Policy 1 -- Accountability
We are responsible for all personal information under our control and will designate one or more individuals who will be accountable for the organization's compliance with the policies and procedures described in this Handbook.
1.1 The individual appointed to be accountable for QA Adjusting Company's compliance will be known as our Privacy Officer. We will appoint an appropriate person in this capacity who has sufficient authority within the organization to ensure compliance.
1.2 Our Privacy Officer may be contacted as follows:
Title: Chief Privacy Officer
Name: Cory R. Malkoske
Address: 279 Provencher Blvd
City: Winnipeg, MB, R2H 0G6
Telephone #: 204-233-8844 ext 24
Fax #: 204-233-7793
E-mail: [email protected]
Title: Branch Privacy Officer
The Branch Privacy Officer, for branches with more than one adjuster, will be the Branch Manager. Where an inquiry is made on the file handled by the Branch Manager, the person inquiring should be referred to the Regional Privacy Officer.
1.3 Our commitment is to:
• protect personal information;
• allow individuals to request information, seek amendments to their personal information, and file complaints against QA Adjusting Company with our Privacy Officer;
• train and educate staff; and
• develop information which explains those procedures to the public.
1.4 We will use reasonable means to ensure that the insured's/claimant's personal information is given a comparable level of protection while being processed by a third party. If it is not practical to obtain written assurances, we may choose to make a written notation in our own file(s). Where a third party processes information on a one-off basis, we will issue a privacy notice to that service provider requiring them to comply with our privacy principles.
Policy 2 -- Identifying Purposes
We will identify the purposes for which we collect personal information at or before the time the information is collected.
2.1 We will identify and document the purposes for which we collect personal information of affected individuals at or before the time of collection.
2.2 We may choose to identify and document such purposes orally or in writing. Written notification will be used whenever practical to do so. This Handbook itself may be used to identify such purposes. Common purposes for collection include:
• verifying the circumstances surrounding the loss;
• verifying the amount payable for the loss;
• verifying the availability of benefits payable under the policy;
• verifying the circumstances leading to the formation of the insurance contract;
• protecting QA Adjusting Company and/or the insurer against inaccuracy;
• protecting QA Adjusting Company and/or the insurer against fraud.
2.3 We may choose to orally explain to insureds/claimants the purposes for which personal information is being collected and then simply place a note in the client's file indicating that this has been done (see the attached form).
2.4 We will identify any new purposes that arise during the course of dealing with personal information – and obtain prior consent for this new use – even if we have already identified certain initial purposes. However, we will only do this when the intended new purpose truly constitutes a "new" use, i.e., when the purpose now being proposed is sufficiently different from the purpose initially identified.
2.5 All purposes must be explained to insureds/claimants in a manner that results in meaningful consent, as outlined in Policy 3 below.
Note 1 — The Personal Information Consent discloses the same common purposes for collection as set out in paragraph 2.2 above. If insureds/claimants have received this consent form or this Handbook, we will not provide any further disclosure in relation to a purpose already identified by or contemplated in the form or Handbook, nor will we seek a new consent.
Note 2 — There may be situations in which we are not required to explain purposes and where it would not be appropriate to do so, including those situations outlined under paragraph 3.11 "Exceptions" in Policy 3 -- Consent.
Policy 3 -- Consent
We will obtain the appropriate consent from individuals for the collection, use, or disclosure of their personal information, except where the law provides an exemption.
3.1 We may obtain express consent for the collection, use, or disclosure of personal information or we may determine that consent has been implied by the circumstances. All consent must be informed and obtained fairly without deception.
3.2 All express or implied consent must be “meaningful consent”, which requires individuals to have sufficient knowledge to reasonably understand the nature, purpose, and consequences of the information’s use or disclosure. The reasonable expectations of the individual must be taken into account.
3.3 To ensure meaningful consent, we will provide individuals with the opportunity to review the following elements on providing consent to disclosure or use of personal information:
•the type of personal information that is being, or may be, collected;
•the parties with whom the personal information will be shared;
•the purposes for which personal information is being collected, used, or disclosed; and
•the consequences of the collection, use, or disclosure to which they are consenting, particularly any meaningful risks of significant harm.
3.4 Express consent is a specific authorization given by the individual to QA Adjusting Company, either orally or in writing.
3.5 Implied consent is one in which QA Adjusting Company has not received a specific authorization but the circumstances allow us to collect, use or disclose personal information. Implied consent will only be appropriate where the information is less sensitive, taking into account the reasonable expectations of the individual.
3.6 Express written consent includes a client:
•signing a consent form (such as the Personal Information Consent);
•checking a consent check-off box (leaving a pre-ticked or opt-out box untouched is not an express authorization);
•providing a letter, claim form or other document authorizing certain activities; and
•providing an authorization electronically (through a computer).
3.7 Express oral consent can be given in person or over the telephone. If we obtain an express oral consent, we will make note of that consent in the insured’s/claimant’s file.
3.8 An example of implied consent is where a drycleaner asks for your name and phone number. An implied consent is obtained for the obvious purpose of contacting you should you not collect your dry cleaning. Consent will not be implied for the cleaner to give your information to another business for some other purpose.
3.9 Subject to legal exceptions, consent may be withdrawn at any time. We generally require such withdrawal to be in writing. There may be serious consequences to failing to provide or withdrawing consent, such as QA Adjusting Company’s inability to properly investigate a claim presented or the circumstances surrounding a liability claim.
3.10 Depending on whether a new purpose is identified during the course of using or disclosing the insured’s/claimant’s personal information, we may choose to seek a new consent.
3.11 Exceptions — There are circumstances in which we are not required to obtain an individual's consent or explain purposes for the collection, use or disclosure of their personal information. These include but are not limited to:
•Collection — We may collect personal information without consent where it is in the individual's interest and timely consent is unavailable, or to investigate a breach of an agreement (such as insurance fraud) or a contravention of law. We must have objective reasons to believe there is fraud or breach of an agreement or law and a note of such reasons is incorporated into the insured’s/claimant’s file. We will where appropriate use the industry standard questionable claims indicators.
•Use — We may use personal information without consent for similar reasons as those listed beside “collection” above, and also in an emergency situation in which an individual's life, health or security is threatened.
•Disclosure — We may disclose personal information without consent for law enforcement and national security purposes, for debt collection, to a lawyer representing our organization or the insurer, to another organization to detect, suppress, or prevent fraud, and in an emergency situation in which an individual's life, health or security is threatened.
3.12 The exceptions outlined in paragraph 3.11 above do not apply to the following unless an agreement has been entered into that provides otherwise. In these cases, consent for collection and use remains a requirement:
• the collection and use of an individual’s electronic address where the address is collected by use of a computer program.
• the collection and use of an individual’s personal information for telecommunication purposes.
Note – We will still use the specific medical and wage consent and similar authorization forms in addition to our own consent forms.
Policy 4 -- Limiting Collection
The personal information we collect will be limited to that which is necessary for the purposes we have identified.
4.1 We only collect personal information for specific, legitimate purposes considered reasonably appropriate in the circumstances. We will not collect personal information indiscriminately.
4.2 We will only collect information by fair and lawful means and not by misleading or deceiving individuals about the purpose for which information is being collected.
4.3 Our policies and procedures relating to the limitations on collection of personal information will be regularly communicated to our staff members who deal with personal information.
4.4 QA Adjusting Company may need to obtain personal information about insureds/claimants from third parties, for example, those parties identified in the Personal Information Consent.
Note 1 — There may be situations in which we collect personal information for legitimate purposes not identified to the individual, including those situations outlined under paragraph 3.11 "Exceptions" in Policy 3 – Consent.
Note 2 — Adjusters will be aware that, in order to avoid criticism from the courts over leading a witness (and thus potentially making the statement inadmissible), "pure form" statements are used in which individuals provide a complete, uninterrupted account. This may result in the collection of personal information beyond that necessary for the purposes identified. Adjusters will also be aware that failure to record all information and provide it to the principal for whom one acts as agent could lead to a potential errors and omissions claim. The adjuster should simply note such extraneous information as having been given and not attempt to follow up on it.
Note 3 — If a witness/claimant/insured offers documents containing personal information for which no consent has been provided, the adjuster should note the availability of such documents and, if appropriate, seek either to obtain consent or to obtain a court order to produce such documents.
Note 4 — If an insurer asks us to investigate and obtain personal information that appears to be beyond that necessary or appropriate for a specific legitimate purpose, the adjuster will clarify such instructions (preferably in writing) with the instructing principal.
Policy 5 -- Limiting Use, Disclosure, and Retention
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. We will only retain personal information as long as necessary for the fulfillment of those purposes.
5.1 We will only use or disclose personal information to the extent necessary for legitimate, identified purposes.
5.2 We will retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.
5.3 We will abide by industry standards applicable in the province(s) in which we are located, regarding minimum and maximum retention periods.
5.4 Personal information that has been used to make a decision about an individual will only be retained long enough to allow the individual access to the information after the decision has been made. This period will not exceed applicable industry standards.
5.5 Personal information that is no longer required to fulfill identified purposes will be destroyed, erased, or made anonymous. See Policy 7 -- Safeguards, paragraph 7.7.
Note 1 — There may be situations in which we use, disclose, or retain personal information for legitimate purposes not identified to the individual, including those situations outlined under paragraph 3.11 "Exceptions" in Policy 3 – Consent.
Note 2 — We may be required to keep personal information for a length of time consistent with legal limitation periods including potential errors and omissions claims against QA Adjusting Company or where the person entitled to benefits under a policy is not yet at the age of majority.
Note 3 — Backup records from our computer servers may have to be kept for sound business reasons: to comply with statutory or regulatory requirements, to protect QA Adjusting Company from liability for errors and omissions claims or fraud, or because reasonably available technology cannot guarantee the complete anonymization or erasure of all personal information within those backup copies. In such cases, backup data will be held at a secure third party location and access to it will be limited to top management and IT personnel only. The intention is to place these backup records beyond use, except in exceptional circumstances or otherwise within the permissible uses set out by PIPEDA. Safeguards will be implemented to ensure the security of personal information contained within backup data.
Policy 6 -- Accuracy
The personal information we collect will be as accurate, complete, and up to date as is necessary for the purposes for which it is to be used.
6.1 Our organization will, on an ongoing basis, ensure the accuracy and completeness of personal information under our care and control.
6.2 Individuals who provide their personal information to us must do so in an accurate and complete manner.
6.3 Our goal is to minimize the possibility that inappropriate information may be used to make a decision about any individual whose personal information we process.
6.4 The process for ensuring accuracy and completeness will involve:
• initial collection from the insurer or other instructing principal preferably in writing;
• contact with the claimant/insured or witness and where appropriate, documenting information in a statement or by letter or e-mail;
• regular reviews; and
• verifying accuracy by contacting third parties who can substantiate the type and nature of an occurrence or circumstance relied upon by an insured/claimant to support their claim for loss (e.g., motor vehicle and driver licensing authorities, police, fire departments, fire marshals, authorities with jurisdiction, insurance brokers, other adjusters and any other such party), including the date, time and place of the occurrence and the persons who may have been present.
6.5 As more particularly described in Policy 9 -- Individual Access, we will provide recourse to individuals who appear to have legitimate corrections to make to their information on file. Once significant errors or omissions have been identified, we will correct or amend the information as appropriate. Where necessary, we will send such corrected or amended information to our principals and/or third parties who have had access to the information in question.
Policy 7 -- Safeguards
We will safeguard the security of personal information under our control in a manner that is appropriate to the sensitivity of the information.
7.1 We will protect the security of personal information, regardless of the format in which it is held, against loss or theft, and against unauthorized access, disclosure, copying, use, or modification.
7.2 More sensitive information will be safeguarded by a higher level of protection. However, we will generally seek to achieve the highest level of security.
7.3 In determining what safeguards are appropriate, we will consider the following factors:
• the sensitivity of the information;
• the amount of information held;
• the parties to whom information will be disclosed;
• the format in which the information is held; and
• the way in which the information is physically stored, including technological means of storage.
7.4 When transferring insured/claimant information to a third party, we will remove or mask any information that is not reasonably needed by the third party.
7.5 Our methods of protection include:
• physical measures, such as locked filing cabinets and restricted access;
• organizational measures, such as security clearances and limiting access on a "need-to-know" basis;
• technological measures, such as the use of passwords and encryption;
• hard copy files removed from our offices will, during transport, be kept in briefcases or similar. If left unattended during travel, they will be locked in vehicle trunks or a locked hotel room;
• computer files accessed from a home or remote computer system will not be copied to or kept on such home or remote system. Temporary copies of files will be erased; and
• passwords and log-in information will be kept secure and not disclosed to any person. (Note: authorized IT personnel already have access to the system and will never ask you to divulge passwords or log-in information.)
7.6 We will ensure that our policies and procedures on safeguarding personal information are clearly communicated and accessible to our employees by:
• training staff on the subject of personal information protection; and
• having regular staff meetings in which we will review our procedures and revise where appropriate.
7.7 We will take precautions in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information. These measures include:
• ensuring that no one may retrieve personal information after it has been disposed of;
• shredding documents before recycling them; and
• deleting electronically stored information in a manner that prevents recovery (including copies held in backups and on decommissioned storage media, as far as reasonably available technology allows).
Policy 8 -- Openness
We will make readily available to individuals specific information about our policies and procedures relating to the management of personal information which is under our control.
8.1 Individuals will be able to inquire about our policies and procedures without unreasonable effort.
8.2 We will tell our receptionist and other staff members who our Privacy Officer is so that members of the public can easily be informed.
8.3 We may choose to make information about our policies and procedures available in a variety of ways, for example:
• making this Handbook or our Privacy Code or brochures available;
• mailing out information;
• establishing a primary section on our website;
• establishing a toll-free telephone number; or
• establishing standardized wordings to be included in letters and e-mails to the insured/claimant as part of our first written communication.
8.4 The information we make publicly available will include:
• the name or title, and the address of our Privacy Officer;
• the means of gaining access to personal information held by the organization;
• a description of the type of personal information held by the organization and a general account of its use;
• a general list of the kinds of personal information made available by us to other organizations (e.g., insurance companies and other third parties). See Personal Information Consent.
Note — Openness is one of the fundamental privacy principles and must be recognized as such.
Policy 9 -- Individual Access
Upon request, an individual will be informed of the existence, use, and disclosure of his or her personal information, which is under our control, and may be given access to, and challenge the accuracy and completeness of that information.
9.1 We act as agents of the insurer or administrator of a self-insured plan. Where a written request is made by an individual to be informed of whether or not we hold personal information about him or her, we will immediately refer that inquiry to our instructing principal and ask for instructions. Any response will be provided in a reasonable time, in an understandable form, and at minimal or no cost to the individual.
9.2 To the extent that we are not agents for a principal, upon written request, an individual will be informed as to whether or not we hold personal information about him or her. If we do hold such personal information, upon written request, we will provide access to the information, as well as a general account of its use inside and outside the organization.
9.3 The manner in which access will be given may vary, depending on the format in which the information is held (i.e., hard copy or electronic), the amount of information held and other factors such as sensory disabilities of the individual. For example, if there is a large volume of information, instead of providing a copy of the entire file, we may simply provide a summary of the information.
9.4 Upon written request, we will provide a list of third parties to whom we have disclosed an individual's personal information. If we are unsure exactly which third parties may have received the information, we will provide a list of third parties who may have received the information.
9.5 Individuals will be required to provide sufficient information to us to permit us to provide an account of the existence, use and disclosure of personal information. This information will only be used for such a purpose.
9.6 The procedure for making a request is as follows:
(1) All requests must be made in writing using a form such as the Request/Complaint Form.
(2) We will respond to a request with due diligence and within 30 days after receipt of the request, unless we first advise the person that we need a longer period to respond.
(3) Reasons – If we refuse a request, we will inform the individual in writing of the refusal, explaining the reasons and any recourse the individual may have, including the possibility that they may file a complaint with the Privacy Commissioner of Canada. Where PIPEDA requires it for the ground of refusal relied upon, we will also notify the Privacy Commissioner of Canada of the refusal in writing.
(4) Deemed refusal – Notwithstanding sub-paragraphs (2) and (3), if we do not respond within the above time limit, we will be deemed to have refused the request.
(5) Costs for responding – QA Adjusting Company may require payment of a modest fee to cover our administrative costs associated with preparing a response. This fee can only be charged if the individual was informed of the cost.
9.7 There are also exceptions, which will prevent us from providing access, including where:
• personal information about another person might be revealed and this information is not severable;
• confidential commercial information might be revealed and this information is not severable;
• another individual’s life or security might reasonably be threatened and this information is not severable;
• the information was collected without consent for the purposes related to an investigation of a breach of an agreement or contravention of the law; or
• the information was generated during the course of a formal dispute resolution process.
Note — We should be cautious in using the word “fraud” in connection with a denial of access to records. The Courts have been critical of adjusters for coming to a premature conclusion that a claim is fraudulent and then by the nature of their inquiries seeking only to reinforce an earlier prejudice.
Policy 10 -- Challenging Compliance
An individual may address a challenge concerning compliance with the above policies and procedures to our Privacy Officer.
10.1 Upon request, individuals who wish to inquire or file a complaint about the manner in which we handled their personal information – or about our personal information policies and procedures – will be informed of our applicable complaint procedures.
10.2 To file a complaint, an individual must fill out a Request/Complaint Form, which requires basic information and a description of the nature of the complaint.
10.3 The procedure for filing a complaint about our organization is as follows:
• a Request/Complaint Form must be filed with our Privacy Officer;
• we will acknowledge the complaint right away;
• we will assign someone to investigate;
• we will give the investigator unfettered access to files and personnel, etc.;
• we will clarify facts directly with the complainant, where appropriate; and
• we will advise the complainant in writing of the outcome of our investigation, including any steps taken to rectify the problem, if applicable.
10.4 Individuals can file complaints resulting from our refusal to grant a request for access to personal information collected, disclosed, or used directly with the Privacy Commissioner. Such complaints must be filed within six months after our refusal. We will be notified by the Privacy Commissioner of any such complaints.
10.5 We will document all complaints made by clients, as well as our actions in response to complaints, by noting these details in the individual's file and also in a master privacy file.
Policy 11 – Breaches of Security
We will fulfil our obligations to report any breaches of our security safeguards and notify relevant parties of any risks to their personal information.
11.1 On identification of a breach of our security safeguards compromising personal information, we will appoint a “breach coach” to assist with post-incident response, including:
• identifying material facts;
• coordinating the securing of impacted information and networks;
• retaining third party service providers to provide credit monitoring and data restoration services;
• advising as to obligations under Canadian privacy legislation; and
• responding to any investigations or audits on behalf of the organization.
11.2 We will report breaches of our security safeguards to the Office of the Privacy Commissioner where such breaches expose information within our control and pose a real risk of significant harm to the individual.
• Information is within our control unless we are merely storing the personal information on behalf of another organization, without using or disclosing it.
• Information will pose a real risk of significant harm where it is more than speculative that harm could take place. Factors to consider include the information’s sensitivity, the likelihood of misuse, the length of exposure, evidence of malicious intent, and whether the information was encrypted.
11.3 If the breach passes the "notification threshold" in paragraph 11.2, we must notify the Office of the Privacy Commissioner and affected individuals of the breach as soon as is feasible. The Office of the Privacy Commissioner will be informed in writing using the designated PIPEDA Breach Report Form available at https://www.priv.gc.ca/media/4844/pipeda_pb_form_e.pdf
11.4 Affected individuals must be notified of the breach as soon as is feasible. Any notification must be sufficiently clear to inform them of the breach and any steps they must take to reduce the risk of harm.
11.5 We will inform affected individuals directly by telephone, mail, or e-mail unless this would cause further harm, undue hardship, or we are not in possession of such information. In such cases, we will provide indirect notification to affected individuals by public communication.
11.6 Notification to affected individuals must include:
• a description of the circumstances of the breach;
• the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
• a description of the personal information that is the subject of the breach to the extent that the information is known;
• a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
• a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
• contact information that the affected individual can use to obtain further information about the breach.
11.7 Where the breach of security safeguards exposes sensitive personal information, credit monitoring services will be offered to the affected individuals at no additional cost.
11.8 We will retain breach logs recording all breaches of our security safeguards affecting personal information for 24 months after the date the breach occurs. These records must include, at minimum:
• date or period of the breach;
• circumstances of the breach;
• nature of information involved in the breach;
• whether or not notifications were made to the Office of the Privacy Commissioner and affected individuals; and
• if applicable, why the organization decided the breach did not meet the threshold of notification.
11.9 We will maintain confidentiality throughout the breach process. Breach logs and reports to the Office of the Privacy Commissioner will not be disclosed unless deemed necessary for the public interest.
11.10 The Office of the Privacy Commissioner may investigate the breach of our security safeguards and either issue a report with recommendations or request that we enter into a compliance agreement. We will comply with any information requests throughout the course of the investigation and provide new information as it becomes available. Any recommendations or compliance agreements will be implemented.
Note — Failure to comply with these obligations is an offence punishable by a fine of up to $100,000, in addition to any damages awarded to affected individuals.
Policy 12 – Electronic Signatures
Where permitted by statute, we will allow documents to be signed by a cryptographically verifiable (digital) electronic signature and consider them equivalent to "wet ink" signatures.
12.1 Where there is a legal requirement that a document be signed, electronic signatures can be used in place of "wet ink" signatures unless legislation indicates otherwise.
12.2 A document containing an electronic signature will be accepted where its integrity and authenticity can be demonstrated by the following:
• an electronic signature block is inserted at the location where the signature was applied;
• an electronic signature audit trail, including a digital signature certificate, is embedded in and linked directly to the document;
• the document is secured once signed and it can be determined whether the document has been changed since the signature was added;
• the date and time of the signature is included; and
• we are able to download a verifiable copy of the signed record, with or without the audit trail.
12.3 Electronic signatures must be unique to the person, under their control, and able to be used to identify the person.
12.4 Where an electronic signature is used in compliance with the above requirements, we are entitled to presume that the document was signed by the person identified by the electronic signature.
Note — Where there is no clear legislative requirement to sign a document, electronic signatures are generally recognized as proof of assent to an agreement so long as integrity and authenticity of the document can be demonstrated.
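The integrity and authenticity properties listed in 12.2 (a signature bound to the document, the date and time of signing, and the ability to tell whether the document was changed afterwards) are what a digital signature over the document provides. The following is an added illustration written for this edition of the Handbook; it is not code from QA Adjusting Company's systems or from any e-signature vendor, and the record layout, signer name and sample document text are constructed assumptions. It uses Ed25519 from the Go standard library to sign the SHA-256 hash of a document together with the signer identity and timestamp, then shows that the original verifies, that an altered amount or an altered timestamp does not, and that the record still verifies after being saved and reloaded as JSON (the "verifiable copy" of 12.2).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// SignedRecord is a hypothetical audit-trail record (not a real e-signature
// vendor format). It carries what 12.2 asks for: what was signed (the hash),
// who signed, when, the signature, and the public key needed to verify it.
type SignedRecord struct {
	DocumentSHA256 []byte    `json:"document_sha256"`
	Signer         string    `json:"signer"`
	SignedAt       time.Time `json:"signed_at"`
	PublicKey      []byte    `json:"public_key"`
	Signature      []byte    `json:"signature"`
}

// signingPayload binds the document hash, signer identity and timestamp into
// the bytes covered by the signature, so none of them can be changed after
// signing without the signature failing to verify.
func signingPayload(docHash []byte, signer string, at time.Time) []byte {
	return []byte(fmt.Sprintf("%x|%s|%s", docHash, signer, at.UTC().Format(time.RFC3339)))
}

// Sign hashes the document and signs hash+signer+timestamp with the signer's
// Ed25519 private key, i.e. the key that 12.3 requires to be unique to the
// person and under their control.
func Sign(doc []byte, signer string, priv ed25519.PrivateKey, at time.Time) SignedRecord {
	at = at.UTC().Truncate(time.Second) // RFC3339 has one-second resolution
	h := sha256.Sum256(doc)
	return SignedRecord{
		DocumentSHA256: h[:],
		Signer:         signer,
		SignedAt:       at,
		PublicKey:      []byte(priv.Public().(ed25519.PublicKey)),
		Signature:      ed25519.Sign(priv, signingPayload(h[:], signer, at)),
	}
}

// Verify recomputes the hash of the document as received and checks the
// signature over hash+signer+timestamp. Any change to the document, the
// recorded time or the signer name makes this return false, which is the
// "can be determined whether the document has been changed" property of 12.2.
func Verify(doc []byte, rec SignedRecord) bool {
	if len(rec.PublicKey) != ed25519.PublicKeySize {
		return false
	}
	h := sha256.Sum256(doc)
	if !bytes.Equal(h[:], rec.DocumentSHA256) {
		return false
	}
	payload := signingPayload(h[:], rec.Signer, rec.SignedAt)
	return ed25519.Verify(ed25519.PublicKey(rec.PublicKey), payload, rec.Signature)
}

// Demo runs the checks an adjuster would care about and returns, in order:
// original verifies; altered amount fails; altered timestamp fails; and the
// record still verifies after a JSON save/reload (the downloadable copy).
func Demo() (original, tampered, backdated, roundTrip bool, err error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample document text; not a real claim.
	doc := []byte("Proof of Loss (sample) - Amount claimed: $4,250.00")
	rec := Sign(doc, "claimant@example.invalid", priv, time.Now())

	original = Verify(doc, rec)

	altered := bytes.Replace(doc, []byte("$4,250.00"), []byte("$14,250.00"), 1)
	tampered = Verify(altered, rec)

	back := rec
	back.SignedAt = rec.SignedAt.Add(-24 * time.Hour)
	backdated = Verify(doc, back)

	blob, err := json.Marshal(rec)
	if err != nil {
		return
	}
	var restored SignedRecord
	if err = json.Unmarshal(blob, &restored); err != nil {
		return
	}
	roundTrip = Verify(doc, restored)
	return
}

func main() {
	o, t, b, r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original=%v tampered=%v backdated=%v roundTrip=%v\n", o, t, b, r)
}
```

What the example does not cover, and what a real e-signature platform adds on top, is the "digital signature certificate" of 12.2: binding the public key to a named person through a certificate chain, so that 12.4's presumption about who signed rests on more than a self-asserted signer field.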