Privacy Policy

This document sets out the obligations of Sutton Special Risk Inc. and its affiliates ("the company", “we”, “us” or “our”) with regard to data protection and the rights of people whose personal information or personal data (both referred to as “personal information”) we collect, use, or disclose (“you” or “your”). In order to provide our products and services, the company is required to collect sensitive and confidential personal information from our clients. We are committed to protecting the privacy and the confidentiality of such personal information. The following privacy guidelines have been developed in accordance with applicable privacy requirements.

Personal information includes any information, recorded or not, about an identifiable individual. This includes information such as name, age, sex, social insurance/security/national identity number, health status, health history, financial information, or benefit claims information.

For Canadian residents, please note that personal information does not include the name, title, business address or telephone number of an employee or an organization when used or shared for business communications.

Accountability

Sutton Special Risk is the controller and is responsible for the personal information in its control, including information that may be transferred to a third party service provider performing services for, or on, its behalf.

Sources of Personal Information

Personal information we collect is often collected directly from you or through your broker. However, we also collect personal information from other sources, including:

  • Your employer or other third party obtaining insurance or making a claim on your behalf

  • Insurance carriers and other businesses we partner with to provide our products and services

  • Government and law enforcement agencies and registries

  • Public records, such as bankruptcy or criminal records

  • Credit bureaus, such as Equifax or TransUnion

  • Other financial or lending institutions, if it is relevant to your coverage or processing a claim

  • Healthcare providers and medical facilities

  • Any insurance company, government agency, or organization that manages public information data banks, or insurance information bureaus, that have knowledge of your personal information

  • Other people or organizations who may have information relevant to a claim we are investigating or confirming, such as witnesses of eventsOther people or organizations we work with in order to provide you with supports or services in the context of processing your claim.

Types of Personal Information We Collect and Use

We collect and use the following types of personal information:

  • Contact information, such as your name, address, and email.

  • Background and biographical information, such as your date of birth, gender, marital and family status, and employment.

  • Financial information, such as your banking, credit, income and asset information.

  • Health, medical and lifestyle information. We use this information to assess your eligibility for and provide our insurance products, as well as to process claims.

  • Government identification and information, such as your driver’s license, residency or citizenship status, passport, or social insurance number (SIN).

  • Your insurance and claims information, such as your insurance application and claims history, broker, and other current policies. This can also include the circumstances of a claim you or a third party submits.

  • Information about the interactions you have with us, such as email communications or recordings of phone calls.

  • Any other information you choose to provide us or that might be relevant to an application for insurance or an insurance claim.

We may collect other related information as well if it is relevant to the purposes identified below.

Purposes

We may collect, use and/or disclose personal information for the following purposes:

  • Communicate with you.

  • Verify your identity. Note that the use of your SIN for identity verification and credit checks is optional.

  • Provide and manage our insurance products. This includes the processes of evaluating and processing insurance applications, identifying appropriate insurance products for our clients, underwriting insurance, determining premiums, and confirming coverage.

  • Process insurance claims. This includes receiving, investigating and adjudicating claims. The claims investigation process includes verifying the information provided to us. It also includes paying out or providing services associated with claims.

  • Manage our business. This includes developing and improving our products and services, internal research and analytics, training our personnel, managing and assessing our risks, and other business operations.

  • Provide you with offers or information related to our products and services, or the products and services of our partners.

  • Conduct transactions with you or third parties. This includes receiving payment from you, or providing payment to you. It also includes exploring or engaging in business transactions that involve the sale of all or part of our or another company’s business or its assets.

  • Detect and prevent fraud or other criminal or malicious activity.

  • Meet legal requirements and obligations. We may have to collect, use or disclose your information to meet legal, regulatory or contractual requirements and to ensure compliance. It may also include abiding by industry rules.

  • Protect our interests and stakeholders. This includes enforcing our legal rights such as collecting a debt or investigating and ensuring compliance with legal obligations owed to us. It also includes taking steps to protect our clients, property, employees or business partners.

  • Respond to emergencies.

Sharing Your Information

We may share your information internally within the Company or with our service providers and advisors that support us in carrying out the purposes set out above, such as IT support, external counsel, and accounting firms. In addition, we may provide your information to the following third parties:

  • Your broker or other person acting on your behalf.

  • Beneficiaries under your policy.

  • Your employer, if relevant to providing or managing our insurance products or processing insurance claims.

  • Insurance carriers and other businesses we partner with to provide our products and services.

  • Government and law enforcement agencies, to meet legal requirements.

  • Credit bureaus, such as Equifax or TransUnion, to conduct credit checks.

  • Other financial or lending institutions, if it is relevant to your coverage or processing a claim

  • Healthcare providers and medically-related facilities, if relevant to providing or managing our insurance products or processing insurance claims.

  • Organizations, including insurance information bureaus, that manage insurance information data banks. We provide this information to support the insurance system and insurance-granting process.

  • Other people or organizations who may have information relevant to a claim we are investigating or confirming, such as witnesses of events.

  • Other people or organizations we work with in order to provide you with supports or services in the context of processing your claim.

  • Another company if we explore or enter into a business transaction, such as the sale of all or part of our business, or the securitization or insurance of our assets.

  • Any other person or organization with your consent.

Our privacy practices

Only personal information that is necessary for the purposes identified is collected. Such information is collected directly from the individual and may, with consent or as otherwise allowed by law, be collected from other sources. Personal information will not be used, disclosed or retained for purposes other than those for which the information was collected, except with the permission of the individual, or as permitted or required by law. Personal information will not be retained for longer than necessary to meet the purposes for which it was collected. Any personal information that is collected, used or disclosed shall be as accurate, complete and current as is necessary the purpose for which it is collected.

Specific information about our policies and practices relating to the management of personal information will be made available upon receipt of written request addressed to the Privacy Officer.

The information made available may include:

  • a description of the personal information held, and a general account of its use;

  • the means of gaining access to personal information held;

  • a copy of these guidelines;

  • an account of personal information made available to third party service providers.

Data Protection Procedures & Safeguards

Personal information will be protected by safeguards appropriate to the sensitivity of the information.

The Company shall ensure that all of its employees, contractors, agents, consultants, partners or other parties working on behalf of the Company comply with the following when processing and/or transmitting personal information:

  • All emails containing personal information must be encrypted;

  • Personal information may be transmitted over secure networks only – transmission over unsecured networks is not permitted in any circumstances;

  • Personal information may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;

  • Personal information contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted;

  • Where personal information is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;

  • Where personal information is to be transferred in hardcopy form it should be passed directly to the recipient. Using an intermediary is not permitted unless otherwise unavoidable;

  • All hardcopies of personal information should be stored securely in a locked box, drawer, cabinet, file room or similar;

  • All electronic copies of personal information should be stored securely using passwords and suitable data encryption, where possible on a drive or server which cannot be accessed via the internet; and

  • All passwords used to protect personal information should be changed regularly and should not use words or phrases which can be easily guessed or otherwise compromised.

Organizational Measures

The Company shall ensure that the following measures are taken with respect to the collection, holding and processing of personal information:

  • All employees, contractors, agents, consultants, partners or other parties working on behalf of the company are made fully aware of both their individual responsibilities and the Company’s privacy responsibilities.

  • All employees, contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal information will be appropriately trained to do so.

  • Methods of collecting, holding and processing personal information shall be regularly evaluated and reviewed.

  • All employees, contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal information will be bound to do so in accordance with applicable privacy requirements by contract. Failure by any employee to comply with the principles or this Policy shall constitute a disciplinary offence. Failure by any contractor, agent, consultant, partner or other party to comply with the principles or this Policy shall constitute a breach of contract. In all cases, failure to comply with the principles or this Policy may also constitute a criminal offence.

  • All contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal information must ensure that any and all of their employees who are involved in the processing of personal information are held to the same conditions as those relevant employees of the Company arising out of this Policy.

Where any contractor, agent, consultant, partner or other party working on behalf of the Company handling personal information fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.

Cross-border transfers of Personal Information

We and our service providers operate in multiple jurisdictions and underwrite insurance that provides international coverage. This means that we may transfer, store or disclose your personal information in jurisdictions other than the one in which your information was originally collected for the purposes described in this Privacy Policy. Your personal information may be subject to the laws in these jurisdictions. This means that your personal information may be subject to disclosure to foreign courts, law enforcement or governmental authorities. When we transfer personal information across borders, we consider a variety of safeguards that may apply to such transfers and comply with applicable legal requirements for the lawful transfer of personal information.

Individual Access

An individual may request to be informed of the existence, use and disclosure of personal information pertaining to him or her. Appropriate access will be provided to such information held. Sutton Special Risk may choose to make personal medical information available only through a physician designated by the individual.

In certain situations as permitted by law, access to all personal information held with respect to an individual may not be possible. Exceptions to the access requirement will be limited and specific, and the reasons for denying access will be provided to the individual.

Depending on your jurisdiction and subject to certain conditions and limitations under applicable law, you may also have the legal right to rectify the personal information that we hold about you. You can submit these requests by using our contact details in the section below. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will inform you of the reasons why, subject to any legal or regulatory restrictions and make a note of the request and result on your file.

Concerns, Inquiries Or Requests

Any concern, complaint, inquiry or request related to privacy should be made in writing to one of the following addresses:

privacyofficer@suttonspecialrisk.com

or

Privacy Officer
Sutton Special Risk Inc.
33 Yonge Street
Suite 400
Toronto, Ontario
M5E 1G4

Changes to this Notice

The Company reserves the right to change this Privacy Policy at any time. When we update this Privacy Policy, we will notify you of changes that are deemed material under applicable legal requirements by updating the date of this Privacy Policy and providing other notification as required by applicable law.

FOR UNITED KINGDOM (UK) AND EUROPEAN UNION (EU) RESIDENTS

Legal basis

The law requires us to have a legal basis for collecting and using your personal data. In addition to collecting and using your personal data for the performance of a contract with you, our legal obligation and with your consent, we may use your personal data where it is necessary to conduct our business and pursue our legitimate interests. We consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Transfers outside of the UK or EU

Whenever we transfer your personal data out of the UK or EU, we ensure a similar degree of protection is afforded to it by ensuring that:

  • the recipient countries have been deemed to provide an adequate level of protection for personal data; or

  • we have implemented standard contractual terms approved by the applicable data protection authority, which give the transferred personal data the same protection as it has in the original jurisdiction.

Your legal rights

You have a number of rights under data protection laws in relation to your personal data. You have the right to:

  • Request access to your personal data (commonly known as a "subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

  • Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object. You also have the absolute right to object any time to the processing of your personal data for direct marketing purposes.

  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:

  • If you want us to establish the data's accuracy;

  • Where our use of the data is unlawful but you do not want us to erase it;

  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or

  • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

If you wish to exercise any of the rights set out above, please contact us at the contact details specified under “Concerns, Inquiries Or Requests” above.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.