
Privacy Code
PURPOSE
To protect the interests of those who do business with the Credit Union from any unauthorized use of personal information, which members have made available in the course of conducting their business with the Credit Union.
POLICY STATEMENTS
The Credit Union enforces strict compliance with the confidentiality requirements as per its Code of Conduct.
RESPONSIBILITY:
Ultimate accountability for the Credit Union's compliance with the policy statements rests with the Credit Union's Board of Directors.
Management, through the Privacy Officer, is responsible for the day-to-day accountability, implementation of, and compliance with this policy, including, but not limited to:
· Ensuring policy and procedures remain relevant;
· On-going compliance monitoring;
· On-going staff training and mentoring;
· On-going member communication;
· Complaints processing and dispute resolution;
· Required reporting;
· Review of Service Provider and third party contracts;
· Review of Credit Union facilities and other access points such as data systems, computers, internet, and waste disposal;
· Recommending changes to policy.
The Board will review this policy at least annually at the meeting at which compliance observations are reported by management.
Nothing in this policy is intended to prohibit the proper and responsible use of information given with consent, for the purposes of enhancing services or delivering services to members. This policy does not diminish the Credit Union's need to make fully informed decisions about the services it provides or persons to whom services may be provided. This policy does not authorize the taking of any business risks without all information needed to support prudent decisions.
MONITORING AND REPORTING:
The Privacy Officer will maintain a record of any member privacy complaints and the resolution of such complaints.
The Privacy Officer will report to Management any concerns relating to compliance with the Code principles or policies, and if necessary, such issues may be forwarded on to the Board.
On a frequency no less than annual, Management, through the Privacy Officer, will report to the Board on compliance with this policy.
ABCU Credit Union Ltd.
Code for the Protection of Personal Information
1. Accountability
Alberta's Credit Union is accountable for all personal information in its control. The Credit Union will designate one or more persons to be accountable for compliance with this privacy code.
1.1 Ultimate accountability for the Credit Union's compliance with the principles rests with the Alberta's Credit Union Ltd. Board of Directors, which delegates day-to-day accountability to a Privacy Officer. Other persons within the Credit Union may be accountable for the day-to-day collection and processing of personal information, or to act on behalf of the designated individual.
1.2 The Credit Union will identify to staff and to members the person (persons) who is (are) responsible for the day-to-day procedures of compliance (see also 8.2).
1.3 The Credit Union accepts responsibility for personal information that has been disclosed to a third party in order to deliver a product or service. The Credit Union will safeguard the privacy of this personal information through a contract or other means with the third party.
1.4 To practice the principles of this privacy code, the Credit Union will:
· Establish day-to-day procedures to protect the privacy of personal information,
· Receive and respond to members' questions,
· Train staff to understand and follow privacy procedures, and
· Oversee compliance with an annual review of procedures.
2. Identifying Purposes
The Credit Union will identify the purposes of collecting personal information, before or when the member provides it.
2.1 The Credit Union will document the purposes for which personal information is collected prior to the information being collected.
2.2 The Credit Union will ensure that information disclosing the purposes for which personal information is collected, including use by third parties, is readily available to the member (see 2.4).
2.3 The Credit Union will collect and use personal information for the following purposes:
· To meet regulatory and legal requirements
· To establish your identification
· To protect you from illegal activity
· To determine the suitability of products and services to you, and your eligibility for products and services (including determining your eligibility for credit on an ongoing basis with other credit suppliers and credit reporting agencies). When we request your credit report, either to make credit decisions or update your information, using your SIN is the best way to ensure that the information we have received actually refers to you, and not to someone else. If you choose to limit the use of your SIN to income tax reporting purposes only, it will not prevent you from accessing credit or other services. Providing your SIN for purposes other than income tax reporting is voluntary.
· To operate and administer products and services, which you have requested, including providing information to related services providers involved in the operation and administration of those services on behalf of us.
· To provide you with information or advice on products and services that may be of interest to you (whether you currently have a product or service with us).
· To conduct research to assist us in designing products and services, and determining products and services that may be of interest to you, and to obtain your feedback on current products and services.
· To disclose information to third parties in connection with the ongoing management of our assets, and the further subsequent collection, use or disclosure of that information by those third parties and any of their agents or assignees for the purposes of managing those assets.
· To provide ombudsman or mediation services to address concerns with Credit Union products or services raised by you.
2.4 The identified purpose should be communicated directly to the member from whom personal information is being collected. This can be done orally, electronically, or in writing.
2.5 When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified and the member's consent will be received before the information is used. If the new use is required by law the member's consent will not be required.
3. Consent
The knowledge and consent of the member is required for the collection, use, or disclosure of personal information except where inappropriate.
Note: In certain circumstances personal information may be collected, used, or disclosed without the knowledge or consent of the Member. These circumstances include, but are not limited to:
· Where clearly in the interests of the Member and consent cannot be obtained in a timely way;
· To avoid compromising information availability or accuracy and if reasonable to investigate a breach of an agreement or a contravention of the laws of Canada or a province;
· Where the information is considered by law to be publicly available;
· To act in respect of an emergency that threatens the life, health or security of a Member;
· To investigate an offence under the laws of Canada, a threat to Canada's security, to comply with a subpoena, warrant or court order, or rules of court relating to the production of records, or otherwise as required by law.
· Collecting a debt.
3.1 At the time the Credit Union collects personal information, the member's consent will be required before or when the personal information is collected, used, or disclosed.
Sometimes, the Credit Union may seek consent to use and disclose personal information after it has been collected. This can happen when the Credit Union wants to use the information for a purpose that was not previously identified to the member.
The Credit Union may choose to collect, use, or disclose personal information without the member's consent for the collection of overdue accounts, or for legal or security reasons.
3.2 The Credit Union will make a reasonable effort to communicate the purpose for collecting, using and disclosing information in a clear and understandable way so as not to deceive. The Credit Union will explain to members how personal information will be used or disclosed before consent is received.
3.3 The Credit Union may not, as a condition of the supply of a product or service, require a member to consent to the collection, use, or disclosure of information beyond that required to fulfill explicitly specified and legitimate purposes.
3.4 In determining the form of consent to use, the Credit Union will take into account the sensitivity of the information. Although some information (for example, medical and financial records) is almost always considered to be sensitive, any information can be sensitive depending on the context. Members can give consent:
· In writing, such as when completing and signing an application;
· Through inaction, such as failing to check a box indicating that they do not wish their names and addresses to be used for optional purposes;
· Orally, such as when information is collected over the telephone or in person;
· At the time they use a product or service; and
· Through an authorized representative (such as a legal guardian or a person having power of attorney).
3.5 The Credit Union may collect, use, or disclose personal information without the knowledge and consent of the member when legal, security, or certain processing reasons make it impossible or impractical to get this consent. For example:
· Consent will not be obtained when personal information is collected, used or disclosed to:
  · Detect and prevent fraud,
  · Collect overdue accounts,
  · Comply with the law.
· Consent may not be possible or appropriate when the member is a minor, seriously ill, or mentally incapacitated.
· Consent will not be obtained, and will be implied, when personal information is given to suppliers or agents of the Credit Union who need it to carry out functions that would reasonably be expected to be required in connection with a service. For example, processing functions, such as data processing or the printing of cheques and credit cards.
· When the Credit Union obtains customer lists from another organization, the Credit Union will assume that the organization providing the personal information obtained the consent of persons who appear on the list before disclosing it to the Credit Union.
3.6 Subject to legal and contractual restrictions on the Credit Union, members can withdraw consent to the use or disclosure of information for a particular purpose at any time as long as:
· Reasonable notice of the withdrawal is given to the Credit Union in writing,
· Consent does not relate to a credit product when the Credit Union must collect and report information after credit has been granted.
· The Credit Union will let the member know the consequences of withdrawing consent when members seek to do so. Withdrawing consent to collect, use, or disclose personal information could mean that the Credit Union cannot provide the member with some product, service, information of value, or even continued membership.
4. Limiting Collection
The Credit Union will limit the amount and type of personal information that is collected to the purposes already identified to the member. The Credit Union will collect personal information using procedures that are fair and lawful.
4.1 The Credit Union will collect only the amount and type of information needed for the purposes identified to the member, in accordance with the Credit Union's policies and procedures.
4.2 The Credit Union will collect personal information by fair and lawful means, and not by misleading or deceiving members about the purpose for which information is being collected.
5. Limiting Use, Disclosure, and Retention
The Credit Union will use or disclose personal information only for the purposes it was collected, unless a member gives consent to use or disclose it for another purpose or as required by law.
The Credit Union will keep personal information only as long as necessary for the identified purposes or as required by law.
5.1 The Credit Union may disclose personal information without consent when required by law. For example:
· Subpoenas,
· Search warrants,
· Other court and government orders,
· Demands from other parties who have a legal right to personal information.
5.2 In these circumstances, the Credit Union will protect the interests of members by taking precautionary steps to ensure that:
· Orders or demands appear to comply with the laws under which they were issued,
· Only the personal information that is legally required is disclosed, and nothing more,
· The Credit Union will not comply with casual requests for personal information from government or law enforcement authorities,
· Personal information is not disclosed to unrelated third party suppliers of non-financial services.
The Credit Union may notify members that an order has been received, if the law allows it. (Notification may be by telephone or by letter to the member's address on file or any other means that the Credit Union deems appropriate in the given circumstance).
5.3 Health records will only be collected to verify authority of trust representatives (account Management), for credit application purposes and credit related insurance sales. Health records will not be disclosed to, or received from any other unrelated organization.
5.4 Credit Union policies and procedures will specify the shortest and longest periods of time it will keep personal information. Some of these time periods may be determined by legislation. If personal information has been used to make a decision about a member, the personal information will be kept long enough for the member to have access to it after the decision has been made.
5.5 The Credit Union will destroy, erase, or make anonymous any personal information no longer needed for its identified purposes or for legal requirements. The Credit Union will develop guidelines and implement procedures to govern the destruction of personal information.
6. Accuracy
The Credit Union will keep personal information as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used.
6.1 The extent to which personal information will be accurate, complete, and up-to-date will depend upon the use of the information taking into account the interests of the member. The Credit Union will rely on the member to keep certain personal information accurate, complete and current, such as name and address.
6.2 The Credit Union will not routinely/automatically update personal information unless updating is necessary for the purposes for which the information is used.
6.3 Personal information that is used on an ongoing basis, including information that is disclosed to third parties, will generally be accurate and up-to-date.
7. Safeguard Personal Information
The Credit Union will protect members' personal information with safeguards appropriate to the sensitivity of the information.
7.1 The Credit Union will safeguard personal information from loss or theft and from unauthorized access, disclosure, copying, use or modification. Appropriate safeguards will be applied regardless of the format in which that information is held.
7.2 Credit Union safeguards will vary depending on the sensitivity, amount, distribution, format, and storage of the personal information. The highest level of protection will be given to the most sensitive personal information.
7.3 Personal information will be safeguarded through appropriate security measures. For example:
· Physical security, such as secure locks on filing cabinets and restricted access to offices,
· Organizational security, such as controlled entry in data centres and limited access to relevant information on a "need to know" basis,
· Electronic security, such as passwords, personal identification numbers and encryption.
· Investigative measures, in cases where the Credit Union has reasonable grounds to believe that personal information is being inappropriately collected, used or disclosed.
7.4 Employees, directors and officers will be regularly informed about the Credit Union's policies and procedures for protecting member personal information, and the importance of complying with them will be emphasized. Employees and directors will be required to sign an oath of ethical conduct annually, including a commitment to keep members' personal information in strict confidence.
7.5 The Credit Union may disclose personal information to third parties, for example for printing cheques, data processing services, collection, credit bureau reports, or for the supply of other goods and services. The Credit Union will require that these third parties safeguard all personal information in a way that is consistent with safeguards the Credit Union would apply to personal information in its control.
7.6 The Credit Union will use care when disposing of, or destroying personal information, to prevent unauthorized access to the information.
7.7 The Credit Union will not disclose any information pertaining to a member's relationship with Alberta's Credit Union (ABCU) on voice mail. Further, any texting or emailing between ABCU and the members must be authorized by the member, with consent and disclosure parameters documented and authorized.
8. Openness
The Credit Union will make the policies and procedures used to manage personal information readily available.
8.1 The Credit Union will make available to members information about the policies and procedures used to protect privacy in accordance with this code. The Credit Union will make available copies of this privacy code.
8.2 The privacy information made available will include:
· The title and office address of the person (persons) in the Credit Union who is (are) responsible for protecting the privacy of members' personal information, so members know where to address complaints and questions,
· How to access member personal information held by the Credit Union, to review its accuracy,
· What type of personal information is controlled by the Credit Union and its use,
· The personal information disclosed to subsidiaries, affiliates, or other suppliers of the Credit Union,
· A copy of any brochures or other information that explains the Credit Union's policies, procedures, standards, or codes.
8.3 The Credit Union may make information about its privacy policies and procedures available in a variety of ways, depending on the nature of the service members are using and the sensitivity of the personal information. For example, a Credit Union may make brochures available in its branches, mail information to its members, establish a toll-free telephone service, or provide on-line access.
9. Individual Access
When members request it, the Credit Union will tell them what personal information the Credit Union has, what it is being used for, and to whom it has been disclosed.
Members may challenge the accuracy and completeness of personal information in the Credit Union's control and have it amended as appropriate.
When members request it, the Credit Union will give them access to their personal information.
Note: Exceptions to the access requirement will be limited and specific.
9.1 A member has the right to know, by request, what personal information the Credit Union has in its control and to obtain access to that information.
9.2 Members may be requested to assist the Credit Union in locating information by providing information required for the search. Information provided will only be used for the purpose of assisting in a search.
9.3 The Credit Union will be as specific as possible in identifying the type of information and the identity of third parties to which information has been disclosed including a list of organizations that may receive personal information.
9.4 The Credit Union will respond to member requests within a reasonable time. The information will be made available at a cost that will vary with the type and amount of information requested. The requested information shall be provided or made available in a form that is easy to understand. For example, if the Credit Union uses abbreviations or codes to record information, an explanation will be provided.
9.5 In some cases, the Credit Union may not be able to provide the personal information that is in its control. The Credit Union will seek to limit these cases, and make them specific in policies and procedures. For example, some personal information may not be provided, or not provided in full, because:
· Providing access would likely reveal personal information about a third party, unless such information can be severed from the record or the third party consents to the disclosure, or the information is needed due to a threat to life, health or security;
· The personal information has been requested by a government institution for the purposes of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out any investigation related to the enforcement of any law, the administration of any law, the protection of national security, the defense of Canada or the conduct of international affairs;
· The information is protected by solicitor-client privilege;
· Providing access would reveal confidential commercial information, provided this information cannot be severed from the file containing other information requested by the Member;
· Providing access could reasonably be expected to threaten the life or security of another person, provided this information cannot be severed from the file containing other information requested by the Member;
· The information was collected without the knowledge or consent of the Member for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
· The information was generated in the course of a formal dispute resolution process.
9.6 When a member successfully demonstrates the inaccuracy or incompleteness of personal information, the Credit Union shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be forwarded to third parties having access to the information in question.
9.7 If the Credit Union denies the member's request for access to personal information, the member must be told why. The member may then question the decision under the procedures in this privacy code. When a challenge is not resolved to the satisfaction of the member, the substance of the unresolved challenge will be recorded by the Credit Union. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.
10. Compliance
Members are welcome to question the Credit Union concerning compliance with this privacy code. The Credit Union will have policies and procedures for responding to member questions.
10.1 The Credit Union will have policies and procedures to receive, investigate, and respond to members' questions and concerns relating to personal information.
The process will be easily accessible and simple to use.
It will be clear whom members must contact with a question or concern. The designated individual accountable for the Credit Union's compliance will be known to staff and identified to the membership periodically.
10.2 Resolution of all member complaints will first be attempted by the Alberta's Credit Union privacy officer, with full disclosure to the Board. All members will have the right to take concerns that are not satisfactorily resolved to the Privacy Commissioner. The Credit Union will inform members who make inquiries or lodge complaints of the existence of relevant complaint mechanisms.
10.3 The Credit Union will investigate all concerns. If the Credit Union finds a concern justified, the Credit Union will provide an appropriate resolution, including changing policies and procedures to ensure other members will not experience the same situation.
If you have any questions about the policy, please contact our privacy officer via email at cbennett@alberta-cu.com; the subject line should read: privacy concern. Phone calls may be directed to the same at (780) 929-8561.
Notice: Alberta's Credit Union reserves the right to amend its Internet Policy Statement and its Privacy Code at any time with or without notice. Please check this page periodically for changes.