10 Fair Information Principles
As a private sector federally regulated bank, HomeEquity Bank (“the Bank”) is subject to PIPEDA. PIPEDA establishes rules for handling personal information, in the course of conducting commercial activities, that are based on 10 Fair Information Principles.
The Bank’s privacy principles reflect PIPEDA’s 10 Fair Information Principles as follows:
1. Accountability
HomeEquity Bank takes full responsibility for personal information in its possession and under its control and has designated a Chief Privacy Officer who oversees the Bank’s privacy compliance.
- A senior Bank employee is appointed the Chief Privacy Officer (“CPO”) responsible for designing, implementing, monitoring, assessing and maintaining an effective privacy framework. The CPO may, from time to time, designate one or more individuals to act on his/her behalf. Contact details for the CPO can be found on the Bank’s websites and in the Bank’s Privacy Brochure.
- The Bank is accountable for all personal information in its possession or control, including personal information disclosed to third parties (other organizations) providing services to the Bank. Any personal information shared with a third party service provider acting on the Bank’s behalf is protected by contractual agreements, the service provider’s written commitments, and the service provider’s own legal obligations. The Bank also ensures that the practices of the third party can be audited by the Bank as necessary.
- To give effect to the principles of privacy, the Bank has developed a privacy program which includes specific procedures and practices for each aspect of privacy, and established a privacy training program for Bank employees.
2. Identifying the Purpose
The purposes for which personal information is collected are identified by HomeEquity Bank at or before the time the information is collected.
- The Bank identifies the purposes for which personal information is being collected and how it will be used.
- The purpose is communicated to the individual from whom the information is collected, either verbally or in writing, at or before the time that the information is collected. The purpose is communicated in a manner that is clear and can be reasonably understood.
- The collection of personal information is documented in the consumer’s file. The purpose for collection typically includes the following:
  - Verify the identity of the consumer and investigate the consumer’s background and title interests;
  - Better understand the consumer’s financial situation;
  - Provide products and services to the consumer;
  - Help the Bank better understand the current and future needs of the consumer;
  - Communicate to the consumer any benefit, feature and other information about the Bank’s products and services; and
  - Manage the Bank’s risk and operations.
- Should the Bank propose to use or disclose personal information that has been collected for a purpose not previously identified, the individual’s consent is first obtained. However, under certain circumstances, such as when law enforcement agencies are investigating a contravention of the law, or a government institution has requested the information for law enforcement or national security reasons, the Bank is prohibited from informing the individual.
- Consumers are informed that telephone calls to the Bank’s Contact Centre and Client Relationship Service may be recorded to provide a record of the conversation, to ensure quality of service, and to assist with staff training.
3. Consent
Informed consent is sought by HomeEquity Bank before collecting, using or disclosing personal information, except when inappropriate due to solicitor-client privilege, confidential commercial information, personal security, the outcome of a formal dispute resolution process, or prohibited by law due to a law enforcement or government agency investigation.
- The Bank obtains consent for the collection, use or disclosure of an individual’s personal information. Generally, such consent is obtained from the individual at the time of collection, as well as when a new use is identified.
- The Bank may obtain express consent in writing, through electronic means, or verbally. Alternatively, consent may be implied through an action the individual has taken. In determining the appropriate form of consent, the Bank takes into consideration the sensitivity of the personal information and the reasonable expectations of the consumer. Consent is never obtained through deception. Consumers may give consent in a variety of ways. For example:
  - Completing and signing an application form or client acknowledgement;
  - Agreeing to certain collections, uses or disclosures of information on the telephone;
  - Using a product or service offered by the Bank;
  - Through an authorized representative of a consumer (for example a power of attorney); or
  - Affirmatively clicking an “I Agree” or similar icon electronically.
- The Bank does not, as a condition of the provision of a product or service, require a consumer to consent to the collection, use or disclosure of their personal information beyond what is required to fulfill the stated purposes.
- In limited circumstances, the Bank may be legally permitted or required to collect, use or disclose personal information without the knowledge and consent of the individual.
- An individual may withdraw consent to the use of their personal information for specific purposes at any time, subject to legal or contractual restrictions and reasonable notice. As soon as the Bank becomes aware that an individual intends to withdraw consent, it will inform the individual of the implications of doing so.
4. Limiting Collection
HomeEquity Bank limits the information collected to what is needed for the purposes identified. Information is always collected by fair and lawful means.
- The amount and type of information collected by the Bank is limited to those details necessary for the purposes identified and is primarily collected from consumers.
- Personal information is collected by fair and lawful means. No such information is collected in a misleading or indiscriminate fashion.
5. Limiting Use, Disclosure and Retention
Personal information is never used or disclosed by HomeEquity Bank for purposes other than those for which it was collected, except with the consumer’s consent or as required by the law. Personal information is only retained as long as necessary for fulfillment of those purposes, or at the Bank’s discretion for other particular purposes.
- The Bank only uses or discloses personal information for purposes for which it was collected, unless the individual has otherwise consented or as required by law. See Section 2.3 for a list of typical purposes.
- In order to verify a consumer’s eligibility for a product or service, the Bank may disclose personal information to a credit reporting agency, property appraisers, and title search companies.
- The Bank may disclose personal information to a third party conducting marketing activities on the Bank’s behalf.
- The Bank may disclose personal information about a consumer without consent in order to respond to an order or valid request from a regulator, government institution or law enforcement authority. The Bank will make every effort to protect the consumer’s privacy in this case by ensuring that such an order or request appears to comply with the laws under which it was issued and only the personal information legally required is disclosed to the appropriate entity.
- The Bank does not sell or provide any personal information to third parties without the consumer’s consent, except to a third party service provider acting on behalf of the Bank, or except as permitted or required by law.
- Personal information is only retained for the amount of time needed to fulfill the purpose for which it was collected. Personal information that is no longer required for an identified purpose or to comply with a legal requirement is destroyed, erased or made anonymous.
6. Accuracy
HomeEquity Bank makes every reasonable effort to keep consumers’ information as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
- The Bank keeps personal information as accurate, complete and up-to-date as is reasonably necessary to fulfill the purposes for which it is to be used.
- The Bank also relies on the consumer to provide accurate information to prevent inaccurate personal information from being used to make a decision concerning a consumer.
- Personal information is only routinely updated if it is necessary to fulfill the purposes for which it was collected, needed to determine the consumer’s eligibility for the Bank’s products or services or required to meet legal/regulatory requirements.
7. Safeguards
HomeEquity Bank protects consumers’ information with safeguards that are appropriate to the sensitivity of the information. This includes physical, organizational and technical security measures.
- Personal information, regardless of the format in which the information is held, is protected by security safeguards appropriate to the sensitivity of the information. With the use of appropriate physical, administrative and technical security measures, the Bank protects personal information against unauthorized disclosure, loss, theft, unauthorized access, copying, use, modification or destruction of the information. The nature of the safeguards varies depending on the type and amount of information, the extent of distribution, the format of the information, and its method of storage.
- Only the Bank’s employees with a business-related need to know, or whose duties reasonably so require, are granted access to personal information about consumers.
8. Openness
HomeEquity Bank makes readily available to consumers specific information about its policies and practices relating to the management of personal information.
- The Bank makes information available to consumers and third parties about the policies and practices it uses to manage personal information. Privacy information for consumers is available on all of the Bank’s websites and in its Privacy Brochure. Privacy information is also available to the Bank’s employees on the Bank’s internal intranet site.
9. Individual Access
Consumers have the right to access the information that the Bank has about them in its files. If consumers identify information that is not correct, the Bank will make the necessary changes.
- If a consumer wishes to access their personal information which the Bank has on file, the consumer must provide an access request in writing with sufficiently specific information concerning the nature of the information so as to reasonably enable the Bank to retrieve it. In order to safeguard personal information a consumer may be required to provide sufficient identification information to permit the Bank to respond to an access request. Any such information shall be used only for this purpose.
- The Bank has a defined process and specific turnaround times for responding to any such requests.
- The Bank promptly informs the individual of the personal information it has concerning him/her, explains how it is or has been used and gives the individual access to such information, unless access is prohibited by law. The Bank also tells the individual the names of any organizations to which their personal information has been or may have been disclosed.
- Consumers may confirm the accuracy and completeness of the personal information the Bank holds about them as well as its source. When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the Bank shall amend the information as required.
- Consumers who have requested access to their personal information may be charged a fee. Consumers are given notice in advance describing any proposed charges, if charges are to apply.
- If a request for access is denied or information is severed from the records released, a written explanation will be provided to the individual.
10. Challenging Compliance
- The complainant is required to follow the Bank’s complaint handling procedure. This procedure can be found on all of the Bank’s websites.
- The Bank reviews and takes appropriate measures to resolve all complaints and the complainant is informed of the outcome of the investigation. Any inquiry regarding personal information that cannot be dealt with through the normal business process is escalated to the CPO.
- Any privacy complaint or inquiry is recorded by the Bank for its future reference.
- Failing a satisfactory response from the CPO, the individual may have recourse to additional remedies under PIPEDA. For further information, contact the Privacy Commissioner at www.priv.gc.ca or call 1-800-282-1376.