1.1 The individual appointed to be accountable for QA Adjusting Company compliance will be known as our Privacy Officer. We will then appoint an appropriate person in this capacity who has sufficient authority within the organization to ensure compliance.
1.2 We will use reasonable means to ensure that the insured/claimant personal information is given a comparable level of protection while being processed by a third party.
2. Identifying Purposes:
2.1 We will identify the purposes for which we collect personal information of affected individuals at or before the time of collection.
2.2 We may choose to identify such purposes orally or in writing. Written notification will be used whenever practical to do so or this handbook may be used to identify such purposes. Common purposes for collection include:
- Verifying the circumstances surrounding the loss;
- Verifying the amount payable for the loss;
- Verifying the availability of benefits payable under the policy;
- Verifying the circumstances leading to the formation of the insurance contract;
- Protecting QA Adjusting Company and/or the insurer against inaccuracy;
- Protecting QA Adjusting Company and/or the insurer against fraud.
2.3 We may choose to orally explain to insured/claimant the purposes for which personal information is being collected and then place a note in the client’s file indicating that this has been done.
2.4 We will identify any new purposes that arise during the course of dealing with personal information and obtain prior consent for this new use. We will only do this when the intended new purpose truly constitutes a “new” use.
3.1 We may obtain express consent for the collection, use, or disclosure of personal information or we may determine that consent has been implied by the circumstances. All consent must be informed and obtained fairly without deception.
3.2 Express consent is a specific authorization given by the individual to QA Adjusting Company, either orally or in writing.
3.3 Implied consent is one in which QA Adjusting Company has not received a specific authorization but the circumstances allow us to collect, use or disclose personal information.
3.4 Express written consent includes a client:
- Signing a consent form (such as the Personal Information Consent);
- Providing a letter, claim form or other document authorizing certain activities; and
- Providing an authorization electronically (through a computer).
3.5 Express oral consent can be given in person or over the telephone. If we obtain an express oral consent, we will normally make note of that consent in the insured’s/claimant’s file.
3.6 An example of implied consent is where a dry cleaner asks for your name and address. An implied consent is obtained for the obvious purpose of contacting you should you not collect your dry cleaning. Consent will not be implied for the cleaner to give your information to another business for some other purpose.
3.7 Subject to legal exceptions, consent may be withdrawn at any time. We generally require such withdrawal to be in writing. There may be serious consequences to failing to provide or withdrawing consent, such as QA Adjusting Company’s inability to properly investigate a claim presented or the circumstances surrounding a liability claim.
3.8 Depending on whether a new purpose is identified during the course of dealing with the insured’s/claimant’s personal information, we may choose to seek a new consent.
3.9 Exceptions – There are circumstances in which we are not required to obtain an individual’s consent or explain purposes for the collection, use or disclosure of their personal information. These include but are not limited to:
- Collection – We may collect personal information without consent where it is in the individual’s interest and timely consent is unavailable, or to investigate a breach of an agreement (such as insurance fraud) or a contravention of law. We must have objective reasons to believe there is fraud or breach of an agreement or law. We will, where appropriate, use the industry standard questionable claims indicators.
- Use – We may use personal information without consent for similar reasons as those listed beside “collection” above, and also in an emergency situation in which an individual’s life, health or security is threatened.
- Disclosure – We may disclose personal information without consent for law enforcement and national security purposes, for debt collection, to a lawyer representing our organization or the insurer, and in an emergency situation in which an individual’s life, health or security is threatened.
4. Limiting Collection:
4.1 We only collect personal information for specific, legitimate purposes. We will not collect personal information indiscriminately.
4.2 We will only collect information by fair and lawful means and not by misleading or deceiving individuals about the purpose for which information is being collected.
4.3 Our policies and procedures relating to the limitations on collection of personal information will be regularly communicated to our staff members who deal with personal information.
4.4 We may need to obtain personal information about insured/claimant from third parties, for example, those parties identified in the Personal Information Consent.
5. Limiting Use, Disclosure, and Retention:
5.1 We will only use or disclose personal information for legitimate, identified purposes.
5.2 We will retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.
5.3 We will abide by industry standards applicable in the province(s) in which we are located, regarding minimum and maximum retention periods.
5.4 Personal information that has been used to make a decision about an individual will only be retained long enough to allow the individual access to the information after the decision has been made. This period will not exceed applicable industry standards.
5.5 Personal information that is no longer required to fulfill identified purposes will be destroyed, erased, or made anonymous.
6.1 Our organization will, on an ongoing basis, ensure the accuracy and completeness of personal information under our care and control.
6.2 Individuals who provide their personal information to us must do so in an accurate and complete manner.
6.3 Our goal is to minimize the possibility that inappropriate information may be used to make a decision about any individual whose personal information we process.
6.4 The process for ensuring accuracy and completeness will involve:
- Initial collection from the insurer or other instructing principal preferably in writing;
- Contact with the claimant/insured or witness and where appropriate, documenting information in a statement or by letter or e-mail;
- Regular reviews; and
- Verifying accuracy by contacting third parties (e.g., motor vehicle and driver licensing authorities, police, fire departments, fire commissioner, authorities with jurisdiction, insurance brokers, other adjusters and any other party that can substantiate the type and nature of an occurrence or circumstance) including date, time and place of persons who may have been present and which is relied upon by an insured/claimant to support their claim for loss.
7.1 We will protect the security of personal information, regardless of the format in which it is held, against loss or theft, and against unauthorized access, disclosure, copying, use, or modification.
7.2 More sensitive information will be safeguarded by a higher level of protection.
7.3 In determining what safeguards are appropriate, we will consider the following factors:
- The sensitivity of the information;
- The amount of information held;
- The parties to whom information will be disclosed;
- The format in which the information is held; and
- The way in which the information is physically stored.
7.4 When transferring insured/claimant information to a third party, we will remove or mask any information that is not reasonably needed by the third party.
7.5 Our methods of protection include:
- Physical measures, such as locked filing cabinets and restricted access;
- Organizational measures, such as security clearances and limiting access on a “need-to-know” basis; and
- Technological measures, such as the use of passwords and encryption.
- Hard copy files removed from our offices will, during transport, be kept in briefcases or similar. If left unattended during travel, they will be locked in vehicle trunks or a locked hotel room.
- Computer files accessed from a home or remote computer system will not be copied or kept on such home or remote system. Temporary copies of files will be erased.
- Passwords and log in information will be kept secure and not disclosed to any person. (Note: authorized IT personnel have access to the system and will never ask you to divulge passwords or log in information).
7.6 We will ensure that our policies and procedures on safeguarding personal information are clearly communicated and accessible to our employees by:
- Training staff on the subject of personal information protection; and
- Having regular staff meetings in which we will review our procedures and revise where appropriate.
7.7 We will take precautions in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information. These measures include:
- Ensuring that no one may retrieve personal information after it has been disposed of;
- Shredding documents before recycling them; and
- Deleting electronically stored information.
8.1 Individuals will be able to inquire about our policies and procedures without unreasonable effort.
8.2 We will tell our receptionist and other staff members who our Privacy Officer is so that members of the public can easily be informed.
8.3 We may choose to make information about our policies and procedures available in a variety of ways, for example:
- Making a handbook, our Privacy Code or brochures available;
- Mailing out information;
- Establishing a primary section on our website;
- Establishing a toll-free telephone number; or
- Establishing standardized wordings to be included in letters and e-mails to the insured/claimant as part of our first written communication.
8.4 The information we make publicly available will include:
- The name or title, and the address of our Privacy Officer;
- The means of gaining access to personal information held by the organization;
- A description of the type of personal information held by the organization and a general account of its use;
9. Individual Access:
9.1 We act as agents of the insurer or administrator of a self-insured plan and where a written request is made by an individual to be informed of whether or not we hold personal information about him or her, we will immediately refer that inquiry to our instructing principal and ask for instructions.
9.2 To the extent that we are not agents for a principal, upon written request, an individual will be informed as to whether or not we hold personal information about him or her. If we do hold such personal information, upon written request, we will provide access to the information, as well as a general account of its use.
9.3 The manner in which access will be given may vary, depending on the format in which the information is held (i.e., hard copy or electronic), the amount of information held and other factors. For example, if there is a large volume of information, instead of providing a copy of the entire file, we may simply provide a summary of the information.
9.4 Upon written request, we will provide a list of third parties to whom we may have disclosed an individual’s personal information. If we are unsure exactly which third parties may have received the information, we will provide a list of third parties likely to have received the information.
9.5 Individuals will be required to provide sufficient information to us to permit us to provide an account of the existence, use and disclosure of personal information.
9.6 The procedure for making a request is as follows:
1) All requests must be made in writing.
2) We will respond to a request within 30 days after receipt of the request, unless we first advise the person that we need a longer period to respond.
3) Reasons – if we refuse a request, we will inform the individual in writing of the refusal, explaining the reasons and any recourse the individual may have, including the possibility that they may file a complaint with the Privacy Commissioner of Canada.
4) Deemed refusal – Notwithstanding sub-paragraphs (2) and (3), if we do not respond within the above time limit, we will be deemed to have refused the request.
5) Costs for responding – QA Adjusting Company may require payment of a modest fee to cover our administrative costs associated with preparing a response.
9.7 There are also exceptions, which will prevent us from providing access, including where:
- Personal information about another person might be revealed;
- Commercially confidential information might be revealed;
- Someone’s life or security might be threatened;
- The information was collected without consent for the purposes related to an investigation of a breach of an agreement or contravention of the law; or
- The information was generated during the course of a formal dispute resolution process.
10. Challenging Compliance:
10.1 Upon written request, individuals who wish to inquire or file a complaint about the manner in which we handled their personal information – or about our personal information policies and procedures – will be informed of our procedures.
10.2 To file a complaint, an individual must direct the concern in writing providing basic information and a description of the nature of the complaint.
10.3 Our Privacy Officer on receipt will:
- Acknowledge the complaint right away;
- Assign someone to investigate;
- Give the investigator unfettered access to files and personnel, etc.;
- Clarify facts directly with the complainant, where appropriate; and
- Advise the complainant in writing of the outcome of our investigation, including any steps taken to rectify the problem, if applicable.
10.4 We will document all complaints made by clients, as well as our actions in response to complaints, by noting these details in the individual’s file and also in a master privacy file.