As a trusted partner, processing significant volumes of sensitive personal information on behalf of its customers, Credit Bureau Canada Collections (CBCC) recognizes the critical importance of maintaining confidentiality. CBCC’s primary focus is on securely processing personal information and avoiding incidents. CBCC has always been committed to respecting the privacy of the personal information of its associates, clients and consumers. Under the Federal Personal Information Protection and Electronic Documents Act “PIPEDA” (introduced January 1, 2001), such protection has been required for all inter-provincial disclosures of information outside the province of origin.
CBCC has invested a great deal of time and resources to ensure the confidential information we receive from our Clients remains confidential. We acknowledge that, under PIPEDA, if we were to collect, use or disclose someone’s personal information, we require the consumer’s consent, except in a few specific and limited circumstances. We can use or disclose personal information only for the purpose for which the person gave consent when it was originally collected. Even with consent, we acknowledge that the collection, use and disclosure of personal information is limited to purposes that a reasonable person would consider appropriate under the circumstances.
CBCC is committed to the safekeeping of personal information in order to prevent its loss, theft, unauthorized access, disclosure, duplication, use, or modification. CBCC will take all reasonable precautions to ensure that personal information collected from you is protected against loss and unauthorized access while in our possession. This protection applies to information stored in electronic and/or hard copy form.
It is the policy of CBCC to ensure and respect the privacy of the personal information of its associates, clients and consumers at all times and under all circumstances, in full compliance with the various provincial and federal privacy legislation.
“Collection” – the act of gathering, acquiring or obtaining personal information from any source, including from third parties, by any means.
“Consent” – voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the persons seeking the consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
“Disclosure” – making personal information available to other persons.
“Personal Information” – means information about an identifiable individual, but does not include the name, title, business address or telephone number of an employee of an organization.
“Use” – treatment and handling of personal information within Collectcents.
“Personal Information” – means any information relating to an identified or identifiable individual person. All information relating to individuals should be presumed to be Personal Information unless the contrary is clear. We define personal information for consumers as any information that is not publicly known. This includes:
- Date of Birth
- Government Issued Identification Numbers
- Driver’s Licenses
- Canadian Immigration
- Health Cards
- Financial Account Numbers
- Payment Records
- Record of Purchases
- Marital Status
- Health Information
- Medical Information
- E-mail address
- Religious beliefs
- Political beliefs
PRINCIPLE 1: ACCOUNTABILITY
All Collectcents associates are responsible for complying with the privacy principles.
Our President & CEO has appointed a Privacy Officer. The Privacy Officer may delegate other individuals to act on his or her behalf. The individual will be known as the “Privacy Officer”.
a) evaluating and improving procedures to protect personal information;
b) establishing procedures to receive and respond to complaints and inquiries;
c) training associates and communicating to associates information about our policies and practices; and
d) explaining our policies and procedures to our clients, consumers, suppliers, visitors and the public.
Collectcents is responsible for all personal information in its possession or custody, including information that has been transferred through any third party. When we enter into a contract with a third party that involves us transferring personal information to that third party, the individual(s) responsible will ensure that a comparable level of protection is available while the personal information is being processed by the third party. This includes:
b) ensuring the return of all personal information to us upon completion of the contract;
c) an agreement not to use such information for any other purpose; and
d) the destruction of any remaining records in the possession of the third party.
PRINCIPLE 2: IDENTIFYING PURPOSES
The purposes for which personal information is collected shall be identified by Collectcents before or at the time the information is collected.
Members of Collectcents shall collect personal information only for the purposes of:
- providing debt collection services to clients, including locating individuals;
- identifying individuals and organizations interested in receiving information about our services, and other marketing purposes;
- hiring and employment purposes;
- training our associates;
- maintaining the security of client information, our premises, information and assets, and our individual associates;
- operating our website;
The specific purposes for which a member of Collectcents is collecting personal information shall be identified by the member at or before the time the information is collected. Only information that is necessary for the purposes that have been identified may be collected. The purposes for the collection shall be communicated to the subject individual.
PRINCIPLE 3: CONSENT
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except as provided by law.
Consent is generally required for the collection of personal information and the subsequent use or disclosure of such information. The exceptions to such requirement are specified in the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the applicable provincial statutes. Collectcents shall, as a general practice, provide each associate involved in the collection of personal information with a summary of such exceptions for use as a reference.
PIPEDA and the applicable provincial statutes contain provisions allowing clients to disclose personal information for the purpose of collecting a debt owed by the individual to the client. Notwithstanding this exception, when we are collecting a debt on behalf of a client, Collectcents may rely on and shall obtain and adhere to, any form of consent previously obtained by the client, subject to the exceptions provided for in the applicable legislation.
Collectcents will not, as a condition for the supply of services, require an individual to consent to the collection, use or disclosure of personal information beyond what is necessary for such purposes.
The adequacy of the form of consent depends upon the circumstances and the type of information that is being collected. Generally speaking, the more sensitive the information (such as health records or employment evaluations), the more explicit or manifest is the form of consent that we will require. In obtaining consent, we will take the reasonable expectations of the individual into account. We will not obtain consent through deception.
An individual may withdraw their consent at any time, subject to legal or contractual restrictions and reasonable notice. We will inform the individual of the implications or consequences of withdrawal.
PRINCIPLE 4: LIMITING COLLECTION
The collection of personal information shall be limited to that which is necessary for the purposes identified by Collectcents. The information shall be collected by fair and lawful means.
We will not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which we need to fulfill the purposes identified.
PRINCIPLE 5: LIMITING USE, DISCLOSURE AND RETENTION
Personal information shall not be used or disclosed for purposes other than those for which the information was collected, except with the consent of the individual or as permitted by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Personal information that is no longer required to fulfill the identified purposes is destroyed, returned to the client that gave us the information originally, erased or made anonymous.
In keeping with the Credit Reporting Act, database and hard copy personal information are retained for a period of six years. Database files are purged and hard copy documentation is shredded at the expiration of the six-year limitation, with the exception of Judgment accounts, where information is retained for up to ten years.
Personal information in client files is retained for a period of one year after the relationship between the client and Collectcents concludes. Personal information is shredded at the end of the period.
PRINCIPLE 6: ACCURACY
Personal information shall be accurate, complete and as up-to-date as necessary for the purposes for which it is to be used.
This is particularly important where the information is being used to make some evaluation or judgment about the individual. The extent to which the personal information shall be accurate, complete and up-to-date will depend upon the use of the information, taking into account the interests of the individual.
Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date.
PRINCIPLE 7: SAFEGUARDS
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Collectcents takes significant security safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. The nature of the safeguards varies according to the sensitivity of the information.
Our methods of protection include physical measures, organizational measures and technological measures. All personal information is handled on a “need-to-know” basis and each associate of Collectcents is responsible for the protection of the personal information used in his or her job function.
Collectcents regularly makes all of its associates aware of the importance of maintaining the security of personal information.
Care is used in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.
PRINCIPLE 8: OPENNESS
Collectcents shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Collectcents shall be open about its policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about Collectcents’ policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
The information made available must include:
a) how the individual may contact the company’s Privacy Officer with respect to complaints or inquiries;
b) advice that the individual can gain access to the personal information held by Collectcents by writing to Collectcents’ Privacy Officer, confirming and verifying their identity, and requesting the specified information;
c) a description of the type of personal information held by Collectcents, including a general account of its use;
d) a copy of any brochures or other information that explain Collectcents’ policies, standards or codes; and
e) what personal information is generally made available to related organizations.
PRINCIPLE 9: INDIVIDUAL ACCESS
Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Before granting an individual access to their personal information, a Collectcents associate must consult the Privacy Officer or that person’s delegate. There are restrictions on the grant of access in PIPEDA and the provincial statutes. For example, where revealing the personal information about the requesting individual will reveal information about a third party that cannot be severed from the information about the individual, the personal information cannot be disclosed. Because there are some differences between the statutes, it is important for each request to be carefully reviewed in the context of the applicable legislation.
Access may be refused in a variety of situations, including where revealing the personal information would also reveal confidential commercial information; where revealing the information could reasonably be expected to threaten the life or security of another individual; if the information was collected during an investigation of a breach of an agreement or a contravention of the laws of Canada or a province on the expectation that the knowledge or consent of the individual would compromise the availability or accuracy of the information; or where the information was generated in the course of a formal dispute resolution process.
Upon receiving a request, we shall inform the individual whether or not we hold personal information about the individual. When disclosure of the personal information is made to the individual, we will provide an account of the use that has been made or is being made of the information and an account of the third parties to whom the information has been disclosed.
Where the request for access relates to personal information collected, used or disclosed in the course of serving a client, the client shall immediately be provided with a copy of the request.
We shall respond to an individual’s request within 30 days and at minimal or no cost to the individual. We may require a reasonable payment for the information provided only if we inform the individual in advance of the approximate cost and the individual has advised us that the request is not being withdrawn.
When an individual successfully demonstrates that personal information we have is inaccurate or incomplete, we will amend the information as required. Depending upon the nature of the information challenged, amendment could involve the correction, deletion or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by Collectcents associates. When appropriate, the existence of the unresolved challenge should be transmitted to third parties having access to the information in question.
PRINCIPLE 10: CHALLENGING COMPLIANCE
An individual shall be able to address a challenge concerning compliance with the above privacy principles to Collectcents’ Privacy Officer.
The individual accountable for Collectcents’ compliance is the Privacy Officer as appointed by the President & CEO from time to time. The Privacy Officer will establish procedures to receive and respond to complaints or inquiries about Collectcents’ policies and practices relating to the handling of personal information.
Collectcents associates shall inform individuals who make inquiries or lodge complaints of the existence of the relevant complaint mechanisms of Collectcents. The company shall investigate all complaints. If a complaint is found to be justified through either the internal or external complaint review process, Collectcents will take appropriate measures, including amending its policies and practices if necessary.
All Collectcents associates are required to complete and sign a Confidentiality/Non-Disclosure Agreement upon hire and annually thereafter. The Confidentiality/Non-Disclosure Agreement is available on the Intranet and through our Recruitment and Training Manager.