - Policy Reviewed.