Canadian privacy legislation recognizes the right of the individual to have his or her personal information protected and the need of organizations such as ASEBP to collect, use or disclose personal information for purposes that are reasonable. ASEBP is committed to protecting the privacy of personal information under the custody or control of ASEBP in accordance with the Personal Information Protection Act of Alberta ("PIPA" or "the Act") which came into force in January 2004. In situations when collection or disclosure of personal information crosses Alberta’s borders, the Personal Information Protection Electronic Documents Act of Canada (“PIPEDA”) applies.
At the root of our information management practice is the belief that we must be and safeguard the personal information entrusted to us. Fundamentally, we protect all personal information and only share information with those we are authorized to, whether by the consent of the individual whom the information is about or when required by legislation.
We rely upon internal practices and procedures to support these principles including procedures to respond to access requests, inquiries and complaints regarding our information handling practices.
Section 1: Accountability
1.1 ASEBP is accountable for the protection of all personal information under its custody or control. This accountability extends to all ASEBP Trustees and employees, regardless of role or position.
1.2 The overall responsibility for the protection of personal information and compliance with this policy rests with ASEBP's Chief Executive Officer and Privacy Officer.
1.3 ASEBP shall have policies and/or procedures for protection of personal information, processing requests for access to information and for responding to suspected or known privacy breaches. These policies are available to ASEBP covered members and staff upon request.
1.4 All new Trustees and employees shall undergo an orientation regarding privacy, access to and safeguarding of personal information. Regular refresher and ad hoc training shall also be provided as deemed necessary. (2015-12-30)
Section 2: Identifying Purposes
2.1 ASEBP shall communicate the purpose(s) for which information is being collected, either orally or in writing. The primary purpose for collecting personal information is to provide benefit coverage* to ASEBP covered members. Secondary purposes include, but are not limited to the following:
a. To understand the health needs of its covered members;
b. To develop and manage products and services to meet the needs of its members;
c. To contact members directly for ASEBP products and services that may be of interest;
d. To determine eligibility for services;
e. To ensure a high standard of service for its members;
f. To meet regulatory requirements;
g. To verify identity;
h. To conduct audits of claims;
i. To administer the terms and conditions of the benefit plans; and
j. To answer questions or communicate information related to job opportunities at ASEBP.
2.2 ASEBP is required to collect certain types of personal information to satisfy legal requirements.
For example, ASEBP is required to collect an individual’s Social Insurance Number in accordance with the Income Tax Act in order to issue T4A slips for income replacement benefits or Wellness Spending Accounts.
2.3 Unless required by law, ASEBP shall not use or disclose, for any new purpose, personal information that has been previously collected without first identifying and documenting the new purpose and obtaining the consent of the covered member.
Section 3: Consent
3.1 ASEBP shall obtain consent to collect, use, or disclose any personal information except where detailed in this Policy or where allowed by legislation. ASEBP shall make reasonable efforts to ensure that members understand how their personal information will be collected, used and disclosed.
3.2 Pursuant to section 8(2.2) of PIPA, ASEBP does not require consent from a covered member’s dependants (i.e. spouse and children) where collection, use or disclosure of their personal information is for the purpose of enrolment in or coverage under an insurance policy or benefit plan as these individuals are deemed to have provided such consent. ASEBP shall obtain consent from dependants when collection, use or disclosure of their personal information is required for any purpose not consistent with enrolment in or coverage under an insurance policy or benefit plan. (2010-08-11)
3.3 PIPA states that minors can act on their own behalf if they understand the nature of the rights and powers conferred upon them by the Act, and the consequences of exercising them. ASEBP has considered the nature of its business in light of this provision and has deemed that the majority of individuals who are 16 to 18 years of age would understand their rights in regards thereto as set out in the Act. ASEBP has identified these individuals as "knowledgeable dependants." Accordingly, ASEBP requires all knowledgeable dependants to provide consent for the collection, use or disclosure of their personal information where such collection, use or disclosure is not for the purpose of enrolment in or coverage under an insurance policy or benefit plan. (2010-08-11)
3.4 Consent regarding the collection, use or disclosure of personal information related to an individual under 16 years of age, for a purpose that is not consistent with enrolment in or coverage under an insurance policy or benefit plan will be obtained from the individual’s parent, guardian or legal representative. (2010-08-11)
3.5 In some situations, an authorized representative may take the place of the covered member. This means that another person has the authority to do what the individual can do under the Act. An authorized representative may be:
a. A guardian of a minor (someone who has the care and custody of a minor or takes daily care of the minor – for example, a married parent, a divorced parent with a custody order, a guardian appointed by a court, etc.);
b. An executor or administrator of the estate of an individual who has died;
c. A guardian or trustee of a dependent adult;
d. An individual acting with the written authorization of an individual; or
e. An individual who is acting under a power of attorney.
3.6 Consent may be express, implied or given through an authorized representative.
3.7 Privacy legislation sets out certain situations that allow an organization to collect, use or disclose information without consent, including, but not limited to, the following:
a. When such collection, use or disclosure is permitted or required by law;
b. When use or disclosure of information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public;
c. When the information is publicly available;
d. When ASEBP needs to collect a debt from a covered member;
e. When a reasonable person would consider that the collection, use or disclosure of the information is clearly in the interest of the individual and consent cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent; and
f. When ASEBP is required to disclose information pursuant to a subpoena, warrant or court order, or to comply with a rule of court that relates to production of information.
Note: A full list of circumstances that allow the collection, use or disclosure of personal information without consent is detailed in the Personal Information Protection Act of Alberta and the federal Personal Information Protection Electronic Documents Act.
3.8 Consent may be given orally, in writing or electronically, depending on the sensitivity of the information. For example, consent for disclosing benefit entitlement information to a spouse or service provider may be given over the phone, whereas ASEBP requires that consent to use/disclose bank account information for direct deposit or withdrawal purposes be provided in writing. ASEBP has developed specific consent forms for use by covered members and their dependants - these forms can be accessed via the ASEBP website.
3.9 Consent may be withdrawn or varied at any time subject to legal or contractual restrictions and reasonable notice. Individuals withdrawing consent may be notified of any impact this may have on their eligibility for services provided by ASEBP. ASEBP shall not unreasonably withhold services or information from covered members who refuse or withdraw consent; however, most services cannot be provided without collection, use or disclosure of personal information; therefore consent is usually required in order for ASEBP to continue providing its suite of services. Anyone considering withdrawing or varying their consent should contact ASEBP to determine the implications this may have. If consent is withdrawn or varied, a reasonable period of time is required to process the request. (2014-10-01)
Section 4: Limiting Collection of Personal Information
4.1 ASEBP only collects personal information required for business purposes. ASEBP does not collect information indiscriminately.
Where appropriate, ASEBP shall collect personal information directly from covered members or their authorized representative. Nevertheless, it is sometimes necessary to collect personal information from third parties such as employers (e.g. salary), service providers (e.g. treatment costs) and physicians (e.g. diagnoses). When ASEBP is required to collect information from such third parties we will do so with consent of the individual. ASEBP is not responsible for any additional information covered members provide directly to these parties. (2010-08-11)
4.2 ASEBP may record telephone conversations and will provide advance notice of any such recordings. Additionally, although not recorded, calls are sometimes monitored for training purposes as well as documented to enhance customer service and confirm discussions with covered members. (2014-10-01)
Section 5: Limiting Use, Disclosure and Retention of Personal Information
5.1 Personal information will only be used or disclosed for the purpose for which it was collected or as required by legislation. ASEBP shall only use information for a different purpose if granted consent to do so.
5.2 In order to optimize the services ASEBP provides, we may disclose or transfer personal information to third party service providers, including service providers located outside Canada. ASEBP selects all service providers carefully and insists that they have privacy and security standards that meet ASEBP’s strict requirements. ASEBP shall only provide to these service providers the personal information required for them to perform the services or functions for which they have been engaged. We require them to retain any personal information in strictest confidence and we restrict their use of covered members’ personal information to what is necessary to act on ASEBP’s behalf. ASEBP remains accountable for ensuring compliance with PIPA. ASEBP’s contracts with service providers will impose on these service providers those privacy and security requirements imposed on ASEBP by PIPA. (2018-10-09)
5.3 The length of time that personal information is retained by ASEBP varies depending upon the reason why the personal information was collected and the nature of the information. This period may extend beyond the end of the relationship with the individual but only for so long as required for business purposes or as required by legislation.
5.4 Reasonable and systematic controls shall be maintained to ensure that records retention and destruction schedules are followed for personal information that is no longer required. Personal information that is no longer required shall be destroyed, erased or made anonymous. ASEBP shall use appropriate security measures when disposing of personal information no longer required.
5.5 ASEBP does not engage in any activity involving the selling, trading, renting or leasing of personal information.
5.6 ASEBP may disclose personal information without consent when required pursuant to the provisions of applicable privacy legislation. In these circumstances, ASEBP shall protect the rights of the individual by making reasonable efforts to ensure that:
a. orders, warrants or demands appear to comply with the laws under which they were issued;
b. only the personal information that is legally required, and nothing more, is disclosed; and
c. it shall not comply with casual requests for personal information from government or law enforcement authorities.
ASEBP may notify individuals that such disclosure of personal information has been made pursuant to an order, warrant or demand if allowed by legislation.
Section 6: Accuracy
6.1 ASEBP shall make reasonable efforts to ensure that personal information is as accurate, complete, and up-to-date as possible as required for the purposes for which it was collected. In some cases, ASEBP relies on its members and school jurisdictions to ensure that certain information, such as the member's address or telephone number, is current, complete, and accurate.
6.2 Personal information used by ASEBP shall be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about a covered member.
6.3 ASEBP shall update personal information as necessary to fulfill the identified purpose(s) or upon notification.
6.4 An individual who believes that his or her personal information is incorrect or incomplete may ask ASEBP to correct it as follows:
a. The individual must submit the request for correction in writing and provide sufficient background information so that ASEBP can locate the information. ASEBP shall not charge a fee for handling requests for correction.
b. If ASEBP agrees to correct the information, the correction will be done as soon as possible. If it is reasonable to do so, ASEBP shall convey the corrected information to whomever the incorrect information was disclosed.
c. ASEBP will not correct or change an opinion, including an opinion from a professional (e.g. a doctor) or an expert. Opinions about an individual are based upon the other person’s view at the time the opinion was given. If ASEBP decides not to make a correction, ASEBP must make a note on the personal information saying that a correction was requested. If the personal information is only retained in electronic form, the request shall be documented in an appropriate manner on the covered member's electronic file.
d. When ASEBP receives a notice that another organization has corrected an individual’s personal information, ASEBP must also correct that same personal information about the individual that is in its custody or under its control.
Note: Corrections to names and addresses must be submitted through the employer (Early Retirees and those participating in the Supplemental Package submit corrections directly to ASEBP).
6.5 If an individual notifies ASEBP that a third party has provided information which is not correct, ASEBP will give the individual the name and address of that third party so that the information may be corrected.
Section 7: Safeguarding Personal Information
7.1 ASEBP is committed to the safekeeping of personal information, regardless of the format in which it is held (e.g. paper or electronic), in order to prevent its loss, theft, unauthorized access, disclosure or modification.
7.2 In order to ensure the security of personal information, ASEBP will employ reasonable security measures, including physical security of offices, electronic security measures such as passwords and encryption as well as employee training. Extensive controls are in place to maintain the security of our operations and information systems.
7.3 ASEBP employees shall use authorized authentication methods to verify the identity of the individual during telephone conversations or in-person attendances at its offices.
7.4 As a condition of employment, all ASEBP Trustees and employees are required to sign a confidentiality agreement. In addition, ASEBP regularly informs employees about its policies and procedures for protecting personal information. Throughout the term of employment, ASEBP employees are expected to respect and maintain confidentiality of personal information.
7.5 Covered members are responsible for notifying ASEBP about any relevant breaches to their personal information security. For example, if an individual’s ASEBP wallet identification card is stolen, he or she should contact ASEBP immediately so appropriate steps can be taken to protect his or her personal information.
7.6 Although ASEBP provides its covered members with access to their customer profile online, including the ability to enter Health Spending Account expenses, and takes all reasonable steps to safeguard the transmissions, ASEBP is not responsible if the information submitted electronically is intercepted.
7.7 The development of ASEBP's policies and procedures for the protection and handling of personal information is an ongoing process. As technology changes, ASEBP shall update, review, and develop information protection guidelines to ensure ongoing information security.
7.8 When ASEBP destroys personal information, appropriate safeguards shall be in place to prevent unauthorized access to the information during the destruction process.
7.9 When ASEBP transfers personal information to its trusted third party service providers, appropriate safeguards shall be in place to prevent loss or unauthorized access to the information during the transfer process. (2015-12-30)
7.10 In the event of a suspected or confirmed breach of personal information, ASEBP shall take immediate action, including but not limited to investigation of the incident, steps to contain the breach, evaluation of the risks associated with the breach, consideration as to whether the affected individual and/or the Office of the Information and Privacy Commissioner should be notified and what steps are necessary to safeguard against further breaches. If there is a real and significant risk of harm to an individual as a result of the breach, ASEBP shall notify the affected individual and the Office of the Information and Privacy Commissioner.
Section 8: Openness
8.1 ASEBP is transparent about the policies it uses to protect personal information.
8.2 ASEBP makes its policies regarding privacy available to any person upon request. However, to ensure the integrity of its security procedures and business methods, ASEBP will not disclose proprietary information.
8.3 ASEBP shall, upon request, make the following available:
a. The name, title, and address of the person accountable for the policies and to whom inquiries can be forwarded;
b. A description of the type of personal information held by ASEBP and a general account of its use; and
c. An explanation of what personal information is made available to third parties.
8.4 Once anonymized, personal information collected in accordance with the various ASEBP Plan Documents may be combined in order to enhance services provided to our covered members. Such anonymized data is not personal information pursuant to the Act; accordingly, the Act shall not apply to anonymized data. (2015-12-30)
8.5 ASEBP shall, upon request, provide individuals access to their personal information and respond openly, completely, and accurately. To safeguard personal information, ASEBP may request specific information to verify an individual's identity prior to providing access to the requested information. Any personal information collected to verify identity shall not be used for any other purpose.
8.6 If asked, ASEBP shall:
a. Give the individual access to his or her personal information;
b. Tell the individual what the information has been, or is being, used for; and
c. Tell the individual to whom, and in what situations, the information is being, or has been, disclosed.
8.7 The only exceptions to the above are if ASEBP has no such record, or if legislation permits otherwise.
8.8 In most cases, requests for access to personal information will be straightforward and will be accommodated with a minimum of bureaucratic procedure. However, the following details should be considered when a formal request for personal information is made:
8.8.1. A request for access to personal information must be written and provide sufficient details so that ASEBP can make a reasonable effort to locate the information;
8.8.2. Upon receiving the request, ASEBP shall take reasonable measures to respond to an applicant within 45* calendar days of receipt; and
Note: If PIPEDA applies, the request must be provided within 30 days of receipt.
8.8.3. If the request involves information that pre-dates January 2004, ASEBP may not have a record of the persons or organizations to whom the individual’s personal information may have been disclosed. In these cases, ASEBP shall advise the individual about the person(s) or organization(s) to whom ASEBP may have disclosed the information.
8.9 If an individual has a sensory disability ASEBP shall provide access in an alternative format, if available and if reasonable to do so.
8.10 An applicant who makes a request for access to a record containing personal information may be required to pay a basic fee of $25 for performing one or more of the following steps to produce a copy of the information:
a. Receiving and clarifying the request;
b. Obtaining consent if necessary;
c. Locating and retrieving the records;
d. Preparing the record for copying, including removing staples and paper clips;
e. Preparing a response letter;
f. Packaging copies for shipping or faxing, or both;
g. Postage and faxing costs;
h. Photocopying or printing a record.
8.11 Processing of a request may not commence until the basic fee has been paid, if applicable.
8.12 In addition to the basic fee, additional fees in accordance with the ASEBP Fee Schedule may be charged for producing a copy of a record.
8.13 If additional fees are charged in accordance with the ASEBP Fee Schedule, ASEBP will, prior to processing the request, provide a written estimate of the fee. A deposit equal to one-half of the estimate must be paid before ASEBP will complete the request. The outstanding balance must be paid prior to release of the requested records.
8.14 Individuals may challenge the reasonableness of fees charged to respond to an access request; however, ASEBP shall require information or documentation to validate the reduction or elimination of the fees.
Responding to a request for personal information
8.15 ASEBP has a duty to assist individuals who request access to their personal information (“applicants”). If it is reasonable to do so, ASEBP will explain terms, abbreviations, and codes used in its records.
8.16 Records consist of not only the paper file documents, but also electronic data.
8.17 ASEBP shall respond to a request for personal information within 45* calendar days of receiving the request. However, if there are situations that require extensive review, or a need for other input, the Act allows for extra time to respond. The 45-day timeframe to respond does not include the time between when clarification or additional information is requested and received, the fee estimate is given and the deposit is received or when the applicant is advised of the balance owing and when payment is made in full.
*Note: 30 days if PIPEDA applies
8.18 PIPA allows ASEBP to take an extra 30 days to respond if:
a. The request does not give enough information to allow one to identify the personal information or the record requested;
b. A large amount of personal information is requested or must be searched;
c. Completing the request in 45 days would unreasonably interfere with the operations of ASEBP; or
d. ASEBP must consult with another organization or public body to decide if access should be given.
8.19 If necessary, ASEBP may ask the Office of the Information and Privacy Commissioner of Alberta for a further time extension beyond the additional 30 days set out in paragraph 8.18 in which to respond to the request.
8.20 If ASEBP takes extra time to respond to a request, the applicant will be advised:
a. Why more time is required;
b. When ASEBP will respond to the request; and
c. That the applicant may ask for a review or make a complaint to the Office of the Information and Privacy Commissioner of Alberta.
8.21 If ASEBP is unable to respond to a request for access to information within the legislated time, the applicant must be informed:
a. If ASEBP has a record;
b. Whether he/she is entitled to all or part of the information requested;
c. If entitled, whether access will be given to all or part of the information;
d. If access will be given, where, when, and how it will be given; and
e. The reason for the delayed response.
8.22 If ASEBP refuses access to all or part of the information, the applicant is advised:
a. The reason(s) for refusing and the section(s) of the legislation that allow, or require ASEBP to refuse access;
b. The name of the person in the organization who can answer questions about the refusal; and
c. That he/she may ask ASEBP or the applicable Privacy Commissioner to review the organization’s decision to refuse access.
8.23 If an applicant requests access to medical information, ASEBP may, where appropriate, release this information through the applicant's treating physician or specialist.
Exceptions to giving access
8.24 ASEBP may refuse access in a number of situations as set out in privacy legislation. The exceptions most likely to be relied upon are:
a. When the information is protected by any legal privilege - for example, information in a letter sent between lawyers about a lawsuit or other legal action, or between a lawyer and client when the client is asking for legal advice or the lawyer is giving legal advice to the client; or
b. When disclosure would reveal confidential business information, and it is not unreasonable to hold back the information.
8.25 Pursuant to privacy legislation, ASEBP must refuse disclosure if disclosure:
a. Could reasonably be expected to threaten the life or security of another individual;
b. Would reveal personal information about another individual; or
c. Would identify the individual who gave an opinion about another individual, and the individual giving the opinion does not give his or her consent to disclose his or her identity. ASEBP can hold back the identity of the person who wrote the opinion while still giving access to the opinion itself, unless the applicant could determine who gave the opinion by reading it.
8.26 If any of the information in a record meets the criteria set out in 8.25, that information should be severed and the applicant will be advised of the relevant legislative authority used to sever such information. The remaining information shall then be given to the applicant provided that the integrity of the record is not compromised or destroyed as a result of the severing.
Section 9: Compliance and Complaints
9.2 All complaints, questions and concerns will be acknowledged, recorded and responded to by ASEBP in a timely manner.
9.3 If the Privacy Officer is unable to address the concern, the issue may be referred to ASEBP's Chief Executive Officer.
9.4 If a complaint is found to be justified, appropriate measures will be taken, including if necessary, amendment of ASEBP’s policies, practices and procedures. ASEBP shall advise the complainant of the results of the investigation and any action taken.
Date of Original Issue: September 24, 2008
Dates Modified: August 11, 2010; January 4, 2016; October 9, 2018