Definition of Terms
Prudent Benefits Administration Services Inc., Benchmark Decisions Ltd., and Student Benefits Administrators Inc. (hereinafter referred to collectively as “PBAS”, for ease of reference).
Personal Information is any factual or subjective information, recorded or not, about an identifiable individual. In general, Personal Information does not include business contact information, such as your name, title, and business telephone number.
Chief Privacy Officer
The person at PBAS responsible for overseeing privacy practices to ensure overall compliance with federal and provincial privacy legislation. This includes ensuring that all staff are trained on privacy best practices and carrying out any disclosure requirements under the applicable privacy legislation, including those relating to privacy breaches.
The Office of the Privacy Commissioner of Canada (“OPC”) defines a “breach of security safeguards” as:
the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.
According to the OPC, a privacy breach is:
the loss of, unauthorized access to, or disclosure of, personal information. Breaches can happen when personal information is stolen, lost or mistakenly shared.
Only breaches involving personal information are in scope for PIPEDA, based on a test for a “real risk of significant harm.”
The law defines “significant harm” to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
PIPEDA’s Ten Fair Information Principles
The following ten principles of privacy are interrelated and are based on fair information practices. They are intended to recognize an individual’s right of privacy while balancing the need for an organization to collect, use or disclose Personal Information for legitimate business purposes.
2) Identifying the Purposes of Collecting Personal Information
Unless additional purposes are identified to an individual before or at the time of collection, PBAS will collect Personal Information only for the following purposes.
3) Obtaining Consent
PBAS will collect, use or disclose Personal Information only with an individual’s knowledge and consent, except where required or permitted by law. This is commonly acquired through the completion of a benefit enrolment form. An individual can provide consent to the collection, use and disclosure of Personal Information about them expressly, or through an authorized representative. The latter would require written authorization from the individual to release the Personal Information. For an individual who is a minor, seriously ill, or mentally incapacitated, consent may be obtained from a legal guardian, or person having power of attorney. Subject to certain legal or contractual restrictions and reasonable notice, an individual can withdraw consent at any time. PBAS will inform individuals of the consequences of refusing or withdrawing consent when individuals seek to do so. Refusing or withdrawing consent could precipitate the destruction of an individual’s Personal Information and may, therefore, render ongoing participation in a benefit plan impossible.
4) Limits for Collecting Personal Information
PBAS will limit the amount and type of Personal Information collected. PBAS will collect Personal Information only for the identified purposes or as otherwise permitted by law, and will collect information about an individual primarily from the individual, or from external sources only if the individual has consented to such collection.
5) Limits for Using, Disclosing and Keeping Personal Information
PBAS will use or disclose Personal Information only for the reasons it was collected, unless an individual provides consent to use or disclose it for another reason. Under certain circumstances, PBAS may have a legal duty or right to disclose Personal Information without consent. PBAS will keep Personal Information only as long as necessary for the identified purposes.
6) Keeping Personal Information Accurate
PBAS will keep the Personal Information in its possession or control accurate, complete, current and relevant, based on the most recent information available to PBAS. Individuals may challenge the accuracy and completeness of Personal Information about them and have it amended as appropriate.
If an individual demonstrates that Personal Information is inaccurate, incomplete, out-of-date or irrelevant, PBAS will revise or delete the Personal Information and disclose the revised Personal Information to any third parties to whom wrong or outdated information was disclosed, in order to permit them to revise their records.
7) Safeguarding Personal Information
PBAS will protect Personal Information with safeguards appropriate to the sensitivity of the information.
Encryption, firewalls, anti-virus programs and robust authentication procedures, including updating passwords on a regular basis, are some examples of the security controls in place.
Disaster Recovery (“DR”) tests are performed annually at a remote DR location. As part of this test, all server-based systems are recovered and verified. Privacy protection is set out in a contractual agreement we enter into on an annual basis with the company that performs the DR testing.
8) Making Information About Policies and Procedures Available
PBAS will be transparent about the procedures used to manage Personal Information.
9) Providing Access to Personal Information
When requested to do so, PBAS will advise an individual what Personal Information about the individual is in its possession or control, what it is being used for, and to whom it has been disclosed. PBAS will respond to the request no later than thirty (30) days after receipt of the request. This timeframe may be extended by a maximum of thirty (30) additional days if, for example, additional time is required to conduct consultations. If that were to happen, PBAS would notify the individual in writing. In the unlikely event that PBAS determines that there may be a cost to the individual in granting such access, PBAS shall inform the individual of the costs permitted by law prior to granting such access.
10) Handling Complaints and Questions
Complaints and inquiries should be directed, in writing, to the Chief Privacy Officer at the following address:
110-61 International Blvd
Toronto, Ontario M9W 6K4
All complaints will be investigated. If a complaint is found to be justified, PBAS will take appropriate measures, including, if necessary, amending policies and practices. If individuals are not satisfied with the way PBAS has responded to their complaint or inquiry, they may file a written complaint with:
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Revised Date: June 17, 2020