Incorporate Global’s policies, procedures and practices to protect clients’ information into everyday activities.
(Informing clients of the reason(s) for collecting their information, before or at the time of collection).
- Understand the client needs
- Provide ongoing service
- Establish and maintain communication with the client
Compile statistics to help understand the needs of the clients.
Global must ensure that full disclosure is made at the time of collection.
Client knowledge and consent is required before information is collected, used, or disclosed.
Every representative must record how the client’s consent was received.
A consent to disclose note can be added to a client file – with the name of the person to whom consent has been granted.
Whenever possible, every representative should obtain the information directly from the individual concerned.
Disclosure and Retention
Global will not provide sales representatives with existing client information - unless it is to fulfill the identified purpose.
Global will destroy, erase, or make anonymous any client information that is no longer required to fulfill the identified purpose.
Changes to client information should be verified with the client.
There should be procedures in place for working mobile/offsite to protect client information outside of Global’s premises.
All complaints received should be investigated.
Steps should be taken to correct practices after the outcome of a complaint.
Global investigates all complaints – and if well founded, Global takes appropriate measures, including amending policies and procedures if necessary.
Global must make changes and amend policies and procedures if necessary.
Privacy Breach Protocol
The following five steps will be initiated as soon as a privacy breach, or suspected breach, has been reported. The Privacy Officer will document the breach and guide the manager (employee or sales person) through the breach management process.
Step 1 – Report. Report and assess the report upon becoming aware of a possible breach of personal or confidential information. The suspected breach must be promptly reported to the Privacy Officer. This shall occur even if the breach is suspected and not yet confirmed. The report should capture:
- What happened?
- Where did it occur?
- When did the suspected incident occur?
- How was the potential breach discovered?
- What kind of information was breached, e.g. technology, paper files, shared through people?
- Was any corrective action taken when the possible breach was discovered?
Step 2 – Containment. This involves taking immediate corrective action to put an end to the unauthorized practice that led to a breach. The main goal is to alleviate any consequences for both the individual(s) whose personal or confidential information was involved and Global. All containment activities or attempts to contain the privacy breach shall be documented by the Privacy Officer.
Step 3 – Investigate. Once the privacy breach is confirmed and contained, the Privacy Officer shall conduct an investigation to determine the cause and extent of the breach by:
- Identifying and analyzing the events that led to the privacy breach. Did Global take reasonable precautions to prevent the breach?
- Evaluating if the breach was an isolated incident or if there is risk of further privacy breaches. (Revised Aug 2016)
- Determining who was affected by the breach e.g. clients or personnel, and how many individuals were affected.
- Evaluating the effect of containment activities.
- Evaluating who had access to the information.
- Evaluating if the information was lost or stolen.
- Evaluating if the personal or confidential information has been recovered.
Step 4 – Notify. Notification includes notification to the affected individual(s), authorities and/or other organizations (like the police if identity theft or other crimes are suspected). Affected individuals will be promptly notified and receive the initial notification as soon as possible after the breach has occurred. Further communication with the affected individuals may occur during the process as updates occur. The method of notification shall be guided by the nature and scope of the breach and in a manner that is reasonable to ensure that the affected individual will receive it. Direct notification e.g. by phone, letter, email or in person shall be used where the individuals are identified.
Step 5 – Prevention of Future Breaches. Once the breach has been resolved, the Privacy Officer, Management and the Executive of Global will work together to develop a prevention plan or take corrective actions as required. Prevention activities might include: audits; review of policies, procedures and practices; employee training; or a review of service delivery.