Privacy Information for Producers
Agenda
PIPEDA
Producer Required Privacy Program
Our MGA Privacy Program
Recommendations for Producers
What Privacy Laws Apply to Us?
The Personal Information Protection and Electronic Documents Act (“PIPEDA”), a federal act, governs the collection of customer information and producer information.
Alberta, BC and Quebec have “substantially similar” legislation. (Ontario has substantially similar law for health information.)
The confidence and trust that insurers and customers place in you to protect their privacy and the confidentiality of customers’ personal information is critical to your ongoing success.
You must obtain an individual’s consent to collect, use or disclose his/her personal information (“PI”). The person has a right to access it and to challenge its accuracy. PI can only be used for the reasons you collected it. You must get consent for any new use. You must assure individuals that you will protect their PI with specific safeguards like locked cabinets, computer passwords, encryption.
Individuals can complain to the Office of the Privacy Commissioner of Canada (“OPCC”) about alleged breaches.
The OPCC can also initiate a complaint.
A person can ask the courts to order you to change your practices or award damages.
OPCC can audit you.
It is an offence to:
Identify Purposes for Collection
Limit Collection of Information
Limit Use, Disclosure and Retention of PI
1. Adhere to the 10 PIPEDA Principles;
2. Establish and maintain a Compliance Program that includes:
Make sure that you develop a consent form that covers the work you do for the customer. Not all information goes to the insurer. Anything you retain and use requires explicit consent.
Make sure that the MGA is covered by this consent!
Our Compliance Program covers the same elements that you will have to cover in your program.
Place Name and Contact Information for MGA Compliance Officer here
We collect customer PI from producers on behalf of insurers and under the consents insurers obtain. We act as an arm of the insurer. We don’t have our own consents for customer PI.
Sometimes we collect information on behalf of the producer. Make sure your consent covers our MGA.
We collect producer PI directly through the CLHIA screening form, which provides express consent, and any follow up screening.
We are required to screen you for suitability, initially and on an ongoing basis.
We need information for licensing and contracting.
We need information in order to pay you.
When requested, inform individuals if we have any PI about them and provide access.
Explain how it is/has been used and provide a list of any organizations to which it has been disclosed.
Correct/amend any PI if its accuracy and completeness are challenged and found to be deficient.
Provide a copy of the PI requested, or reasons for not providing access, subject to exceptions set out in Section 9 of the Act.
Note any disagreement on the file and advise 3rd parties where appropriate.
Ask the requestor to name the insurer(s) involved. Do not volunteer this information as it is actually PI. We do not have an authentication process to determine who is making the request.
Notify the PC Officer of the request.
The PC Officer should notify the producer and/or insurer(s)’ contact person directly and ask for written instructions on handling any PI in our possession, including whether the information needs to be provided in a certain format, the deadlines for providing the information, etc.
Develop simple and easily accessible complaint procedures.
Inform complainants of their avenues of recourse. These include our MGA's own complaint procedures, those of insurers and industry associations, regulatory bodies and the Office of the Privacy Commissioner of Canada.
Investigate all complaints received.
Take appropriate measures to correct information handling practices and policies.
Ask the requestor to name the insurer(s) but do not volunteer this information as it is PI.
Notify the PC Officer, who should notify the producer and/or insurer(s) involved and ask for written instructions if our assistance is required in providing PI or resolving the complaint.
The PC Officer will ask the parties to keep us apprised so that we can record the decision and make any necessary changes to our policies and procedures and close the complaint off in our complaint log.
The Privacy Compliance Officer handles all of these, as they require special handling because of the sensitivity of the information.
If you become aware that any PI has been lost, stolen, inadvertently destroyed, or disclosed improperly, notify our PC Officer immediately.
This is very serious and requires immediate action.
PC Officer may ask you to gather information about the incident.
We need to contain the breach immediately and prevent any more PI loss.
The PC Officer will assess the breach.
Insurers will be notified of any customer PI breaches as they will have to follow their own process.
At least every two years.
Requires gathering evidence of how we comply, including sampling files and testing our systems.
At least annually for existing staff.
At hiring for new staff.
The OPCC can audit if it has “reasonable grounds” to believe you are contravening PIPEDA.
Our PC Officer will:
direct our response to the audit.
be the lead contact with the OPCC.
ask you to assist in compiling information where needed.
prepare you if the OPCC needs to interview you.
Take this seriously.
As an independent, you have your own regulatory obligations and risks that you have to manage.
Create an inventory of all the PI you collect, why you collect it, where you keep it, how you protect it.
Develop your own consent form for the advice and service part of your role. Don’t rely on insurer consents alone. Make sure that you cover off sharing information with the MGA.
Use formal documents such as needs analyses, which guide you in asking required, consistent questions and are more likely to result in accuracy.
Advocis and other associations have Privacy programs to share. Join a professional association and take advantage of the compliance support they offer.
Use encryption for sensitive information.
Password protect your computer and all devices.
Keep customer PI locked up and away from public view.
Ensure that your premises are secure.
Have strict fax policies and keep your fax equipment out of public areas.
Destroy material no longer needed. Use a shredder.
Train your staff.
Contact our Privacy Compliance Officer