PBAS PRIVACY POLICY
Definition of Terms
PBAS
Prudent Benefits Administration Services Inc. and Benchmark Decisions Ltd. (hereinafter referred to collectively as “PBAS”, for ease of reference).
PBAS Data
Data that is entrusted to PBAS for the purpose of administering the business on behalf of PBAS clients and their plan participants, including financial records, employee/participant files or any other data deemed private and confidential. This Privacy Policy supplements PBAS’s professional and ethical obligations in respect of the personal information entrusted to PBAS by our clients and by PBAS employees.
Personal Information
Any factual or subjective information, recorded or not, about an identifiable individual. In general, Personal Information does not include business contact information, such as your name, title and business telephone number.
Chief Privacy Officer
The person at PBAS who is responsible for overseeing privacy practices and ensuring overall compliance with federal and provincial privacy legislation. This includes ensuring that all staff are trained on privacy best practices and carrying out any disclosure requirements under the applicable privacy legislation, including the reporting of privacy breaches.
Introduction
PBAS has always recognized and respected the privacy and confidentiality of Personal Information collected in the course of its daily business activities. As a further commitment, PBAS has created this Privacy Policy, which embodies PBAS’s adherence to the principles outlined in the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applies to all PBAS operations. A copy of PIPEDA is available at www.priv.gc.ca. PBAS complies with all applicable federal and provincial privacy legislation. In addition, PBAS has a documented process for reporting a breach incident involving information in its possession or custody, including information that has been transferred to a third party for processing. This approach is consistent with the General Data Protection Regulation (“GDPR”). A copy of GDPR is available at www.gdpr.eu.
The Office of the Privacy Commissioner of Canada (“OPC”) defines a “breach of security safeguards” as:
- the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.
According to the OPC, a privacy breach is:
- the loss of, unauthorized access to, or disclosure of, personal information. Breaches can happen when personal information is stolen, lost or mistakenly shared.
Only breaches involving personal information are in scope for PIPEDA’s breach provisions, and the obligation to report a breach to the OPC and notify affected individuals is triggered where it is reasonable to believe the breach creates a “real risk of significant harm” to an individual.
The law defines “significant harm” to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
The following ten principles of privacy are interrelated and are based on fair information practices. They are intended to recognize an individual’s right of privacy while balancing the need for an organization to collect, use or disclose Personal Information for legitimate business purposes.
- Accountability
PBAS is accountable for all Personal Information in its possession or control, including any Personal Information transferred to third parties. PBAS has established policies and procedures to comply with this Privacy Policy. All staff are required to sign a Confidentiality Agreement as a condition of their employment. Whenever PBAS engages the services of a third-party provider, a Confidentiality and Non-Disclosure Agreement is executed to ensure safeguards are in place to protect Personal Information. In addition to regular audits and other compliance procedures, employee training is conducted regularly to ensure that standards set by federal and provincial privacy legislation are followed.
- Identifying the Purposes of Collecting Personal Information
Unless additional purposes are identified to an individual before or at the time of collection, PBAS will collect Personal Information only for the following purposes:
  - to compute and/or pay a benefit
  - for payroll purposes
  - to satisfy the reporting requirements of the provincial and federal governments
  - to pay taxes and comply with civil and criminal law
  - to determine future operating costs
  - to accommodate audits
  - to transfer applicable PBAS Data to a new or replacement benefit plan
- Obtaining Consent
PBAS will collect, use or disclose Personal Information only with an individual’s knowledge and consent, except where required or permitted by law. This is commonly acquired through the completion of a benefit enrolment form. An individual can provide consent to the collection, use and disclosure of Personal Information about them expressly, or through an authorized representative. The latter would require written authorization from the individual to release the Personal Information. For an individual who is a minor, seriously ill, or mentally incapacitated, consent may be obtained from a legal guardian, or person having power of attorney. Subject to certain legal or contractual restrictions and reasonable notice, an individual can withdraw consent at any time. PBAS will inform individuals of the consequences of refusing or withdrawing consent when individuals seek to do so. Refusing or withdrawing consent could precipitate the destruction of an individual’s Personal Information and may, therefore, render ongoing participation in a benefit plan impossible.
- Limits for Collecting Personal Information
PBAS will limit the amount and type of Personal Information collected. PBAS will collect Personal Information only for the identified purposes or as otherwise permitted by law, and will collect it directly from the individual or, where the individual has consented to such collection, from external sources.
- Limits for Using, Disclosing and Keeping Personal Information
PBAS will use or disclose Personal Information only for the reasons it was collected, unless an individual provides consent to use or disclose it for another reason. Under certain circumstances, PBAS may have a legal duty or right to disclose Personal Information without consent. PBAS will keep Personal Information only as long as necessary for the identified purposes.
- Keeping Personal Information Accurate
PBAS will keep the Personal Information in its possession or control accurate, complete, current and relevant, based on the most recent information available to PBAS. Individuals may challenge the accuracy and completeness of Personal Information about them and have it amended as appropriate.
If an individual demonstrates that Personal Information is inaccurate, incomplete, out-of-date or irrelevant, PBAS will revise or delete the Personal Information and disclose the revised Personal Information to any third parties to whom the wrong or outdated information was disclosed, in order to permit them to revise their records.
- Safeguarding Personal Information
PBAS will protect Personal Information with safeguards appropriate to the sensitivity of the information.
Encryption, firewalls, anti-virus programs and robust authentication procedures, including regular password updates, are some examples of the security controls in place.
Disaster Recovery (“DR”) tests are performed annually at a remote DR location. As part of this test, all server-based systems are recovered and verified. Privacy protection is outlined in a contractual agreement we enter into on an annual basis with the company that performs the DR testing.
- Making Information About Policies and Procedures Available
PBAS will be transparent about the procedures used to manage Personal Information.
- Providing Access to Personal Information
When requested to do so, PBAS will advise an individual what Personal Information it holds in its possession or control about the individual, what it is being used for and to whom it has been disclosed. PBAS will respond to the request no later than thirty (30) days after receipt of the request. This timeframe may be extended by a maximum of thirty (30) additional days if, for example, additional time is required to conduct consultations; if that were to happen, PBAS would notify the individual in writing. In the unlikely event that PBAS determines that there may be a cost to the individual in granting such access, PBAS shall inform the individual of the costs permitted by law prior to granting such access.
- Handling Complaints and Questions
Complaints and inquiries should be directed, in writing, to the Chief Privacy Officer at the following address:
PBAS
110-61 International Blvd
Toronto, Ontario M9W 6K4
All complaints will be investigated. If a complaint is found to be justified, PBAS will take appropriate measures, including, if necessary, amending policies and practices. If individuals are not satisfied with the way PBAS has responded to their complaint or inquiry they may file a written complaint with:
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Changes to This Privacy Policy
In order to ensure that this Privacy Policy is kept up-to-date, PBAS reserves the right to amend it from time to time. Notice of changes to the Privacy Policy may be distributed through bulletins, statements, newsletters and/or posted on the PBAS website.
Revised Date: July 14, 2023