Respecting privacy is an integral part of our services. That is why we have adopted this Insight Risk Services Ltd. Privacy Code (this “Privacy Code”), which explains our privacy protection practices in accordance with applicable privacy laws, including the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
The ten principles that form the basis of this Privacy Code are interrelated and we adhere to the ten principles as a whole. Each principle should be read in conjunction with the accompanying commentary. The commentary in this Privacy Code has been drafted to reflect privacy issues specific to us.
We will continue to review and revise this Privacy Code to make sure that it remains current with changing industry standards, technologies and applicable laws.
Scope and Application
This Privacy Code applies to the personal information of individuals that we collect, use, retain or disclose in the course of our commercial activities.
This Privacy Code does not apply to the personal information of individuals that is collected, used, retained or disclosed by other businesses with whom we may deal, provided that:
- we have not disclosed such personal information to these businesses; and
- these businesses have not disclosed such personal information to us.
This Privacy Code does not impose any limits on the collection, use, retention or disclosure of the following information by us:
- certain business contact information, such as the name, title or business address or telephone number of an employee of an organization;
- aggregate information that cannot be reasonably associated with an identifiable individual; or
- other publicly available information as exempted by applicable privacy laws, including PIPEDA.
The application of this Privacy Code is subject to the requirements and provisions of PIPEDA, an order of any court and other applicable legislation or regulation.
collection: The act of gathering, acquiring, recording, or obtaining personal information from any source, including third parties, by any means.
consent: Voluntary agreement for the collection, use and disclosure of personal information for defined purposes. The form of consent we seek may vary, depending upon the circumstances and the type of personal information. In determining the form of consent, we take into account the sensitivity of the personal information and the reasonable expectations of individuals. Consent may be provided directly by an individual or by an authorized representative in accordance with applicable law.
disclosure: Making personal information available to a third party.
employee: An employee of, or an independent contractor to, us. The inclusion of independent contractors within the definition of “employee” is for convenience of reference only, and should in no manner imply that such independent contractors are our employees within the meaning of employment legislation or are in an employee-employer relationship with us.
Insight Risk: Means Insight Risk Services Ltd.
personal information: Information about an identifiable individual, but does not include the name, title, business address or telephone number of an employee of an organization.
use: The treatment, handling, and management of personal information by us and within our company.
we: Means (and “us”, “our”, and “ours” refer to) Insight Risk, and its successors and assigns.
you: Means (and “your” refers to) the user of our services and products, and your heirs, administrators, executors and assigns.
Principle 1 – Accountability
We are responsible for personal information under our control and shall designate one or more persons who are accountable for our compliance with this Privacy Code.
We are responsible for all personal information under our control and have designated the Insight Risk Privacy Officer to oversee our privacy compliance. Other individuals within our company may be delegated to act on behalf of the Insight Risk Privacy Officer or to take responsibility for the day to day management of personal information.
As appropriate, we implement privacy policies and procedures to properly enforce this Privacy Code and we use contractual or other means to provide a comparable level of privacy protection while personal information is being processed or used by a third party or our agents.
We have implemented privacy policies and procedures to give effect to this Privacy Code, including:
- implementing privacy procedures to protect personal information and to oversee compliance with this Privacy Code;
- establishing privacy procedures to receive and respond to inquiries or complaints;
- training employees about our privacy policies and procedures; and
- developing publicly available information to explain our privacy policies and procedures.
Principle 2 – Identifying Purposes for Collection of Personal Information
We shall identify the purposes for which personal information is collected at or before the time such information is collected.
As part of our services, we have collected and are collecting personal information for the following purposes:
- to verify your identity and the accuracy of your personal information through, for example, the exchange of information with government agencies, industry associations, property and motor vehicle information databases, insurers, brokers, adjusters, or other insurance intermediaries; be assured the foregoing organizations are also required to comply with privacy laws in the same manner as we are;
- to analyze and assess risk;
- to investigate your insurance history;
- to determine an appropriate policy type and number for you;
- to conduct investigations relating to breaches of agreements or contraventions of laws, including fraud;
- to compile statistics and to report to regulatory or industry entities in accordance with prudent insurance practices;
- to establish and maintain responsible business relations with individuals, including you;
- to develop, enhance and market our services;
- to manage and develop our business and operations, including personnel and employment matters;
- to meet legal and regulatory requirements, including to protect or defend a legal interest, and in connection with an actual or possible Insight Risk corporate reorganization, merger or amalgamation with another entity, or an actual or possible sale of all or a substantial portion of the assets of Insight Risk, provided that the personal information disclosed continues to be used by the entity acquiring the personal information either for evaluation of the possible transaction, or, on completion of any transaction, for the purposes permitted by this Privacy Code; or
- to carry out any other purpose that an individual has authorized or that is required or permitted by law.
Further references to “identified purposes” mean the purposes identified in this Principle.
Principle 3 – Obtaining Consent for Collection, Use or Disclosure of Personal Information
The knowledge and consent of an individual are required for the collection, use, or disclosure of personal information, except where inappropriate. In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual.
In obtaining an individual’s consent, whether express or implied, we will explain the purposes for which we will manage an individual’s personal information. We will not depart from these original and stated purposes unless an individual provides further consent or unless otherwise required or permitted by law.
Individuals may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Individuals may contact us for more information regarding the implications of withdrawing consent.
Principle 4 – Limiting Collection of Personal Information
We shall limit the collection of personal information to that which is necessary for the purposes we have identified. We shall collect personal information by fair and lawful means.
In most cases, we will only collect personal information that is necessary for the purposes identified in this Privacy Code. We may collect personal information from other sources as permitted by applicable laws.
Principle 5 – Limiting Use, Disclosure, and Retention of Personal Information
We shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required or permitted by law. We shall retain personal information only as long as necessary for the fulfillment of those purposes.
We will not disclose personal information for purposes other than those purposes for which it was collected, except with the consent of the individual or as required or permitted by law. For example, we may disclose an individual’s personal information:
- when we have an individual’s consent, whether express or implied;
- to authorized representatives of the individual;
- to third party agents or suppliers we engage to perform functions on our behalf;
- to meet legal and regulatory requirements, including to protect or defend a legal interest, in connection with an actual or possible Insight Risk corporate reorganization, merger or amalgamation with another entity, or actual or possible sale of all or a substantial portion of the assets of Insight Risk; and
- where required or permitted by law.
In such circumstances, we will comply with applicable privacy laws and, in doing so, not disclose more personal information than is required for the identified purposes. We may also, whenever it is reasonable and practicable to do so, enter privacy agreements with third parties to whom we disclose personal information.
We will retain personal information for a period of time only as long as it remains necessary or relevant for the identified purposes or as required or permitted by law.
Depending on the circumstances, where personal information has been used to make a decision about an individual, we shall retain, for a period of time that is reasonably sufficient to allow for access by the individual, either the actual personal information or the rationale for making the decision.
Only our employees who require access for legitimate reasons or whose duties reasonably so require are granted access to personal information.
We maintain reasonable and systemic controls, schedules and practices for personal information retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required or permitted by law to be retained. Such personal information is destroyed, erased or made anonymous as appropriate.
Principle 6 – Accuracy of Personal Information
Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
We make reasonable efforts to ensure that the personal information we collect, use or disclose is as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
If an individual finds any errors in our personal information holdings, we should be informed and we will make the appropriate corrections. We will convey these corrections to anyone that we may have misinformed. In circumstances where the accuracy or completeness of personal information remains in dispute, we will make a note in our records of an individual’s opinion as to the accuracy or completeness of the relevant personal information.
Principle 7 – Security Safeguards
We shall protect personal information by security safeguards appropriate to the sensitivity of the information.
We protect personal information against such risks as loss, theft, unauthorized access, disclosure, copying, use, modification or destruction, through appropriate security measures. We protect personal information regardless of the format in which it is held.
All of our employees who have access to personal information are required as a condition of employment or engagement to respect the confidentiality of personal information and obligations set forth in this Privacy Code.
Principle 8 – Openness Concerning Policies and Procedures
We shall make readily available to individuals specific information about our policies and procedures relating to the management of personal information.
Individuals should forward questions or concerns regarding our privacy practices to the Insight Risk Privacy Officer.
Principle 9 – Access to Personal Information
Upon request, we shall inform an individual of the existence, use, and disclosure of his or her personal information and shall provide access to that information. An individual shall be able to challenge the accuracy and completeness of the personal information and have it amended as appropriate.
An individual may request access to any personal information that we have concerning them by sending a written request to the Insight Risk Privacy Officer. We may advise an individual in advance if there is a minimal charge to conduct a search of our records and we will respond within 30 days.
In accordance with applicable laws and/or our policies or procedures, we may not be able to provide personal information to an individual if:
- doing so could violate the privacy of a third party;
- the personal information is subject to solicitor-client privilege;
- doing so would reasonably be expected to threaten the life or security of another individual;
- the personal information was generated in the course of a formal dispute resolution process;
- the personal information was collected for purposes related to the detection and the prevention of fraud; and
- the personal information contains confidential commercial information or cannot be disclosed for other legal reasons.
If we are unable to provide access to all or part of an individual’s personal information, we will explain our reasons for such a decision to the greatest extent permitted by law.
Personal information that is disclosed to third parties by us will be subject to the general laws applicable in the jurisdiction in which the third party conducts business. As a result, and in certain limited situations, we may not legally be permitted to account for certain collections, uses or disclosures of personal information. In most circumstances, however, we shall provide an account of the use and disclosure of personal information and, where reasonably possible, we shall state the source of the personal information. In providing an account of disclosure, we shall provide a list of organizations to which we may have disclosed personal information about an individual when it is not possible to provide an actual list.
In order to safeguard personal information, an individual may be required to provide sufficient identification information to permit us to account for the existence, use and disclosure of personal information and to authorize access to an individual’s personal information. Any such information shall only be used for this purpose.
Where an individual has been provided with access to their personal information, they shall be able to challenge the accuracy and completeness of their personal information and have it amended as appropriate.
Principle 10 – Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated person or persons accountable for our compliance with this Privacy Code.
Questions or concerns regarding our privacy practices should be directed to the Insight Risk Privacy Officer.
We will investigate all complaints concerning compliance with this Privacy Code and if a complaint is found to be justified, we shall take the appropriate measures to resolve the complaint including, if necessary, amending our privacy policies and procedures. We shall inform an individual of the outcome of an investigation regarding his or her complaint.
For more information regarding this Privacy Code or our privacy practices, please contact the Insight Risk Privacy Officer at:
The Insight Risk Privacy Officer
Suite 300, 180 – 235 Vermillion Road
Winnipeg, MB R2J 3M7
For additional information about your privacy rights, please visit the Office of the Privacy Commissioner of Canada’s Internet web site at www.privcom.gc.ca.