The PBAS Group
Effective January 1, 2004, The PBAS Group is required to comply with the Personal Information Protection and Electronic Documents Act (“PIPEDA”). A copy of PIPEDA is available at www.privcom.gc.ca.
We have always recognized and respected the privacy and confidentiality of personal information we collect in the course of our daily business activities. As a further commitment, we have created this Privacy Code, which is an embodiment of our adherence to the principles outlined in PIPEDA and applies to all our operations.
In order to ensure that this privacy code is kept up-to-date, we reserve the right to change it from time to time. Any changes will be effective thirty (30) days following The PBAS Group providing you with notice. Notice of changes to the privacy code may be distributed through bulletins, statements, newsletters and/or posted on our website.
Definition Of Terms Used In This Privacy Code
The PBAS Group
“The PBAS Group” is the operating style name of Benchmark Decisions Ltd., Prudent Benefits Administration Services Inc. and Student Benefits Administrators Inc.
Information about an identifiable individual, but does not include the name, title or business address or business telephone number of an employee of an organization.
Chief Privacy Officer
The person at The PBAS Group who is responsible for overseeing that management practices are carried out to ensure overall compliance with the Act.
The following ten principles of privacy are interrelated and are based on fair information practices. They are intended to recognize an individual’s right of privacy while balancing the need for an organization to collect, use or disclose personal information for legitimate business purposes.
The PBAS Group is accountable for all personal information in our possession or control, including any personal information transferred to third parties. We have established policies and procedures to comply with this privacy code, and have designated Wayne Murphy, CEBS, as our Chief Privacy Officer. All staff are required to sign a Confidentiality Agreement as a condition of their employment. In addition to regular audits and other compliance procedures, The PBAS Group stays relevant by attending various educational conferences and symposiums relating to privacy legislation to ensure we follow the standards set by the Act.
We will inform individuals of the purpose for which personal information will be used before or when we consent to its collection. Individuals joining a benefit plan will be required to complete our revised enrolment form which will indicate the reasons why personal information is being collected. If we identify other purposes for which the personal information may be used, we will seek the individual’s consent prior to commencing these uses. We will explain that it is the individual’s right to refuse permission for us to use personal information for any such other purposes. Individuals can ask for information about the purposes for which The PBAS Group collects personal information when they contact our office. Our administrators are able to respond to most inquiries about the collection of personal information. Unless additional purposes are identified to an individual before or at the time of collection, The PBAS Group will collect personal information only for the following purposes:
compute a benefit;
satisfy the reporting requirements of the provincial and federal governments;
pay taxes and comply with civil and criminal law;
determine future operating costs;
accommodate audits of the Plan; and, if applicable,
transfer data to a new replacement plan.
A Social Insurance Number is collected because the Income Tax Act requires it for the individual's income tax reporting.
Personal information is used to establish an individual’s entitlement to a benefit and protect the individual and The PBAS Group from error and fraud.
Consent is obtained from the individual whose personal information is collected, used, or disclosed. This is commonly acquired through the completion of the enrolment form. An individual can provide consent to the collection, use and disclosure of personal information about them expressly, or through an authorized representative. The latter would require written authorization from the individual to release the personal information. For an individual who is a minor, seriously ill, or mentally incapacitated, consent may be obtained from a legal guardian, or person having power of attorney. The PBAS Group may collect, use or disclose personal information without an individual’s consent if it is clearly in the individual’s best interests to do so and consent cannot be sought in a timely manner (e.g., when an individual is seriously ill) and, in limited circumstances as permitted by law. Subject to certain legal or contractual restrictions and reasonable notice, an individual can withdraw consent at any time. The PBAS Group will inform individuals of the consequences of refusing or withdrawing consent when individuals seek to do so. Refusing or withdrawing consent could precipitate the destruction of an individual’s personal information and may, therefore, render ongoing participation impossible.
The PBAS Group will limit the amount and type of personal information we collect. We will collect personal information only for the identified purposes or as otherwise permitted by law, and will only collect the information about an individual primarily from the individual or from external sources if individuals have consented to such collection.
We will use or disclose personal information only for the reasons it was collected, unless an individual gives us consent to use or disclose it for another reason. Under certain circumstances, The PBAS Group may have a legal duty or right to disclose personal information without consent. Within The PBAS Group, access to personal information is, and will continue to be, limited to only those people who have a need to know. The majority of personal information we receive is filed electronically, with access limitations related to the specific activities of each member of our staff. Hard-copy information is either destroyed after it is transferred to electronic form, or retained in locked files to which only authorized staff members have access. There are a limited number of instances wherein the personal information is disclosed to third parties. The most prevalent, of those, involves medical practitioners concerned with the process of claims adjudication. They are bound by their professional standards. Otherwise, there may be outsiders who print and distribute statements on the accumulated benefit/coverage entitlements, or third parties who determine reserve requirements and other projected costs, lawyers who perform family and estate settlements, and auditors who assess recording-accuracy. As an extension of our current operating policy, a plan member’s personal information is not released to the Plan Sponsor or to a representative union, without the specific consent from the member. In each of those cases, we require the completion of a Confidentiality and Privacy Agreement. When responding to a verbal request for personal information, an individual will be asked to provide the following information:
date of birth;
social insurance number/personal identification number; and,
place of employment.
Except for the revocation of a member’s consent (to hold and use personal information) there are long-term requirements for the retention of personal information. We will keep personal information only as long as necessary for the identified purposes. As a rule of thumb, pension records must be kept indefinitely, while other records should be held for at least seven years after the member’s termination from the plan. In the latter case, files are purged, periodically, and destroyed. Electronic destruction is performed by the IT staff of The PBAS Group. Hard-copy files are shredded, on site, by reputable contractors, who certify the completion of each job.
We will keep the personal information in our possession or control accurate, complete, current and relevant, based on the most recent information available to us. Individuals may challenge the accuracy and completeness of personal information about them and have it amended as appropriate. We will rely on individuals to keep certain personal information relating to them accurate, complete and current.
If an individual demonstrates that personal information is inaccurate, incomplete, out-of-date or irrelevant, The PBAS Group will revise or delete the personal information and disclose the revised personal information to any third parties to whom we disclosed wrong or outdated information in order to permit them to revise their records. If information remains in dispute, it will be duly noted in the individual’s file.
The PBAS Group protects personal information with safeguards appropriate to the sensitivity of the information.
With the few exceptions where hard-copy files are kept, the personal information held by The PBAS Group is stored on an IBM Power System S814 (8286-41A). It is downloaded to the microcomputers of the staff members with clearance to do so. Both facilities are protected by encryption, firewalls, anti-virus programs, and physical intrusion detection that are regularly upgraded. Passwords and personal identification numbers are other measures taken to safeguard personal information.
All databanks and systems are duplicated, for disaster-recovery purposes, at an IBM facility. Their assurance of privacy protection is outlined in a contractual agreement we enter into on an annual basis.
Physical admittance to our IT department has always been controlled with locks and select access codes. Only a limited number of staff members may enter those premises without close supervision.
The PBAS Group will be open about the procedures used to manage personal information. Individuals will have access to information about these procedures through this privacy code, or by contacting the Chief Privacy Officer. Should an individual wish to lodge a complaint they may do so by contacting our Chief Privacy Officer. An electronic copy of this privacy code will be available on our website at www.pbas.ca or copies can be secured by writing to the Chief Privacy Officer at: 61 International Blvd., Toronto, Ontario M9W 6K4.
When an individual requests it, The PBAS Group will advise the individual what personal information we have in our possession or control about the individual, what it is being used for, and to whom it has been disclosed. In certain exceptional situations, The PBAS Group may not be able to give individuals access to all of the personal information about them. We will respond to the request as quickly as possible and no later than thirty (30) days after receipt of the request. This timeframe may be extended for a maximum of thirty (30) additional days, if, for example, additional time is required to conduct consultations. If that were to happen, we would notify the individual in writing. In the unlikely event that The PBAS Group determines that there may be a cost to the individual in granting such access, we shall inform the individual of the costs permitted by law prior to granting such access. All requests for personal information should be addressed, in writing, to the Chief Privacy Officer.
Complaints and inquiries should be directed to our Chief Privacy Officer, Wayne Murphy at firstname.lastname@example.org.
Individuals may challenge The PBAS Group’s compliance with this privacy code. All complaints will be investigated. If a complaint is found to be justified, we will attempt to resolve it. If necessary, we will modify our policies and procedures to ensure that other individuals will not experience the same problem. If individuals are not satisfied with the way we have responded to their complaint, they may file a written complaint to:
Office of the Privacy Commissioner of Canada
30 Victoria Street