NAL Insurance Privacy Policy
NAL Insurance Inc. including all of its subsidiaries shall duly be referred to as (the “Company”). The Company is committed to protecting the Company’s clients’, agents, brokers, employees’ and representatives’ (the “Individual’s”) privacy, and to ensuring the confidentiality of the personal information provided to it in the course of the Company’s business.
The Company’s Privacy Policy sets out the Company’s standards for collecting, using, disclosing and storing the Individual’s personal information. The Company’s Privacy Policy also explains how the Company safeguards the Individual’s personal information and the Individual’s right to access that information.
Personal Information
Personal Information is any information about an individual that identifies him or her, such as financial, lifestyle or health information, but does not include their name, title or business address, telephone or email.
Personal information has to be protected regardless of its characteristics or its form, whether written, graphic, audio, visual, computerized or any other form.
The Company is responsible for protecting personal information in its possession or custody, including personal information that has been transferred to a third party for processing on the Company’s behalf.
Purpose of Information Collection
Collecting information about the Individual is necessary in order for the Company to provide the Individual with high quality services. The nature and sensitivity of the information the Company collects about the Individual varies according to the services the Company provides the Individual, and to legal requirements imposed on it.
The purposes for which the Company collects personal information about the Individual are identified at or before the time of collection. In addition, should a situation change after the time of collection, the Company will re-evaluate the purposes of collecting such information.
Purposes for collecting information generally include providing products or services requested, confirming the Individual’s identity, protecting against fraud, or dealing with matters concerning the relationship between the Company and the Individual. More specifically, the Company collects uses and discloses your personal information for the following “Identified Purposes” set out below:
- To verify the Individual’s identity, including checking identity against money laundering, terrorist financing or similar watch lists established by regulatory agencies or similar bodies in Canada, the United States or in other countries;
- To determine the Individual’s eligibility for the Company’s insurance products and services and for products and services that may be of interest to the Individual so that the Company may offer the products and services in question;
- To assess and underwrite insurance risks;
- To determine prices, fees and premiums;
- To administer the insurance;
- To investigate, manage and settle claims;
- To detect and prevent fraud;
- To compile statistics and conduct market research;
- To report to regulatory and industry agencies;
- To comply with the law and to meet legal, regulatory, self-regulatory, risk management and security requirements; and
- To comply with tax requirements.
Social Insurance Numbers (if provided) will be used for identification purposes if the Individual has given the Company permission to do so, and will be used for taxation purposes when necessary.
Personal information may be collected, used or disclosed for any of the Identified Purposes set out above or for other purposes with the consent of the Individual or as permitted or required by law.
Any questions and concerns the Individual may have regarding the purposes for collecting information may be directed to the Company at the address provided below.
Consent
When the Company collects personal information from the Individual, the Company obtains the Individual’s consent to use the information for the purposes collected. The Company will obtain the Individual’s consent for any additional use or collection, or if the purpose of using the information is changed.
The Company generally seeks the Individual’s express written consent in order to collect, use or disclose personal information. Where appropriate, for less sensitive information, the Company may accept the Individual’s verbal consent. Occasionally, the Company may imply consent where the Company can infer consent from the Individual’s action or inaction.
Consent must be given by the Individual or the Individual’s authorized representative such as a legal guardian, a person having power of attorney or for which the Individual has specifically authorized in writing to the Company.
The Individual or their authorized representative may withdraw the Individual’s consent at any time, subject to legal or contractual restrictions. The Company will inform the Individual of the consequences of such withdrawal, including the possibility that the Company may not be able to provide a product, adjudicate a claim or process a request. If the Individual chooses not to consent, the Company will record the decision in the Company’s file.
In limited circumstances, the Company has the right (or obligation) to collect, use or disclose personal information without the Individual’s knowledge and consent. This occurs when legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the investigation of a potential breach of contract, the prevention or detection of fraud, or for law enforcement purposes, seeking consent might defeat the purpose of the information collection. Similarly, seeking consent may be impossible or inappropriate when the Individual is a minor, seriously ill or otherwise incapacitated.
The Company accepts any of the following ways of consent for existing use and future collection, use and disclosure of the Individual’s personal information for the Identified Purposes:
- The Individual’s receipt of this Privacy Policy unless the Company is advised in writing that the Individual does not agree with the terms stated in this Policy and therefore wishes to opt out of all or portions of it.
- The Individuals unrestricted provision of information to the Company, either directly or through licensed agents, insurance brokers, adjusters or service representatives.
- The Individual’s express written consent as obtained through an application process.
- The Individual’s consent as provided by the authorized representative, such as a legal guardian or power of attorney.
- If the Individual obtains insurance for someone else (for example, a driver in the fleet or family member), the Individual represents that they have obtained from the other person, even though they might not be present during the application process, their consent to the collection, use and disclosure of their personal information for the Identified Purposes.
- If the Individual has an existing insurance policy with the Company and requests amendments to the policy, it is assumed that the consent that the Individual gave to the Company when buying the original policy remains in effect.
Limits to Collection, Use and Disclosure
The Company limits the collection of the Individual’s personal information to what the Company needs in relation to the Identified Purposes for the Individual.
The Company collects the information directly from the Individual unless the Individual allows the Company to collect information from a third party or in accordance with the law.
The Company limits the use of the Individual’s personal information to the purposes the Company has identified to the Individual. This means that the Company cannot use the Individual’s personal information for other purposes without the Individual’s consent, except as required by law.
The Company cannot disclose the Individual’s personal information to anyone except with the Individual’s consent or as required by law. However, in connection with the Identified Purposes, and with the Individual’s consent, the Company may disclose personal information to any authorized physician, medical practitioner, health care professional, hospital, health care institution, medical organization, clinic and any other medical or medically-related facility, the Medical Information Bureau, any insurance company, corporation, organization, institution, association, provincial health insurer, or person that has any information, records or knowledge regarding the Individual’s insurance policies or claim, to release and exchange any and all medical records, including medical history, symptoms, treatments, examinations or diagnoses, claim information, or any information or records that may be requested to or by the Company’s Underwriter; Industrial Alliance Insurance and Financial Services Inc., its reinsurers, agents, third party administrators, or its legal representatives.
The Company may transfer personal information to third parties that perform services on its behalf, such as mailing, call center, billing, marketing, information technology and/or data hosting or processing services or similar services, or otherwise to collect, use, disclose, store or process personal information on the Company’s behalf for the Identified Purposes. Some of these service providers may be located outside of Canada, including but not limited to in the United States or in India, and the Individual’s personal information may be collected, used, disclosed, stored and processed outside of Canada for the Identified Purposes. Other reasonable contractual measures the Company may take to protect the Individual’s personal information while processed or handled by these service providers are subject to legal requirements in Canada and other foreign countries applicable to those service providers, for example, lawful requirements to disclose personal information to government authorities in such countries.
The Company may also use and disclose personal information to parties connected with the proposed or actual financing, securitization, insuring, sale, assignment or other disposal of all or part of the Company’s business or assets, for the purposes of evaluating and/or performing the proposed transaction. Successors or assignees of the Company or assets may use and disclose the Individual’s personal information for similar purposes as those described in this Privacy Policy.
The Individual’s personal information is only accessible to certain authorized persons, and only to the extent necessary to perform their duties.
The Individual has the right to know, on request to whom the information was disclosed. Only in rare instances is the Company prevented by law from making such disclosure. The Company maintains accurate records, recording to whom it discloses personal information and in what circumstances the information was disclosed.
The Company will occasionally share the Individual’s personal information with service providers or agents to ensure the proper administration of products or to provide an Individual with the services the Individual requires. These service providers or agents must agree to comply with privacy legislation before receiving any personal information.
In certain circumstances, the Company may use service providers outside Canada, including the United States or India. The Company is responsible for the service provider’s compliance with the Company’s Privacy Policy and will ensure that the level of protection of personal information is comparable to that provided by the Company. Any questions concerning the collection, transfer or use of personal information outside Canada can be forwarded to the Privacy Officer at the address provided below.
The Company may gather information from the following sources:
- From the Individual, on applications for insurance products and services, or on other forms filled out through telephone, e-mail or face-to-face interviews;
- From licensed agents, insurance brokers, intermediaries and service representatives with whom the Individual has a relationship, as well as adjusters and inspectors;
- From the Individual’s employer or fleet administrator; for example, if they register the Individual for insurance on the Company’s Fleet Portal;
- From other insurers; for example, the Company may collect the claims information if it is in conjunction with the claim the Individual has with the other insurer or vice versa;
- From doctors and other health care providers; for example, health information where necessary to manage or settle insurance claims;
- From the Individual’s interactions with the Company; for example through underwriting; and
- From government entities; for example the Individual’s driving record.
Retention
The Company only retains the Individual’s personal information for as long as needed for the purpose it was collected. The Company must destroy this information in accordance with the law and the Company’s file retention guidelines. When the Company destroys the Individual’s personal information, the Company makes sure that confidentiality is secured and that no unauthorized person can access the information during the destruction process.
Client List
The Company may establish a list of clients (names, addresses and telephone numbers) and share this list with other companies of NAL Insurance Inc. The purpose of this list is to allow the Company to better serve the Individual by offering relevant and available products and services. The Individual may request that the Individual’s name be removed from such a list by writing to the Privacy Officer at the address provided below.
The Company does not sell client lists to third parties.
Accuracy
The Company makes every possible effort to ensure that the Individual’s personal information is as accurate and complete as necessary for the purposes it is collected, used, or disclosed. Should the Company become aware of an inaccuracy in the personal information; the Company will make every effort to contact the Individual to update the information.
Accountability
The Company is responsible for the Individual’s personal information in the Company’s possession or control, including information that may be transferred by the Company to third parties for processing. The Company requires such third parties to keep personal information under strict standards of privacy and protection.
The Company adheres to legislated and self-imposed rules, aimed to safeguard the Individuals’ privacy. The rules are established by this Privacy Policy, the Code of Business Conduct (applicable to directors, officers and employees), Market Conduct Standards (applicable to agents and brokers) as well as insurance industry guidelines and applicable law.
The Company’s staff is trained on these processes and procedures and is provided with information about privacy laws.
Safeguards
The Company has implemented and continues to implement rigorous safeguards so that the Individual’s personal information remains strictly confidential and is protected against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
Protection methods include organizational measures such as requiring security clearances and limiting access to a “need-to-know” basis, physical measures (e.g. building access cards for employees, visitor registration, off-site backups and archiving), and technological measures such as the use of password and encryption (e.g. the use of routinely changing passwords, firewalls and segmented operator access).
Request for Access to Information and Amendments
The Individual has the right to be informed whether the Company holds personal information about the Individual and to see that information. The Individual also has the right to enquire as to how the Company collected the Individual’s information, how the Company used it and to whom it may have been disclosed.
This information will be provided to the Individual within a reasonable time from the date the Company receives the Individual’s written request. The Company may charge a reasonable fee for processing the Individual’s request.
In certain limited and specific circumstances, the Company may refuse to provide to the Individual the requested information. Exceptions to the Individual’s access right can include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons, information that has been obtained in the course of an investigation of a potential breach of contract or fraud, and information that is subject to solicitor-client or litigation privilege.
In cases where the Company holds medical information about the Individual, the Company may refuse to provide the Individual with direct access to this information and may instead request that a health care professional be designated to provide the information to the Individual.
In other situations, the Company may be permitted or required to refuse the Individual’s request for access to personal information, including if:
- The information is protected by solicitor-client privilege;
- Granting access would reveal confidential commercial information;
- Doing so would reasonably be expected to threaten the life or security of another individual;
- The information was collected for purposes related to the detection and prevention of fraud;
- The information was generated in the course of a formal dispute resolution process; or
- The information would likely reveal personal information about another individual.
The Individual may challenge the accuracy and completeness of the Individual’s personal information. The Company will respond to an amendment request within a reasonable time.
Any request for access to information or request for amendment must be sent to the following address:
Privacy Officer
NAL Insurance Inc.
361 Dufferin Avenue
London ON N6B 1Z5
Toll free number: 1-800-265-1657
Email: privacy@nalinsurance.com
Complaints and Concerns
The Company’s employees and representatives are trained to respond to the Individual’s questions or concerns about personal information. Should the Individual be unsatisfied with the Company’s employees or representative’s response, the Individual may contact the Privacy Officer at the address mentioned above.
A complaint concerning the protection of personal information should be addressed to the Privacy Officer at the address provided above.