Privacy Code






Definition Of Terms Used In This Privacy Code

The PBAS Group

“The PBAS Group” is the operating style name of Benchmark Decisions Ltd., Prudent Benefits Administration Services Inc., and Student Benefits Administrators Inc.

PBAS Data

Data that is entrusted to PBAS for the purpose of administering the business on behalf of PBAS clients, financial records, employee files or any other data deemed private and confidential.

Personal Information

Information about an identifiable individual, but does not include the name, title or business address or business telephone number of an employee of an organization.

Chief Privacy Officer

The person at The PBAS Group who is responsible for overseeing that management practices are carried out to ensure overall compliance with the Act.

Introduction

Effective January 1, 2004, The PBAS Group was required to comply with the Personal Information Protection and Electronic Documents Act (“PIPEDA”).  A copy of PIPEDA is available at www.priv.gc.ca.

We have always recognized and respected the privacy and confidentiality of Personal Information we collect in the course of our daily business activities.  As a further commitment, we have created this Privacy Code, which is an embodiment of our adherence to the principles outlined in PIPEDA and applies to all our operations.

PIPEDA’s Ten Fair Information Principles

The following ten principles of privacy are interrelated and are based on fair information practices.  They are intended to recognize an individual’s right of privacy while balancing the need for an organization to collect, use or disclose Personal Information for legitimate business purposes.

1) Accountability

The PBAS Group is accountable for all Personal Information in its possession or control, including any Personal Information transferred to third parties. We have established policies and procedures to comply with this Privacy Code. All staff are required to sign a Confidentiality Agreement as a condition of their employment. In addition to regular audits and other compliance procedures, employee training is conducted regularly to ensure that standards set by federal and provincial privacy legislation are followed.

2) Identifying The Purposes Of Collecting Personal Information

Unless additional purposes are identified to an individual before or at the time of collection, we will collect Personal Information only for the following purposes:

compute a benefit
satisfy the reporting requirements of the provincial and federal governments
pay taxes and comply with civil and criminal law
determine future operating costs
accommodate audits
transfer applicable PBAS Data to a new replacement benefit plan

3) Obtaining Consent

We will collect, use or disclose Personal Information only with an individual’s knowledge and consent, except where required or permitted by law. This is commonly acquired through the completion of a benefit enrolment form.  An individual can provide consent to the collection, use and disclosure of Personal Information about them expressly, or through an authorized representative.  The latter would require written authorization from the individual to release the Personal Information.  For an individual who is a minor, seriously ill, or mentally incapacitated, consent may be obtained from a legal guardian, or person having power of attorney.  Subject to certain legal or contractual restrictions and reasonable notice, an individual can withdraw consent at any time.  We will inform individuals of the consequences of refusing or withdrawing consent when individuals seek to do so.  Refusing or withdrawing consent could precipitate the destruction of an individual’s Personal Information and may, therefore, render ongoing participation in a benefit plan impossible.

4) Limits For Collecting Personal Information

We will limit the amount and type of Personal Information we collect.  We will collect Personal Information only for the identified purposes or as otherwise permitted by law, and will only collect the information about an individual primarily from the individual or from external sources if individuals have consented to such collection.

5) Limits For Using, Disclosing And Keeping Personal Information

We will use or disclose Personal Information only for the reasons it was collected, unless an individual provides consent to use or disclose it for another reason.  Under certain circumstances, we may have a legal duty or right to disclose Personal Information without consent.  We will keep Personal Information only as long as necessary for the identified purposes.

6) Keeping Personal Information Accurate

We will keep the Personal Information in our possession or control accurate, complete, current and relevant, based on the most recent information available to us.  Individuals may challenge the accuracy and completeness of Personal Information about them and have it amended as appropriate. 

If an individual demonstrates that Personal Information is inaccurate, incomplete, out-of-date or irrelevant, we will revise or delete the Personal Information and disclose the revised Personal Information to any third parties to whom we disclosed wrong or outdated information in order to permit them to revise their records.

7) Safeguarding Personal Information

We will protect Personal Information with safeguards appropriate to the sensitivity of the information.

Disaster Recovery (DR) tests are performed annually at a remote DR location. As part of this test, all server based systems are recovered and verified. Privacy protection is outlined in a contractual agreement we enter into on an annual basis with the company that performs the DR testing.

8) Making Information About Policies And Procedures Available

We will be transparent about the procedures used to manage Personal Information. 

9) Providing Access To Personal Information

When requested to do so, we will advise an individual what Personal Information we have in our possession or control about the individual, what it is being used for, and to whom it has been disclosed. We will respond to the request no later than thirty (30) days after receipt of the request.  This timeframe may be extended for a maximum of thirty (30) additional days, if, for example, additional time is required to conduct consultations.  If that were to happen, we would notify the individual in writing.  In the unlikely event that we determine that there may be a cost to the individual in granting such access, we shall inform the individual of the costs permitted by law prior to granting such access.  All requests for Personal Information should be addressed, in writing, to our Chief Privacy Officer.

10) Handling Complaints And Questions

Complaints and inquiries should be directed, in writing, to our Chief Privacy Officer.

Wayne Murphy, CEBS
The PBAS Group
110-61 International Blvd
Toronto, Ontario M9W 6K4
wayne_murphy@pbas.ca

All complaints will be investigated. If a complaint is found to be justified, we will take appropriate measures, including, if necessary, amending our policies and practices. If individuals are not satisfied with the way we have responded to their complaint or inquiry, they may file a written complaint with:

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3

Changes To This Privacy Code

In order to ensure that this Privacy Code is kept up-to-date, we reserve the right to amend it from time to time.  Any changes will be effective thirty (30) days following The PBAS Group providing you with notice.  Notice of changes to the Privacy Code may be distributed through bulletins, statements, newsletters and/or posted on our website.