- All banks in Canada are subject to the Personal Information Protection and Electronic Documents Act, hereinafter referred to as “PIPEDA” or the “Act”. This Act supports and promotes electronic commerce by protecting personal information that is collected, used, or disclosed in certain circumstances, and by providing for the use of electronic means to communicate or record information or transactions.
PIPEDA has two parts. The first part of the Act, Protection of Personal Information in the Private Sector, establishes rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. This Part applies to every organization in respect of personal information that
- the organization collects, uses or discloses in the course of commercial activities; or
- is about an employee of, or an applicant for employment with, the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
The second part of the Act, Electronic Documents, provides for the use of electronic alternatives in the manner provided for in this Part where federal laws contemplate the use of paper to record or communicate information or transactions.
Section 2(1) of PIPEDA defines the term “Personal Information” as information about an identifiable individual. Section 4(1) provides that PIPEDA applies to every organization in respect of personal information that the organization “collects, uses or discloses in the course of commercial activities” or that “is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.” This Part does not apply to an organization in respect of the business contact information of an individual that the organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession. In other words, the term Personal Information includes any factual or subjective information about an identifiable individual, such as the following:
Clients’ Personal Information
The following types of information are considered the Personal Information of clients:
- Age, name, and ethnic origin
- Identification Documents such as Social Insurance Number (SIN)
- Financial information such as income, credit records, credit reports and credit scores, bank account numbers, summaries or balances, and transaction histories
- Loan records and debt-related information (a simple reference to an outstanding debt, even without disclosing specific details about the debt, is personal information.)
- Tax returns and net worth
- Mortgage applications/renewals, residential property appraisal documents including the selling/purchase price of an individual’s home
- Existence of a dispute between a consumer and a merchant
- Video surveillance that captures an individual’s physical image or movement
- An Internet Protocol (IP) address can be considered personal information if it can be associated with an identifiable individual
Employees’ Personal Information
The following types of information are considered the Personal Information of employees:
- Employee files, salary, benefits and performance ratings, opinions, evaluations, comments, disciplinary actions
- Employee number, swipe cards
- Email addresses
- Cell phone records from a work cell phone
- Video footage or live-feed
- Medical records
- Intentions such as to acquire certain goods or services or change job
In certain cases, although the information appears to be the same as or similar to a piece of information listed above, PIPEDA does not apply. For example:
- Name, title, business address, or telephone number of an employee of an organization;
- Information collected, used, or disclosed by an individual strictly for personal purposes; and
- Information collected, used, or disclosed by an organization solely for journalistic, artistic, or literary purposes.
“Electronic Document” means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, print out, or other output of that data.
The Digital Privacy Act has introduced several changes in PIPEDA. All new measures defined under the Digital Privacy Act, including the data breach notification requirements, have been taken into consideration in developing this Policy.
The Office of the Privacy Commissioner of Canada (OPC) has also issued several guidelines and interpretation bulletins that convey OPC’s expectations of banks regarding compliance with PIPEDA.
Scope of this Policy
- This Policy applies to all directors, senior management, and employees of the Bank.
- This Policy shall be read in conjunction with the other compliance-related policies and procedures issued by the Bank, especially the Legislative Compliance Management Policy and related procedures.
- The Bank defines compliance with the policies and procedures of the Bank, as well as with the legal and regulatory requirements applicable to the Bank, as a responsibility of every employee of the Bank.
- A breach of this Policy by an officer or employee of the Bank may result in disciplinary action, which could lead to dismissal.
- This Policy is subject to review and approval by the Board every two years.
Protection of Personal Information
- PIPEDA applies to the Bank in respect of the following types of personal information:
- Personal Information that the Bank collects, uses, or discloses in the course of commercial activities; or
- Personal Information about employees of the Bank that the Bank collects, uses or discloses in connection with its operations.
- The Bank is required to comply with the following ten Privacy Principles as set out in Schedule 1 of PIPEDA.
- Principle 1. Accountability
- Principle 2. Identifying Purposes
- Principle 3. Consent
- Principle 4. Limiting Collection
- Principle 5. Limiting Use, Disclosure, and Retention
- Principle 6. Accuracy
- Principle 7. Safeguards
- Principle 8. Openness
- Principle 9. Individual Access
- Principle 10. Challenging Compliance
- SBI Canada Bank shall also take appropriate steps in the event of a privacy breach. This includes taking measures to contain the breach; evaluating the risks associated with the breach; notifying the affected parties, if required; and implementing preventive solutions.
Privacy Management Program at SBIC
- SBI Canada Bank is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The Bank shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
- The Privacy Officer is responsible for establishing and managing compliance with the Privacy requirements applicable to the Bank. The contact details of the Privacy Officer are made available on the website of the Bank and provided to clients upon request.
- The role and responsibilities of the Privacy Officer are defined in the mandate of the Privacy Officer. The mandate is approved by the Audit Committee of the Board.
- The Bank, with the authorization of the Audit Committee of the Board, may delegate other individuals to act on behalf of the Privacy Officer.
- Each employee of the Bank is responsible for complying with this Policy and protecting the personal information under his/her control.
- The Bank provides training to all staff members and senior management to ensure compliance with the Privacy requirements. The training is provided through in-person training sessions or through the computer-based training system used by the Bank.
- SBIC uses contractual or other means to provide a comparable level of protection to personal information that is transferred by the Bank to any third party for the purpose of supporting the Bank in providing a service or product to its clients or in complying with a legislative or regulatory requirement applicable to it.
- The Bank identifies the purpose for collecting personal information at or before the time of collection.
- The purpose of obtaining a client's personal information shall be defined in the respective "Approach Paper" or product program. In this regard, the Bank has issued a Product Development Policy. This policy defines the process used by the Bank for introducing new products and services and making changes to its existing products and services.
- If it is not feasible to provide written notice in advance, the individual can be notified orally. In such cases, prior approval from the Privacy Officer of the Bank shall be obtained by the respective business function head.
- The personal information collected by the Bank shall only be used for the identified purposes.
- If personal information that has been collected is to be used for a purpose not previously identified, the Bank shall identify the new purpose prior to using the information.
- As defined in PIPEDA and OPC guidelines, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose, and consequences of the collection, use or disclosure of the personal information to which they are consenting. SBIC shall use simple and clear language when seeking consent from clients to ensure that the consent provided by the client meets the validity criteria defined in PIPEDA. Moreover, the Bank will not require individuals to consent to the collection, use, or disclosure of personal information beyond what is necessary to provide the product or service selected by them.
- SBIC notifies and seeks consent from the individual about whom the personal information is collected at or before the time of collection, except under certain circumstances exempted under the Act.
- Depending on the sensitivity of the information, consent may be express or implied. The Bank prefers to notify its clients and employees about the purpose of collecting, using, and disclosing personal information and to seek consent in an explicit and meaningful manner, where possible.
- The Bank shall use only standard paper or electronic forms for collecting personal information required for providing products and services to clients. Each form or application used by the Bank shall contain the name of a specific product or service and thus provide the purpose for collecting personal information at the time of collection. All client forms and applications used by the Bank shall be pre-approved by the Privacy Officer of the Bank.
- The Bank may seek consent orally when information is collected over the phone or electronically when information is collected through internet or phone banking. Effective January 01, 2019, the Bank shall use innovative processes that can be used to obtain the consent at the time of disclosure. The Bank shall ensure that such processes are specific to the context and are appropriate for the type of interface used.
- Effective January 01, 2019, SBIC must allow individuals to review a summary of key elements impacting their privacy as they consider using the products or services, including online and phone banking services, offered by the Bank. For this purpose, the Bank shall put emphasis on the following elements:
- Provide details of the Personal Information that is being or might be collected by the Bank in a precise manner for individuals to meaningfully understand the impact of their consent,
- Clearly explain the disclosure that might be made to third parties and specifically if the information might be used by any of the third party for their own purposes,
- Clearly define the specific purpose(s) for which the information is collected and how it will be used or disclosed in a meaningful and simple manner, and
- Explain the residual risk of harm and other consequences of the collection, use, or disclosure for the individual, if any.
- Effective January 01, 2019, the Bank must notify users and obtain consent prior to making any significant changes to its privacy practices.
- If the Bank wishes to collect personal information of clients for marketing and research purposes or for any other specific purpose, prior approval from the Privacy Officer of the Bank shall be obtained by the respective business function head.
- In accordance with Section 7 and Schedule 1 of PIPEDA, the Bank may collect, use, or disclose personal information without the knowledge and consent of the individual under certain circumstances exempted under the Act. This includes circumstances where seeking consent is impossible or impractical due to legal, medical, or security reasons; where information is being collected and/or disclosed for the detection and prevention of fraud or for law enforcement; and where the individual is a minor, seriously ill, or mentally incapacitated. In such events, the Bank shall take reasonable measures to ensure that the collection, use, or disclosure is made in accordance with the exceptions provided in the Act. In this context, reasonable measures include, but are not limited to, conducting and documenting a review of the exceptions provided under the Act, referring the matter to the Privacy Officer of the Bank, or referring the matter to an external law firm.
- If personal information that has been collected earlier is to be used for a purpose not previously identified, the Bank shall seek consent from the individual prior to using the information for the new purpose. This does not apply if the new purpose is required by law.
- Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose. SBIC will not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
- The Bank will not obtain consent through deception and will collect personal information by fair and lawful means.
- The Bank will allow its clients and employees to withdraw their consent subject to legal or contractual restrictions and reasonable notice. If a client or an employee withdraws his/her consent, the Bank will inform them about the implication of such withdrawal.
- The Bank shall only collect personal information that is essentially required. In this context, essentially required information refers to the set of information that the Bank requires to provide the products or services requested by clients, perform its functions, and comply with the applicable requirements.
- The details of the personal information required to provide any product or service shall be set out in the respective Approach Paper.
Limiting Use, Disclosure, and Retention
- In accordance with subsection 5(3) of PIPEDA and the guidance issued by the OPC on this section, SBIC may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. The Bank shall identify the legislative and regulatory requirements that are applicable to its operations and shall not collect, use, or disclose any personal information where doing so is otherwise unlawful.
- Profiling or categorization might lead to unfair, unethical, or discriminatory treatment contrary to human rights law. SBIC shall not engage in any exercise that might create or increase the risk of unfair, unethical, or discriminatory practices.
- SBIC shall not ask for personal information of employees and job applicants that is not needed to assess an individual’s merits such as passwords to social media accounts.
- It may be permissible for the audio or video functionality of a device to be regularly or constantly turned on in order to provide a service, if the individual is both fully aware of and in control of this fact, and the captured information is not recorded, used, disclosed or retained except for the specific purpose of providing the service. SBIC shall not engage in audio or video recording or tracking through personal devices without obtaining approval from the Privacy Officer of the Bank and other management committee(s) of the Bank, as applicable. The Bank shall also provide clear and meaningful disclosure to the affected individuals and obtain explicit consent from them prior to initiating the recording or tracking process.
- SBIC shall ensure that the personal information it collects, uses, or discloses does not create any significant harm to the concerned individuals.
- As defined in the Digital Privacy Act, the term “Significant Harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
- The Bank shall retain personal information only as long as necessary for the fulfillment of the identified purposes. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made.
- The Bank shall retain personal information that is/was the subject of an Access Request as long as necessary for the individual making the request to exhaust any recourse provided by law. Upon receipt of an access request, staff responsible for retention or disposal of relevant records shall ensure that all relevant records are removed from any standard or routine disposal cycles and not destroyed or otherwise disposed of.
- Personal information that is no longer required to fulfill the identified purposes shall be destroyed, erased, or made anonymous by the Bank. This shall be applied in compliance with the legislative requirements pertaining to record keeping as well as the Record Management Policy and other policies and procedures issued by the Bank.
Disclosure of Information to External Parties
- From time to time, the Bank might use certain services provided by the Parent Bank and/or external service providers operating within and outside Canada. Therefore, the Bank might transfer certain personal information of clients as well as employees to the Parent Bank and external service providers. In such cases, the information transferred by the Bank is used only for the purpose for which it was originally collected. The outsourcing arrangements made by the Bank shall be in accordance with PIPEDA as well as guidelines issued by the OPC and the Office of the Superintendent of Financial Institutions (OSFI). The Bank shall use service level agreements (SLAs) to ensure that a comparable level of protection is provided when personal information is transferred by the Bank. This includes measures to be taken by both parties during the process of transferring/sharing the information, on an ongoing basis during the term of the agreement, and upon termination of the agreement. The Bank might also receive information from the Parent Bank or external service providers as part of the services provided by them. Personal information transferred to another jurisdiction might be accessed by the courts as well as the law enforcement and national security authorities of that jurisdiction.
- The Bank might be served with a production order or receive a request for information from a law enforcement agency, any other government institution such as the Canada Revenue Agency (CRA), or part of a government institution. Before providing the requested information in any such event, the Bank shall ensure that the disclosure is made in accordance with PIPEDA Section 7(3) and is required for the following purposes:
- To comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;
- Made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated the following:
- It suspects that the information relates to national security, the defense of Canada or the conduct of international affairs,
- The disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or
- The disclosure is requested for the purpose of administering any law of Canada or a province.
- Before disclosing the requested information, the Bank shall satisfy itself as to the genuineness of the production order or the lawful authority of a request for information made by an individual representing a law enforcement agency, any other government institution, or part of a government institution.
- If the Bank has a reasonable doubt about the genuineness of a production order or the lawful authority of a request for information, the matter shall be immediately reported to the Privacy Officer of the Bank. If required, the Privacy Officer might discuss the matter with the RMC and/or recommend that the Bank obtain a legal opinion on whether or not the Bank shall provide the requested information.
- No information shall be released without obtaining prior approval from the Privacy Officer of the Bank in the following situations:
- The Bank has a reasonable doubt about the genuineness or lawful authority of a request for information, or
- The request for information was made by an external party such as a law firm.
- The Bank shall make reasonable efforts to ensure that personal information collected, used, or disclosed by it is accurate, complete, and current. In this context, making reasonable efforts includes obtaining the information from the individual.
- The Bank will not routinely update personal information, unless it is required to update the information to fulfill the purposes for which the information was collected or it is required by law.
- To ensure accuracy of information, the Bank might also take measures to validate the information provided by clients or employees by verifying it against information under its control and information that is publicly and/or commercially available.
- The Bank is responsible for implementing security safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosures, copying, use, or modification.
- The Bank collects and maintains personal information in paper as well as electronic /digital format and has implemented various security safeguards to protect it.
- The Bank has implemented physical measures to restrict access to its offices and to physical records maintained at various locations. In this regard, access cards are required to access various areas of the Bank and physical records are maintained in locked filing cabinets.
- All staff members are responsible for safeguarding the access cards and key(s) provided to them by the Bank, protecting them from theft or loss, and promptly reporting any lost or stolen key or card to their immediate supervisor as well as to the persons responsible for issuing access cards and keys.
- The Bank provides certain information, or access to certain information, to all staff members of the Bank to enable them to perform their day-to-day activities. This includes personal information of clients and other staff members as well as information about the processes used by the Bank. The Bank requires all staff members to sign a confidentiality agreement at the time of their employment. All staff members shall treat the information provided to them by the Bank as confidential and share it only with other staff members of the Bank on a need-to-know basis.
- All staff members of the Bank are required to ensure that physical records under their custody are duly protected. Sensitive information shall not be left unattended during the day and shall be locked in filing cabinets at the end of each day.
- The Bank has implemented technological controls to protect the digital information collected by it. These controls are defined in the Information Technology and Information Security Policy of the Bank. All staff members of the Bank are required to comply with the Information Technology and Information Security Policy of the Bank and to ensure that computer terminals and laptops provided to them by the Bank are secured with passwords and that digital records under their custody are duly protected.
- The Bank periodically assesses its privacy management program to ensure its effectiveness and ongoing compliance.
- In accordance with the expectations defined in the OPC Guidelines for obtaining meaningful consent, the Bank will issue a privacy statement in simple and clear language for the purpose of providing clients with a general overview of the privacy process adopted by the Bank. This statement shall include the following details:
- Elements mentioned in paragraph 28 of this Policy;
- A description of the personal information that is generally collected by the Bank and how it is used and disclosed, including the type of personal information that is generally disclosed by the Bank to affiliated entities and service providers for the purpose of providing services to clients;
- The title and the office address of the Privacy Officer of the Bank who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;
- The means of gaining access to personal information held by the Bank; and
- A reference to any additional brochures or other information that might assist the individual in developing a deeper understanding of the process used by the Bank for complying with the privacy-related requirements.
- The Privacy Officer will address specific requests about the privacy related processes adopted by the Bank on a case-by-case basis.
- The Bank will inform an individual, upon receiving a written request, of the existence, use, and disclosure of his or her personal information and will provide access to that information. This includes providing information about the use that has been made or is being made of the client’s information and a list of third parties to which it has been disclosed.
- The Bank will respond to an individual’s written request within thirty days after the receipt of the request at minimal or no cost to the individual. The requested information will be provided or made available in a form that is generally understandable.
- In accordance with PIPEDA, the Bank may extend the time limit for a maximum of thirty days if meeting the time limit would unreasonably interfere with the activities of the Bank or the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet. The Bank may also extend the limit for the period that is necessary in order to be able to convert the personal information into an alternative format.
- If the Bank extends the time limit for responding to a request, the Bank shall, no later than thirty days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the OPC in respect of the extension. If the Bank fails to respond within thirty days, the Bank is deemed to have refused the request.
- The Bank shall respond to requests involving information provided by the Bank to a government institution or a part of a government institution in accordance with subsection 9(2.1) of PIPEDA.
- The Bank may respond to an individual’s request at a cost to the individual only if the Bank has informed the individual of the approximate cost and the individual has advised the Bank that the request is not being withdrawn.
- The Bank will give access to personal information in an alternative format to an individual with a sensory disability who has a right of access to personal information and who requests that it be transmitted in the alternative format if its conversion into that format is reasonable and necessary in order for the individual to be able to exercise rights defined in PIPEDA. The Bank does not readily maintain information in alternative format.
- In accordance with section 9(1) of PIPEDA, the Bank will not give an individual access to personal information if doing so would likely reveal personal information about a third party, unless the information about the third party is severable.
- An individual can challenge the accuracy and completeness of the information provided to him/her by the Bank and have it amended as appropriate.
- The Bank will take appropriate measures if an individual successfully demonstrates the inaccuracy or incompleteness of personal information held by the Bank. Depending upon the nature of the information challenged, the Bank will amend, make correction, delete, or add information in its records. If required, the amended information will be provided to affiliated entities and service providers having access to the same information.
Access Request about information disclosed to a government institution
- An individual might request that the Bank inform the individual of, or give the individual access to, the following types of information:
- Disclosure of information to a government institution or a part of a government institution;
- The existence of any information that the organization has relating to a disclosure made under a subpoena, warrant or order; or
- A request made by a government institution or a part of a government institution.
- The Bank will take the following steps if a request is received for access to any type of information mentioned above:
- Notify the concerned institution or part in writing about the access request made by the individual without delay, and
- Respond to the request only after receiving a notification from the concerned institution or part as to whether or not the institution or part objects to the organization complying with the request. The government institution or part is required to provide such notification within thirty days after the day on which it is notified.
- If the Bank is notified that the institution or part objects to providing the requested information to the individual, the Bank will take the following steps:
- Refuse the request to the extent that it relates to information referred above;
- Notify the Office of the Privacy Commissioner of Canada (OPC) in writing without delay about the refusal; and
- Not disclose any of the following information to the individual:
- The information that the Bank has relating to a disclosure to a government institution or a part of a government institution,
- The notification provided by the Bank to the institution or part or the Commissioner, and
- The institution’s or part’s objection to providing the requested information to the individual.
- The Bank will not respond to such a request before the earlier of the day on which it is notified by the concerned institution or part and thirty days after the day on which the institution or part was notified.
Refusal to provide access
- In addition to the information referred to in the previous section of this Policy, the Bank is also not required to give access to personal information in the following circumstances:
- Providing access to requested information would reveal confidential commercial information;
- Providing access to requested information would reasonably be expected to threaten the life or security of another individual;
- The information was collected under a provision provided in PIPEDA that allows collection without knowledge or consent of the individual; or
- The information was generated in the course of a formal dispute resolution process.
- If the information mentioned in paragraphs 71 and 78 of this Policy is severable from the record containing other information for which access is requested, the Bank will give access after severing the information mentioned in these paragraphs.
- The exceptions mentioned in the previous paragraph do not apply if the individual needs the information because the individual’s life, health, or security is threatened.
- If the Bank is not able to provide access to all the personal information it holds about an individual, due to an exception as defined in PIPEDA, the reasons for denying access shall be provided to the individual. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
- If the Bank decides not to give access to personal information under circumstances as defined in this Policy, the Bank will notify OPC in writing. Such notifications will include any information that the OPC may specify.
- Any individual can challenge the Bank's compliance with PIPEDA by writing to the Privacy Officer of the Bank. The Bank has issued a Complaint Resolution Brochure that provides the contact details of the Privacy Officer of the Bank as well as the contact details of the OPC.