privacy information for producers n.
Skip this Video
Loading SlideShow in 5 Seconds..
Privacy Information for Producers PowerPoint Presentation
Download Presentation
Privacy Information for Producers

Loading in 2 Seconds...

play fullscreen
1 / 28

Privacy Information for Producers - PowerPoint PPT Presentation

  • Uploaded on

Privacy Information for Producers. Agenda. PIPEDA Producer Required Privacy Program Our MGA Privacy Program Recommendations for Producers. What Privacy Laws Apply to Us?.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Privacy Information for Producers

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript


Producer Required Privacy Program

Our MGA Privacy Program

Recommendations for Producers

what privacy laws apply to us
What Privacy Laws Apply to Us?

The Personal Information Protection and Electronic Documents Act (“PIPEDA”), a federal act,governs collections of customer information and producer information.

“Substantially similar” legislation in Alberta, BC and Quebec. (Ontario has substantially similar law for health information).

why is this important
Why is This Important?

The confidence and trust that insurers and customers place in you to protect their privacy and the confidentiality of customers’ personal information is critical to your ongoing success.

pipeda summary
PIPEDA Summary

You must obtain an individual’s consent to collect, use or disclose his/her personal information (“PI”). The person has a right to access it and to challenge its accuracy. PI can only be used for the reasons you collected it. You must get consent for any new use. You must assure individuals that you will protect their PI with specific safeguards like locked cabinets, computer passwords, encryption.

non compliance

Individuals can complain to the Office of the Privacy Commissioner of Canada (“OPCC”) about alleged breaches.

The OPCC can also initiate a complaint.

A person can ask the courts to order you to change your practices or award damages.

OPCC can audit you.


It is an offence to:

  • Destroy PI that an individual has requested.
  • Retaliate against an employee who complains or refuses to contravene Sections 5 to 10.
  • Obstruct a complaint investigation or audit by OPCC.
pipeda s 10 principles
PIPEDA’s 10 Principles


Identify Purposes for Collection


Limit Collection of Information

Limit Use, Disclosure and Retention of PI






what is the producer required to do
What is the Producer Required to Do?

1. Adhere to the 10 PIPEDA Principles;

2. Establish and maintain a Compliance Program that includes:

  • Appointing a Compliance Officer
  • Written Privacy Policies and Procedures that cover at a minimum
    • Receiving and Processing Access Requests
    • Receiving and Responding to Inquiries/Complaints
    • Safeguarding Information
      • Assessing the Program Regularly
      • Training Staff
      • Privacy Breach Procedures
what else
What Else?

Make sure that you develop a consent form that covers the work you do for the customer. Not all information goes to the insurer. Anything you retain and use requires explicit consent.

Make sure that the MGA is covered by this consent!

our mga s privacy program
Our MGA’s Privacy Program

Our Privacy Policy covers how we handle your PI and your customers’ PI. It is posted on our website and included in contracting packages.

Our Compliance Program covers the same elements that you will have to cover in your program.

appointed compliance officer
Appointed Compliance Officer

Place Name and Contact Information for MGA Compliance Officer here

mga role in collecting pi
MGA Role in Collecting PI

We collect customer PI from producers on behalf of insurers and under the consents insurers obtain. We act as an arm of the insurer. We don’t have our own consents for customer PI.

Sometimes we collect information on behalf of the producer. Make sure your consent covers our MGA.

We collect producer PI directly through the CLHIA screening form, which provides express consent, and any follow up screening.

why we collect and use your pi
Why We Collect and Use Your PI

We are required to screen you for suitability

initially and on an ongoing basis

We need information for licensing and contracting

We need information in order to pay you.

requirements for access requests
Requirements for Access Requests

When requested, inform individuals if we have any PI about them and provide access.

Explain how it is/has been used and provide a list of any organizations to which it has been disclosed.

Correct/amend any PI if its accuracy and completeness is challenged and found to be deficient.

Provide a copy of the PI requested, or reasons for not providing access, subject to exceptions set out in Section 9 of the Act.

Note any disagreement on the file and advise 3rd parties where appropriate.

our procedures for customer access requests
Our Procedures for Customer Access Requests

Ask the requestor to name the insurer(s) involved. Do not volunteer this information as it is actually PI. We do not have an authentication process to determine who is making the request.

Notify the PC Officer of the request.

The PC Officer should notify the producer and/or insurer(s)’ contact person directly and ask for written instructions on handling any PI in our possession, including whether the information needs to be provided in a certain format, the deadlines for providing the information, etc.

requirements for responding to complaints and inquiries
Requirements for Responding to Complaints and Inquiries

Develop simple and easily accessible complaint procedures.

Inform complainants of their avenues of recourse. These include our MGA's own complaint procedures, those of insurers and industry associations, regulatory bodies and the Office of the Privacy Commissioner of Canada.

Investigate all complaints received.

Take appropriate measures to correct information handling practices and policies.

procedures for handling customer complaints and inquiries
Procedures for Handling Customer Complaints and Inquiries

Ask the requestor to name the insurer(s) but do not volunteer this information as it is PI.

Notify the PC Officer, who should notify the producer and/or insurer(s) involved and ask for written instructions if our assistance is required in providing PI or resolving the complaint.

The PC Officer will ask the parties to keep us apprised so that we can record the decision and make any necessary changes to our policies and procedures and close the complaint off in our complaint log.

procedure for producer access requests and complaints
Procedure for Producer Access Requests and Complaints

Privacy Compliance Officer handles all of these as they require special handling because of sensitivity of information.

privacy breach process
Privacy Breach Process

If you become aware that any PI has been lost, stolen, inadvertently destroyed, or disclosed improperly, notify our PC Officer immediately.

This is very serious and requires immediate action.

privacy breaches
Privacy Breaches

PC Officer may ask you to gather information about the incident.

We need to contain the breach immediately and prevent any more PI loss.

The PC Officer will assess the breach.

Insurers will be notified of any customer PI breaches as they will have to follow their own process.

self assessment of our privacy program
Self-Assessment of Our Privacy Program

At least every two years

Requires gathering evidence of how we comply including sampling files and testing our systems


At least annually for existing staff.

At hiring for new staff.

regulatory audits
Regulatory Audits

The OPCC can audit if it has “reasonable grounds” to believe you are contravening PIPEDA.

Our PC Officer will

direct our response to the audit.

be the lead contact with the OPCC.

or may ask you to assist in compiling information.

prepare you if the OPCC needs to interview you.

recommendations to producers
Recommendations to Producers

Take this seriously.

As an independent, you have your own regulatory obligations and risks that you have to manage.

recommendations to producers1
Recommendations to Producers

Draft your own Privacy Policy for your customers.

Create an inventory of all the PI you collect, why you collect it, where you keep it, how you protect it.

Develop your own consent form for the advice and service part of your role. Don’t rely on insurer consents alone. Make sure that you cover off sharing information with the MGA.

Use formal documents such as needs analyses, which guide you in asking required, consistent questions and are more likely to result in accuracy.

Advocis and other associations have Privacy programs to share. Join a professional association and take advantage of the compliance support they offer.

safeguards recommendations
Safeguards - Recommendations

Use encryption for sensitive information.

Password protect your computer and all devices

Keep customer PI locked up and away from public view.

Ensure that your premises are secure.

Have strict fax policies and keep your fax equipment out of public areas.

Destroy material no longer needed. Use a shredder.

Train your staff.

questions or concerns
Questions or Concerns?

Contact our Privacy Compliance Officer


Contact Information