This document sets out the obligations of Sutton Special Risk Inc. ("the Company") with regard to data protection and the rights of people with whom it works in respect of their personal data. In order to provide our products and services, the Company is required to collect sensitive and confidential personal information from our clients. We are committed to protecting the privacy and the confidentiality of such personal information. The following Privacy Guidelines have been developed in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), HIPAA, and Lloyd’s.
Personal Information includes any information, recorded or not, about an identifiable individual. This includes information such as name, age, sex, social insurance/security number, health status, health history, financial information or benefit claims information.
Personal Information does not include the name, title, business address or telephone number of an employee or an organization.
Sutton Special Risk is responsible for the personal information in its control, including information that may be transferred to a third party service provider performing services for, or on its behalf.
The purposes for which personal information is collected shall be identified before or at the time of collection.
Personal information is collected, used and disclosed only with the consent of the individual, or as otherwise permitted by law.
Consent to the collection, use, or disclosure of personal information may be expressed or implied, and may be given in writing, verbally, electronically or through an authorized representative.
Individuals may withdraw their consent at any time, subject to legal or contractual restrictions and reasonable notice. Individuals will be advised of the implications of such withdrawal, which may include the termination of a policy or the inability to process a claim.
Only personal information that is necessary for the purposes identified is collected. Such information is collected directly from the individual and may, with consent or as otherwise allowed by law, be collected from other sources.
Use, Disclosure And Retention
Personal information will not be used, disclosed or retained for purposes other than those for which the information was collected, except with the permission of the individual, or as permitted or required by law.
Any personal information that is collected, used or disclosed shall be as accurate, complete and current as is necessary for the purpose for which it is collected.
Personal information will be protected by safeguards appropriate to the sensitivity of the information.
Specific information about our policies and practices relating to the management of personal information will be made available upon receipt of written request addressed to the Privacy Officer.
The information made available may include:
• a description of the personal information held, and a general account of its use;
• the means of gaining access to personal information held;
• a copy of these guidelines;
• an account of personal information made available to third party service providers.
An individual may request to be informed of the existence, use and disclosure of personal information pertaining to him or her. Appropriate access will be provided to such information held.
Sutton Special Risk may choose to make personal medical information available only through a physician designated by the individual.
In certain situations as permitted by law, access to all personal information held with respect to an individual may not be possible. Exceptions to the access requirement will be limited and specific, and the reasons for denying access will be provided to the individual.
Individuals may request correction to their personal information held, if such information is shown to be in error.
Data Protection Procedures
The Company shall ensure that all of its employees, contractors, agents, consultants, partners or other parties working on behalf of the Company comply with the following when processing and / or transmitting personal data:
• All emails containing personal data must be encrypted;
• Personal data may be transmitted over secure networks only – transmission over unsecured networks is not permitted in any circumstances;
• Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
• Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted;
• Where personal data is to be sent by facsimile transmission, the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
• Where personal data is to be transferred in hardcopy form, it should be passed directly to the recipient. Using an intermediary is not permitted unless otherwise unavoidable;
• All hardcopies of personal data should be stored securely in a locked box, drawer, cabinet, file room or similar;
• All electronic copies of personal data should be stored securely using passwords and suitable data encryption, where possible on a drive or server which cannot be accessed via the internet; and
• All passwords used to protect personal data should be changed regularly and should not use words or phrases which can be easily guessed or otherwise compromised.
The Company shall ensure that the following measures are taken with respect to the collection, holding and processing of personal data:
• All employees, contractors, agents, consultants, partners or other parties working on behalf of the Company are made fully aware of both their individual responsibilities and the Company’s responsibilities under PIPEDA, HIPAA, and Lloyd’s.
• All employees, contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal data will be appropriately trained to do so.
• Methods of collecting, holding and processing personal data shall be regularly evaluated and reviewed.
• All employees, contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal data will be bound by contract to do so in accordance with the principles of PIPEDA, HIPAA, Lloyd’s and this Policy. Failure by any employee to comply with the principles or this Policy shall constitute a disciplinary offence. Failure by any contractor, agent, consultant, partner or other party to comply with the principles or this Policy shall constitute a breach of contract. In all cases, failure to comply with the principles or this Policy may also constitute a criminal offence.
• All contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and PIPEDA.
• Where any contractor, agent, consultant, partner or other party working on behalf of the Company handling personal data fails in their obligations under this Policy, that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
Concerns, Inquiries Or Requests
Any concern, inquiry or request related to privacy should be made in writing to one of the following addresses:
Sutton Special Risk Inc.
33 Yonge Street