Servus Credit Union is a member owned and controlled financial institution and, as such, has an inherent responsibility to be open and accessible while, at the same time, demonstrating the greatest respect for the protection of privacy for our members. Our priority is to comply with all applicable privacy legislation as well as striving for industry standard privacy practices in all aspects of our product and service offerings.
Our Commitment:
1. Accountability: Servus Credit Union is responsible for all personal information under its control and shall designate an individual who is responsible for compliance with this policy and the applicable privacy legislation.
1.1. Ultimate accountability for Servus’ compliance with this policy rests with the President and CEO, who delegates the day-to-day responsibility to the Privacy Officer. Other Servus employees may be responsible for the day-to-day collection and processing of personal information or to act on behalf of the Privacy Officer. The Privacy Officer (or designate) shall be identified to all Servus employees as well as to the Servus membership.
1.2. Servus accepts responsibility for personal information that has been disclosed to a third party as part of our business practices/operations. Servus shall safeguard the privacy of this personal information through a contract or other means with the third party.
1.3. Servus shall implement procedures to support this policy and the applicable privacy legislation, including:
- procedures to protect personal information
- procedures to receive and respond to concerns and inquiries
- procedures to notify individuals and authorities as applicable in the event of a breach of personal information
- training requirements for all employees and contractors who handle personal information to understand and follow Servus’ policies and procedures around privacy and personal information protection.
2. Identifying Purposes: Servus Credit Union shall identify the purposes for which personal information is collected either before the information is collected or at the time of collection.
2.1. All purposes for which personal information is collected shall be documented prior to collection.
2.2. Servus shall make reasonable efforts to ensure that the member is aware of the purposes for which personal information is collected, including use by third parties. These purposes can be specified orally, electronically, or in writing.
2.3. Collection of Member Information: Servus may collect and use member personal information for the following purposes:
- to meet legal and regulatory requirements.
- to establish a member's identity.
- to protect the member and Servus against illegal activity.
- to determine the suitability of products and services for a member as well as determining a member's eligibility to obtain products and services, including a member's eligibility for obtaining credit and to exchange credit information on an ongoing basis with other credit suppliers and credit reporting agencies.
- to set up, operate and administer products and services as requested by the member; including the provision of personal information to other service providers involved in the operation and administration of services on behalf of the credit union.
- to provide information and advice on products and services that may be of interest to the member.
- to conduct research to assist the credit union in developing its products and services, to determine products and services that may be of interest to the membership, and to obtain feedback on the credit union’s current products and services.
- to disclose information to third parties in connection with the ongoing management of the credit union’s assets, including the assignment or sale of loans, and the subsequent collection, use or disclosure of that information by those third parties and any of their agents or assignees for purposes of managing those assets.
- to provide ombudsman or mediation services to address member concerns regarding Servus products or services.
2.4. When personal information that has been previously collected is to be used for a purpose that has not been previously identified, the new purpose shall be identified and the member's consent shall be obtained prior to the information being used for the new purpose. If the new use is either required by law or it is otherwise impossible or impractical to obtain consent, the member's consent will not be obtained. Refer to Section 3 (Consent) for more information.
3. Consent: The knowledge and consent of the member is required for the collection, use, or disclosure of personal information, except where inappropriate.
3.1. Consent is required for the collection, use or disclosure of personal information. In certain circumstances, consent may be obtained after the information has been collected but before its use.
3.2. Servus shall make a reasonable effort to ensure that the member is aware of the purposes for which the information will be used. The purposes for collection, use, or disclosure will be explained to the member in a clear, understandable way before consent is obtained.
3.3. Servus shall not require a member to consent to the collection, use or disclosure of information beyond what is required to fulfil explicitly specified and legitimate purposes as a condition for supplying a product or service. Servus shall not obtain a member's consent through deceptive measures.
3.4. The way in which Servus shall seek consent may vary, depending on the circumstances and the type of information collected.
Members can give consent in the following manner:
- in writing, such as completing and signing an application
- through inaction, such as failing to check a box indicating that they do not wish their information to be used for optional purposes.
- orally, such as information collected over the telephone or in person
- at the time a product or service is used
- through an authorized representative, such as a legal guardian or Attorney
3.5. Servus may collect, use or disclose personal information without consent in circumstances where it is legally impossible or impractical to obtain consent. Legal exemptions to the consent requirement are covered in Section 4 (Limiting Collection), and Section 5 (Use, Disclosure, and Retention) of this policy. Other circumstances where consent may not be obtained include:
- instances where consent may not be possible or appropriate in the event the member is a minor, seriously ill, incapacitated, or otherwise unable to provide consent.
- express consent will not be obtained when personal information is given to suppliers or agents of the credit union who need it to carry out functions that would reasonably be expected to be required in connection with a service.
- when the credit union obtains customer lists from another organization, the credit union will assume that the organization providing the personal information will have obtained consent of the individuals appearing on the list prior to disclosing it to the credit union.
3.6. Subject to legal or contractual restrictions on Servus, a member may withdraw consent at any time provided that:
- reasonable notice of the withdrawal is given to the credit union in writing and includes the understanding by the member that withdrawal of consent could mean that the credit union is prohibited from providing the member with a related product, service, information of value, and possibly continued membership
- consent does not relate to a credit product requiring the collection and reporting of information after credit has been granted
Servus Credit Union shall inform the member of the implications of such withdrawal.
4. Limiting Collection: Servus Credit Union shall limit the collection of personal information to that which is necessary for the purposes outlined in Section 2 (Identifying Purposes) of this policy. The information shall be collected using fair and lawful means.
4.1. Servus shall not collect personal information indiscriminately. Servus shall specify the amount and type of the information collected, and ensure that it is limited to the information necessary to fulfil the identified purposes and in accordance with our documented policies and procedures.
4.2. Servus shall collect personal information via fair and lawful means, and not by misleading or deceiving members about the purpose for which the information is being collected.
4.3. Collection of Member Information without Consent: The knowledge and consent of a member is required for the collection of personal information except in the following circumstances:
- a reasonable person would consider the collection of the information to be clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way or the individual would not be reasonably expected to withhold consent.
- the collection of the information is authorized or required by:
  - a provincial or federal statute or regulation
  - a bylaw of a local government body
  - legislative instrument of a professional regulatory organization
- the collection of the information is from a public body and that public body is authorized or required by a provincial or federal enactment to disclose the information
- the collection of information is reasonable for the purposes of an investigation or legal proceeding
- the information is publicly available
- the collection is necessary to determine the individual’s suitability to receive an honour, award, or similar benefit, including an honorary degree, scholarship, or bursary
- the information is collected by a credit reporting agency where the individual has consented to the disclosure to the credit reporting organizations by the organization that originally collected the information
- the collection of the information is necessary in order to collect a debt owed to the organization or for the organization to repay the individual money owed by the organization.
4.4. In the event that Servus uses a Service Provider located outside Canada to collect personal information from a member who has given consent, or directly or indirectly transfers to a Service Provider located outside Canada personal information about a member who has given consent, Servus shall provide notification to the member about the following:
- the way in which a member can obtain access to Servus’ policies and procedures pertaining to Service Providers outside Canada
- contact information for the person who is able to answer, on behalf of Servus, member questions about the collection, use, disclosure or storage of personal information by Service Providers outside Canada.
5. Use, Retention and Disclosure: Servus Credit Union shall not use or disclose personal information for purposes other than those for which it was collected, except with member consent or as required by law. Personal information shall be retained only for as long as necessary.
5.1. When personal information is used for a new purpose, Servus shall document the new purpose and obtain consent as required.
5.2. Use of Member Information without Consent: The knowledge and consent of a member is required for the use of personal information except in the following circumstances:
- a reasonable person would consider the use of the information to be clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way or the individual would not be reasonably expected to withhold consent.
- the use of the information is authorized or required by:
  - a provincial or federal statute or regulation
  - a bylaw of a local government body
  - legislative instrument of a professional regulatory organization
- the collection of the information is from a public body and that public body is authorized or required by a provincial or federal enactment to disclose the information
- the use of information is reasonable for the purposes of an investigation or legal proceeding
- the information is publicly available
- the use is necessary to determine the individual’s suitability to receive an honour, award, or similar benefit, including an honorary degree, scholarship, or bursary
- a credit reporting organization was permitted to collect the information and the information is not used by the credit reporting organization for any purpose other than to create a credit report
- the use of the information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public
- the use of the information is necessary in order to collect a debt owed to the organization or for the organization to repay the individual money owed by the organization.
5.3. Disclosure of Member Information without Consent: The knowledge and consent of a member is required for the disclosure of personal information except in the following circumstances:
- a reasonable person would consider the disclosure of the information to be clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way or the individual would not be reasonably expected to withhold consent.
- the disclosure of the information is authorized or required by:
  - a provincial or federal statute or regulation
  - a bylaw of a local government body
  - legislative instrument of a professional regulatory organization
- the disclosure of the information is to a public body and that public body is authorized or required by a provincial or federal enactment to collect the information
- the disclosure of the information is for the purpose of complying with a subpoena, warrant or order issued or made by a court, person, or body having jurisdiction to compel the production of information or with a rule of court that relates to the production of information
- the disclosure of the information is to a public body or law enforcement agency in Canada to assist in an investigation undertaken with a view to a law enforcement proceeding, or from which a law enforcement proceeding is likely to result
- the disclosure of the information is necessary to respond to an emergency that threatens the life, health, or security of an individual or the public
- the disclosure of the information is for purposes of contacting the next of kin, or a friend of an injured, ill, or deceased individual
- the disclosure of the information is necessary in order to collect a debt owed to the organization or for the organization to repay the individual money owed by the organization.
- the information is publicly available
- the disclosure of the information is to the surviving spouse or adult interdependent partner or to a relative of a deceased individual if, in the opinion of the organization, the disclosure is reasonable
- the disclosure is necessary to determine the individual’s suitability to receive an honour, award, or similar benefit, including an honorary degree, scholarship, or bursary
- the disclosure of the information is reasonable for the purposes of an investigation or a legal proceeding
- the disclosure of the information is for purposes of protecting against, or for the prevention, detection, or suppression of, fraud, and the information is disclosed to or by:
  - an organization that is permitted or otherwise empowered or recognized to carry out any of these purposes under a federal or provincial statute or regulation, or a Ministerial order made under a federal or provincial statute or regulation
  - Investigative Services, a division of the Insurance Bureau of Canada
  - the Canadian Bankers Association, Bank Crime Prevention and Investigative Office
- the organization is a credit reporting organization and is permitted to disclose the information under the Fair Trading Act
5.4. Servus shall protect the interests of its members by taking reasonable steps to ensure that:
- any orders or demands received by the credit union comply with the laws under which they were issued
- only the personal information that is legally required is disclosed and nothing more
- casual requests for information are denied
- personal information disclosed to unrelated Third Party suppliers of non-financial services is strictly limited to programs endorsed by Servus Credit Union
Servus Credit Union shall make a reasonable effort to notify a member if an order has been received, if not contrary to the security of the credit union and the law allows it. Notification may be by telephone, letter to the member's usual address, or by any other means as the credit union deems appropriate.
5.5. Health records collected by the credit union may be used to verify the authority of trust representatives (for purposes of account management), for credit applications and related insurance purposes. Health records shall not be collected from or disclosed to any other organization.
5.6. Servus shall maintain guidelines and procedures with respect to the retention of personal information. These guidelines shall include the minimum and maximum retention periods regarding personal information and may be subject to legislative requirements. Personal information that has been used to make a decision about a member shall be retained long enough to allow the member access to the information after the decision has been made.
5.7. Subject to any legal or regulatory requirement to retain records, personal information that is no longer required to fulfil the identified purposes shall be destroyed, erased or made anonymous. Servus shall develop and implement guidelines and procedures to govern the destruction of personal information.
6. Accuracy: All personal information under the control of Servus Credit Union shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
6.1. The extent to which personal information will be accurate, complete, and up-to-date will depend upon the use of the information and take into account the interests of the member. Servus will rely on the member to keep certain personal information accurate such as name and address. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about a member.
6.2. Servus shall not routinely update personal information, unless the process is necessary for the purposes for which the information is used or as required by law or regulation.
6.3. Personal information that is used on an ongoing basis, including information that is disclosed to third parties, will generally be accurate and up-to-date unless limits to the requirement for accuracy are clearly set out.
7. Safeguards: Servus Credit Union shall protect personal information with security safeguards that are appropriate to the sensitivity of the information. Servus will take the same standard of care as it takes to safeguard its own confidential information of a similar nature.
7.1. Servus shall use security safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Servus shall protect personal information regardless of the format in which it is held.
7.2. The nature of the safeguards will vary depending on the sensitivity, amount, distribution and format of the information, and the method of storage.
7.3. Servus shall use the following methods of protection for personal information:
- Physical Safeguards such as locked filing cabinets, and restricted access to offices.
- Organizational Safeguards such as controlled entry to data centres and limiting access to information on a “need to know” basis.
- Technical Safeguards such as personal identification numbers, passwords and encryption
- Investigative Safeguards in cases where Servus has reasonable grounds to believe that personal information is being inappropriately collected, used, or disclosed
7.4. Servus shall regularly remind employees, directors and officers of the importance of maintaining the confidentiality of member personal information.
7.5. Servus may disclose personal information to third parties for purposes such as printing cheques, data processing, collection, and credit bureau reports in the provision of services to our members. These third parties shall be required to safeguard the personal information disclosed to them in a manner consistent with personal information under credit union control.
7.6. Servus shall use care in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.
8. Openness: Servus Credit Union shall make information about its policies and procedures relating to the management of personal information readily available to members.
8.1. Servus shall be open about its privacy policies and procedures with respect to the management of personal information and shall make them readily available in an understandable format. The information made available shall include the following:
- the name, title and address of the designated individual who is accountable for compliance with the credit union’s policies and procedures and to whom complaints can be forwarded
- the process for accessing personal information held by the credit union
- a description of the type of personal information held by the credit union as well as a general account of its use
- a copy of any brochures or other information that explains the credit union’s policies, procedures, standards, or codes
- the types of personal information that Servus shares with its Affiliates or other suppliers
8.2. The information regarding Servus’ policies and procedures may be available in a variety of ways, depending on the nature of service members are using and the sensitivity of personal information. Methods of availability include: in branch brochures, mail outs to members, online or telephone access.
9. Individual Access: Upon request, a member shall be informed of the existence, use and disclosure of their personal information and shall be given access to that information. A member is entitled to challenge the accuracy and completeness of the information and have it amended as appropriate.
9.1. Upon request, Servus shall inform a member of the existence, use, disclosure, and source of personal information about him/her held by the credit union and shall allow reasonable access to this information.
9.2. In some cases, Servus may not be able to provide access to all of the personal information that it holds. Servus shall limit these cases and make them specific in its policies and procedures.
Servus may deny access to personal information for the following reasons:
- the information is protected by legal privilege
- disclosure of the information would reveal confidential information that is of a commercial nature and it is not unreasonable to withhold this information
- the information was collected for an investigation or legal proceeding
- the information was generated in the course of a formal dispute resolution
Servus shall deny access to personal information for the following reasons:
- the disclosure of the information could reasonably be expected to threaten the life or security of another individual
- the information would reveal personal information about another individual
- the information would reveal the identity of an individual who has in confidence provided an opinion about another individual and the individual providing the opinion does not consent to the disclosure of his/her identity
If Servus can reasonably omit the information referred to in the above sections from record(s) that contain personal information about the member, Servus shall provide access to the remaining parts of the record.
9.3 In order for Servus to provide an account of the existence, use, and disclosure of personal information it holds, the member may be asked to provide sufficient information to aid in the search. The additional information provided shall only be used for this purpose.
9.4 Servus shall be as specific as is reasonable in identifying the type of information and the identity of third parties to whom information has been disclosed, including a list of organizations that may receive personal information.
9.5 Servus shall respond to a member request within a reasonable time and at a reasonable cost to the member. The requested information shall be provided or made available in a form that is generally understandable. For example, Servus will provide an explanation for any abbreviations or codes used to record information.
9.6 When a member successfully demonstrates the inaccuracy or incompleteness of his/her personal information, Servus shall amend the information as required. Depending on the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to Third Parties having access to the information in question.
9.7 When a challenge is not resolved to the satisfaction of the member, Servus shall record the substance of the unresolved challenge. When appropriate, the existence of the unresolved challenge shall be transmitted to Third Parties having access to the information in question.
10. Compliance: Members shall be able to question compliance with this policy to the Privacy Officer. Servus Credit Union shall have policies and procedures in place to respond to member questions and concerns.
10.1. Servus shall maintain procedures to receive and respond to complaints and inquiries about their policies and procedures relating to the handling of personal information. These complaint procedures will be easily accessible and simple to use.
10.2. Servus shall inform members who make inquiries or lodge complaints about the existence of the relevant complaint procedures. If the complaint is not satisfactorily resolved by the Privacy Officer, it may be escalated to the President and CEO for final arbitration. If the issue is unable to be resolved satisfactorily by the President and CEO, Servus shall implement procedures to refer the member to the Office of the Information and Privacy Commissioner of Alberta.
10.3. Servus shall investigate all reasonable concerns. If a concern is found to be justified, Servus shall take appropriate measures, including the revision of personal information and, if necessary, amending its policies and procedures.