Last Updated: October 2023
This Policy applies to Personal Information Processed by us about or on behalf of our clients, including their employees or plan members, and about our website visitors and business partners, which may include contractors, subcontractors, agents, vendors and suppliers (“you” or “your”). Personal Information Processed by us about employees or plan members of a client is provided by the client. Clients are responsible for ensuring that in providing the Personal Information of their employees or plan members to us, they have complied with and will comply with applicable laws. Business partners, in the course of conducting their duties, for or on our behalf, may also have access to and collect Personal Information. This Policy also applies to you if we have a professional or business relationship or connection with you or if you use our services, sign up for events or participate in seminars, subscribe to our publications, complete a survey or contact us with an enquiry using the forms on our website or by email.
As actuaries and other professionals, we have professional and ethical obligations to maintain information we have received from our clients and others in confidence and this Policy supplements such obligations. Any Personal Information that we collect or is provided to us will be Processed by us in compliance with applicable laws.
We are also committed to providing you with understandable and easily available information about our privacy practices. If there are any changes to our privacy practices or applicable laws which necessitates a change to our Policy, we will update this Policy without notice and post a revised Policy to our website. We will indicate at the top of the Policy the date when it was last updated. You may therefore wish to refer to this Policy periodically to review any such changes.
When we refer to “Process” or “Processing” or “Processed” in this Policy, this means carrying out any operation or set of operations on the Personal Information, including collection, obtaining, accessing, recording, organization, storage, adaptation, alteration, retrieving, consultation, use, transferring, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, restriction, erasure or destruction.
1. What is Personal Information?
“Personal Information” is any information, in any form, about an identified or identifiable individual or an individual whose identity may be inferred or determined from such information (for example if it is combined with other available information). However, it generally does not include business contact information when used to contact a person in respect of their business role or function.
2. Limited Processing
Where possible, we strive to limit the amount of Personal Information we collect to that necessary and appropriate for the identified purposes. Accordingly, we collect Personal Information for specified and legitimate purposes and we will not further Process such information in a manner that is incompatible with those purposes, except with your consent or as permitted or required by applicable laws.
3. Lawful Basis for Processing
In general, in accordance with applicable laws, we do not require your consent to Process your Personal Information because the Processing is necessary or permitted:
- to provide you with the information or services that you’ve requested;
- to respond to your inquiry;
- to protect your vital interests or those of another person;
- for our legitimate interests, which include, among others, performance of a contract for services or products requested by you, direct marketing, business development, IT security and fraud prevention, and the purposes set out in s. 7 of this Policy; or
- to comply with applicable law, legal or regulatory obligations, or a lawful order.
By using our website or otherwise interacting with us, you consent to the Processing of your Personal Information by us in accordance with the terms of and for the purposes set out in this Policy. If we wish to Process your Personal Information for any additional purposes, we will obtain your express consent (by verbal, written or electronic agreement).
Prior to submitting Personal Information to us, clients are responsible for ensuring that they have given their plan members and employees appropriate notice that they are providing such plan member and employee Personal Information to us and for obtaining the necessary consent or authority from the relevant plan members and employees to permit us to Process such Personal Information for the purposes set out in this Policy. As such, if you are an employee or plan member of a client (e.g., an employer or plan sponsor) we will rely on the consent you provided to your employer or plan sponsor in the Processing of your Personal Information.
If you do not agree to the terms of this Policy, you should exit the website or other software platform or portal, and cease use of all of our services immediately, or contact us to withdraw your consent where applicable.
5. What Personal Information do we Collect?
The following is a non-exhaustive list of some of the information we may collect about you:
- Clients, prospective clients, business contacts: name, title/position, address, phone number, email address, billing information, account name, insurance policy number
- Employees and plan members of clients: unique personal identifiers, gender, sex, age, date of birth, wage rate, hours of work, employment dates and work history, union membership, pension income, benefits information, date of death, retirement date, not actively at work status (e.g. leave of absence, disability), marital or family status, information regarding a member’s spouse (including spouse’s name, unique identifier, date of birth, sex, date of death), former spouse, survivors or beneficiaries (including dependent’s name, unique identifier, date of birth, sex), insurance policy number, information disclosed by a member’s insurance or health plan provider or plan sponsor regarding claims made under their policy.
- Business partners: name, address, phone number, email address, banking information, tax ID numbers.
- Website visitors, others we interact with or people who contact us with an enquiry: name, organization name, title, contact details, publication and content preferences, preferred location, IP address, information provided in the course of communications with us.
Occasionally, we may collect special categories of Personal Information (also known as “Sensitive Personal Information”), which can include information about a person’s sex, union membership, not at work status due to a disability, and banking information, where the rules about how we Process it are stricter.
6. How do we Collect Personal Information?
Individuals have the right to know how their Personal Information is collected. We act as a data processor and we only ask for and collect Personal Information in the course of the following interactions with us:
- When individuals contact us or otherwise provide us with their Personal Information
- When individuals create (or are provided) accounts with any software platform or portal operated by us
- When individuals use or request our products and services through our website or otherwise
- When individuals respond to online or email surveys, subscribe to newsletters or provide information to us in person, in writing, or over the telephone when asked for such information; and
- In the course of the performance of a contract for the provision of our goods or services, where Personal Information of plan members or employees is provided by clients, as applicable.
7. How we Use Personal Information
We use Personal Information for the following purposes, among others:
- To develop, perform and deliver products and services;
- For the performance and delivery of webinars;
- To send publications to our stakeholders;
- To process transactions for the purchase of goods and services;
- To improve our products, services, programs and website;
- To enter and maintain contractual relationships with business partners and clients;
- To inform or offer clients or prospective clients goods or services;
- To comply with our legal, regulatory, contractual and professional obligations or any lawful order;
- To respond to your enquiry;
- To assist with business development and sales opportunities;
- To inform our research and analysis;
- To verify the identify of prospective and existing clients; and
- To generate anonymized or statistical data.
We do not use automated decision-making (e.g. making a decision about an individual solely by automated means or processing of that individual’s Personal Information without any human involvement).
8. Transferring and Sharing Personal Information
To the extent we need to share your Personal Information with third parties, we use contractual and other means to provide a comparable level of privacy protection while the information is being Processed or handled by such third parties. We will take steps to ensure that they keep the Personal Information secure and confidential and use it only for the agreed purposes. These third parties are committed by contractual agreements with us to protect Personal Information from unauthorized access, collection, use or disclosure.
We may share your Personal Information with third parties as follows:
- Our subsidiaries for the purposes of providing our products and services, including delivering joint products and services, maintaining security, and facilitating your requests;
- Service providers and suppliers, subject to contractual requirements, who support our business including contractors and subcontractors providing products and services on our behalf, IT support and security, cloud computing and back up, data storage and processing, auditing, and communication and marketing suppliers;
- Third parties in the event of a potential merger or acquisition, transfer of assets, or business reorganization; and
- Law enforcement bodies, regulatory authorities, or the courts, when required as a matter of law or as necessary to protect our rights.
Some of these third parties may be located outside Canada. Consequently, subject to contractual requirements, Personal Information may also be transferred outside Canada and/or outside Québec to another province or territory, Jamaica or Barbados, where data protection laws may be different. However, we will comply with applicable laws and this Policy when making any such cross-border transfers (for example, by signing appropriate contracts) to ensure your Personal Information is protected.
9. How we Protect Personal Information
We use physical, technical and organizational security controls commensurate with the amount and sensitivity of the Personal Information to prevent unauthorized access, use, loss, destruction and damage. In addition, Processing is performed in accordance with applicable laws taking into consideration the nature, scope, context and purposes of Processing and the risks of varying likelihood and severity to the rights and freedoms of individuals. We have developed and are continuing to enhance security procedures to safeguard and protect Personal Information from security breaches. We maintain appropriate safeguards and security procedures that reflect the types of documents under our custody or control, including electronic or paper records, organizational measures including limiting access to Personal Information on a “need-to-know” basis, and technological measures such as authentication and encryption in accordance with applicable laws. Physical and logical access to electronic and hard copy files is further restricted based upon job responsibilities and business needs. While we endeavor to protect all information, Personal Information, including Sensitive Personal Information, receives the highest level of protection.
We ensure that our employees receive regular training about privacy, information security and data protection. We regularly review all our systems, policies and technologies to ensure that they continue to work effectively to protect your Personal Information.
10. We Limit how Long we Keep Personal Information
We retain Personal Information only as long as necessary to fulfill the purposes for which it was Processed, unless a longer retention period is required and not prohibited by applicable laws. In addition, we may keep Personal Information to deal with legal claims or disputes or as necessary to comply with legal, accounting or regulatory requirements. This period may extend beyond the end of your relationship or contract with us.
If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Information for any other purpose for which we still have legal grounds for Processing such Personal Information (such as for the purposes of complying with a legal obligation or our legitimate interests).
If you want to opt-out from a specific electronic communication service or marketing offer, you can unsubscribe at any time by using the opt-out link on such communication e-mail or send us an e-mail at: email@example.com. Unsubscribing from a special service or product information may not automatically end the Processing of your Personal Information by us unless we receive a specific e-mail request from you in this respect. Any complaints about un-solicited marketing communications can be sent by e-mail to us at the same e-mail address.
When we delete or destroy Personal Information, we use safeguards to prevent unauthorized third parties from gaining access to the Personal Information or compromising it in any way.
The website may present links to other websites. Please be aware that operators of linked websites may also collect your Personal Information and information generated using cookies when you follow such a link to their websites. We are not responsible for how such third parties process your Personal Information, so it is important to review their privacy policies before providing them with your Personal Information.
Cookies are very small text files that are used to store small pieces of information on your device when a website is loaded on your browser. When cookies are used in ways that could identify users then the information is considered Personal Information. Cookies may be used to distinguish you from other users, customize the website according to your preferences (e.g., preferred language), personalize your experience, analyze the website’s usage, and monitor and improve our website. For more information about cookies and how we use them, please see our Cookie Notice.
13. Your Rights
You have the following rights in relation to your Personal Information:
- To request access to your Personal Information;
- To request that your Personal Information is corrected if it is out of date, inaccurate or incomplete;
- To request that your Personal Information is deleted or removed from our records and systems;
- To make a complaint to the applicable privacy commissioner or regulator;
- To object to or restrict the Processing of your Personal Information (where we don’t need your consent to Process your Personal Information);
- To withdraw consent to the Processing of your Personal Information (where we need your consent for such Processing); and
- To obtain an electronic file of your Personal Information or have it transferred to another data controller in limited circumstances.
Asking us to stop Processing your Personal Information or to delete or destroy your Personal Information will likely mean that you are no longer able to use our services, or at least those aspects of the services which require the Processing of the types of Personal Information you have asked us to delete.
Where you request that we rectify or erase your Personal Information or restrict any Processing of such Personal Information, we may notify third parties to whom such Personal Information has been disclosed of such request. However, such third parties may have the right to retain and continue to Process such Personal Information in their own right or on other lawful grounds without your consent.
If we are Processing Personal Information of a plan member or employee on behalf of a client and we receive a request from such plan member or employee in relation to the exercise of any of their foregoing rights or inquiries pertaining to the Personal Information we maintain for them, we will refer such request to the applicable client and cooperate accordingly.
If you would like to make a request to access or correct your Personal Information, or to exercise any of your other rights as described above, you can contact us at any time using the details set out under section 16 (Contact Us).
14. Data Breaches
A “breach of security safeguards” is the loss of, unauthorized access to or unauthorized disclosure of Personal Information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards. In the case of a breach of security safeguards, we will notify you and the appropriate and applicable federal or provincial privacy commissioners, in compliance with applicable laws. We may also notify any other organization or government institution that can reduce the risk or mitigate the harm from the breach. We will keep a record of any breach of security safeguards.
15. How to Register Complaints
Privacy-related complaints may be registered by contacting the Privacy Officer, who will explain our complaint procedure and investigate all complaints. We shall take the appropriate steps to remedy the situation that is the subject of a complaint, including changing our policies and practices, if necessary. We shall also advise what other complaint procedures may be available.
16. Contact Us
We have established policies and procedures with the objective of protecting your Personal Information and we have appointed a Privacy Officer to oversee privacy matters for our company. If you have any questions about our privacy policies, please contact our Privacy Officer in writing at Suite 1700, 5140 Yonge Street, Toronto, Ontario, M2N 6L7 or by email at firstname.lastname@example.org.