Prudent Benefits Administration Services Inc., Benchmark Decisions Ltd., and Student Benefits Administrators Inc. (hereinafter referred to collectively as “PBAS”, for ease of reference).
Personal Information is any factual or subjective information, recorded or not, about an identifiable individual. In general, Personal Information, does not include business contact information, including your name, title, and business telephone number.
The person at PBAS who is responsible for overseeing that privacy practices are carried out to ensure overall compliance with federal and provincial privacy legislation. This includes ensuring that all staff are trained on privacy best practices and carrying out any disclosure requirements under the applicable privacy legislation including privacy breaches.
The Office of the Privacy Commissioner of Canada (“OPC”) defines a “breach of security safeguards” as:
According to the OPC, a privacy breach is:
Only breaches including personal information are in scope for PIPEDA, based on a test for a “real risk of significant harm.”
The law defines “significant harm” to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
The following ten principles of privacy are interrelated and are based on fair information practices. They are intended to recognize an individual’s right of privacy while balancing the need for an organization to collect, use or disclose Personal Information for legitimate business purposes.
Unless additional purposes are identified to an individual before or at the time of collection, PBAS will collect Personal Information only for the following purposes.
PBAS will collect, use or disclose Personal Information only with an individual’s knowledge and consent, except where required or permitted by law. This is commonly acquired through the completion of a benefit enrolment form. An individual can provide consent to the collection, use and disclosure of Personal Information about them expressly, or through an authorized representative. The latter would require written authorization from the individual to release the Personal Information. For an individual who is a minor, seriously ill, or mentally incapacitated, consent may be obtained from a legal guardian, or person having power of attorney. Subject to certain legal or contractual restrictions and reasonable notice, an individual can withdraw consent at any time. PBAS will inform individuals of the consequences of refusing or withdrawing consent when individuals seek to do so. Refusing or withdrawing consent could precipitate the destruction of an individual’s Personal Information and may, therefore, render ongoing participation in a benefit plan impossible.
PBAS will limit the amount and type of Personal Information collected. PBAS will collect Personal Information only for the identified purposes or as otherwise permitted by law and, will only collect the information about an individual primarily from the individual or, from external sources if individuals have consented to such collection.
PBAS will use or disclose Personal Information only for the reasons it was collected, unless an individual provides consent to use or disclose it for another reason. Under certain circumstances, PBAS may have a legal duty or right to disclose Personal Information without consent. PBAS will keep Personal Information only as long as necessary for the identified purposes.
PBAS will keep the Personal Information in its possession or control accurate, complete, current and relevant, based on the most recent information available to PBAS. Individuals may challenge the accuracy and completeness of Personal Information about them and have it amended as appropriate.
If an individual demonstrates that Personal Information is inaccurate, incomplete, out-of-date or irrelevant, PBAS will revise or delete the Personal Information and, disclose the revised Personal Information to any third parties to whom wrong or outdated information was disclosed in order to permit them to revise their records.
PBAS will protect Personal Information with safeguards appropriate to the sensitivity of the information.
The use of encryption, firewalls, anti-virus programs and robust authentication procedures, including updating passwords on a regular basis, are some examples of the security controls in place.
Disaster Recovery (“DR”) tests are performed annually at a remote DR location. As part of this test, all server based systems are recovered and verified. Privacy protection is outlined in a contractual agreement we enter into on an annual basis with the company that performs the DR testing.
PBAS will be transparent about the procedures used to manage Personal Information.
When requested to do so PBAS will advise an individual what Personal Information is in its possession or control about the individual, what it is being used for, and to whom it has been disclosed. PBAS will respond to the request no later than thirty (30) days after receipt of the request. This timeframe may be extended for a maximum of thirty (30) additional days, if, for example, additional time is required to conduct consultations. If that were to happen, PBAS would notify the individual in writing. In the unlikely event that PBAS determines that there may be a cost to the individual in granting such access, PBAS shall inform the individual of the costs permitted by law prior to granting such access.
Complaints and inquiries should be directed, in writing, to the Chief Privacy Officer at the following address:
All complaints will be investigated. If a complaint is found to be justified, PBAS will take appropriate measures, including, if necessary, amending policies and practices. If individuals are not satisfied with the way PBAS has responded to their complaint or inquiry they may file a written complaint with: