Head Office
  Location:
  Canora, SK
  Canada

  Teleservice
  563-2400
  Toll free
  1-877-535-1299

Crossroads Credit Union
Market Code
Privacy Code

Privacy

Code for the Protection of Personal Information

Crossroads Credit Union Adopted by Crossroads Credit Union Board of Directors this 19th day of December, 2002

Introduction

Saskatchewan Credit Union and its employees have always been committed to keeping our customer personal information accurate, confidential, secure and private. The Privacy Code that follows builds on this commitment. This code is based on the Credit Union Central of Canada Model Privacy Code and on the Model Code for the Protection of Personal Information (CAN/CSA-Q830-96) included as Schedule 1 of the federal Personal Information Protection and Electronic Documents Act. This Code describes how Crossroads Credit Union subscribes to the principles set out in those model codes.

Principles

Ten interrelated principles form the basis of the Crossroads Credit Union Code for the protection of Personal Information (“the Code”). Each principle must be read in conjunction with the accompanying commentary.

1. Accountability

Crossroads Credit Union is responsible for personal information under its control and will designate a Privacy Officer who is accountable for the credit union's compliance with the principles of the Code.

2. Identifying Purposes

The purposes for which personal information is collected will be identified by the credit union at or before the information is collected.

3. Consent

The knowledge and consent of the Member are required for the collection, use, or disclosure of personal information, except in specific circumstances as described within this Code.

4. Limiting Collection

The collection of personal information will be limited to that which is necessary for the purposes identified by the credit union. Information shall be collected by fair and lawful means.

5. Limiting Use, Disclosure, and Retention

Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the Member or as required by law. Personal information will be retained only as long as necessary for the fulfilment of those purposes.

6. Accuracy

Personal information will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

7. Safeguards

Security safeguards appropriate to the sensitivity of the information will protect personal information.

8. Openness

The credit union will make readily available specific, understandable information about its policies and practices relating to the management of personal information.

9. Individual Access

Upon request, a Member will be informed of the existence, use, and disclosure of their personal information, and will be given access to that information. A Member is entitled to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Compliance

A Member will be able to question compliance with the above principles to the credit union’s Privacy Officer. The credit union will have policies and procedures to respond to the Member’s questions and concerns.

Definitions

The following definitions apply in this Code:

Collection

The act of gathering, acquiring, or obtaining personal information from any source, including Third Parties, by any means.

Consent

Voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of Crossroads Credit Union. Implied consent arises where consent may reasonably be inferred from the action or inaction of the Member.

Disclosure

Making personal information available to others outside Crossroads Credit Union.

Organization

Includes an organization, partnership, association, business, charitable organization, club, government body, institution, professional practices and unions.

Third Party

Any person or organization other than Crossroads Credit Union or the Member.

Use

The treatment and handling of personal information within Crossroads Credit Union.

Person

Includes an individual and an entity.

Personal Information

Means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization

Member

Includes members and nonmembers that receive financial services from the credit union.

Principles

Principle 1 – Accountability

Crossroads Credit Union is responsible for personal information under its control and will designate a Privacy Officer who is accountable for Crossroads Credit Union's compliance with the principles of this Code.

1.1 Ultimate accountability for Crossroads Credit Union's compliance with the principles rests with the Crossroads Credit Union Board of Directors, who delegate day-to-day accountability to a Privacy Officer. Other persons within Crossroads Credit Union may be accountable for the day-to-day collection and processing of personal information, or to act on behalf of the Privacy Officer.

1.2 Crossroads Credit Union will identify to its employees and to other persons, where appropriate, the Privacy Officer who is responsible for the day-to-day compliance with the principles.

1.3 Crossroads Credit Union is responsible for personal information in its control. Crossroads Credit Union will use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

1.4 Crossroads Credit Union will implement policies and procedures to give effect to the principles, including:

Procedures to protect personal information;
Procedures to receive and respond to concerns and inquiries;
Training staff to understand and follow Crossroads Credit Union's policies and procedures: and
Annual review of the effectiveness of polices and procedures to ensure compliance with the Code and consideration of any revisions as deemed appropriate.

Principle 2 - Identifying Purposes

Crossroads Credit Union will identify the purposes for which personal information is collected when or before the information is collected.

2.1 Crossroads Credit Union will document the purposes for which personal information is collected prior to the information being collected.

2.2 Crossroads Credit Union will make reasonable efforts to ensure that Members are aware of the purposes for which personal information is collected, including any disclosures to third parties.

2.3 The identified purposes should be specified to the person from whom the personal information is being collected. This can be done orally, electronically or in writing. An application form with the purposes highlighted, for example, may give notice of the purposes.

2.4 When personal information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use. Unless law requires the new purpose, the consent of the Member is required before information can be used for that purpose.

2.5 Identifying the purposes for which personal information is being collected at or before the time of collection also defines the information needed to fulfill these purposes. Crossroads Credit Union will collect personal information for the following purposes:

Understand Members needs and eligibility for products and services
Open, maintain and administer Member accounts and provide financial services that meet Member needs;
Administer and manage security and risk in relation to Member accounts and the financial services provided to Members;
Comply with legal and regulatory requirements;
Assist in dispute resolution;
Offer and provide Members with the other products and services of the Credit Union and of its affiliates and service suppliers.
Meet personnel requirements

Principle 3 – Consent

The knowledge and consent of the Member are required for the collection, use, or disclosure of personal information, except in specific circumstances as described within this Code.

Note: In certain circumstances personal information may be collected, used, or disclosed without the knowledge or consent of the Member. These circumstances include, but are not limited to:

Where clearly in the interests of the Member and consent cannot be obtained in a timely way;
To avoid compromising information availability or accuracy and if reasonable to investigate a breach of an agreement or a contravention of the laws of Canada or a province;
Where the information is considered by law to be publicly available;
To act in respect of an emergency that threatens the life, health or security of a Member;
To investigate an offence under the laws of Canada, a threat to Canada’s security, to comply with a subpoena, warrant or court order, or rules of court relating to the production of records, or otherwise as required by law.

3.1 Consent is required for the collection of personal information and the subsequent use or disclosure of this information. In certain circumstances, consent may be sought after the information has been collected but before use (for example, when existing information is to be used for a purpose not previously identified). Crossroads Credit Union may be required to collect, use, or disclose personal information without a Member's consent for certain purposes, including the collection of overdue accounts, legal or security reasons.

3.2 The principle requires "knowledge and consent". Crossroads Credit Union will make a reasonable effort to ensure that Members are aware of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the Member can reasonably understand how the information will be used or disclosed.

3.3 Crossroads Credit Union will not, as a condition of the supply of a product or service, require a Member to consent to the collection, use, or disclosure of information beyond that required to fulfill explicitly specified and legitimate purposes.

3.4 In determining the form of consent to use, Crossroads Credit Union will take into account the sensitivity of the information. Although some information (for example, medical and financial records) is almost always considered to be sensitive, any information can be sensitive depending on the context.

3.5 In obtaining consent, the reasonable expectations of the Member are relevant. For example, a credit union, its clients or other Members dealing with Crossroads Credit Union should reasonably expect Crossroads Credit Union to periodically supply information on credit union developments, products and services, and to provide ongoing services. Similarly, further consent will not be required when personal information is transferred to agents of Crossroads Credit Union to carry out functions such as data processing. In this case, Crossroads Credit Union can assume that the Member's request constitutes consent for specifically related purposes. On the other hand, a Member would not reasonably expect that personal information given to Crossroads Credit Union would be given to a third party company selling insurance products, unless consent was obtained. Consent will not be obtained through deception.

3.6 The way in which Crossroads Credit Union seeks consent may vary, depending on the circumstances and the type of information collected. Crossroads Credit Union will seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive.

3.7 Members can give consent:

In writing, such as when completing and signing an application;
Through inaction, such as failing to check a box indicating that they do not wish their names and addresses to be used for optional purposes;
Orally, such as when information is collected over the telephone or in person;
At the time they use a product or service; and
Through an authorized representative (such as a legal guardian or a person having power of attorney).

3.8 A Member may withdraw consent at any time, subject to legal or contractual restrictions, provided that:

Reasonable notice of withdrawal of consent is given to Crossroads Credit Union;
Consent does not relate to a credit product requiring the collection and reporting of information after credit has been granted; and
The withdrawal of consent is in writing and includes understanding by the Member that withdrawal of consent could mean that Crossroads Credit Union cannot provide the Member with a related product, service or information of value.

Crossroads Credit Union will inform the Member of the implications of such withdrawal.

Principle 4 – Limiting Collection

The collection of personal information will be limited to that which is necessary for the purposes identified by Crossroads Credit Union. Information will be collected by fair and lawful means.

4.1 Crossroads Credit Union will not collect personal information indiscriminately. Crossroads Credit Union will specify both the amount and the type of information collected, limited to that which is necessary to fulfill the purposes identified, in accordance with Crossroads Credit Union's policies and procedures.

4.2 Crossroads Credit Union will collect personal information by fair and lawful means, and not by misleading or deceiving Members about the purpose for which information is being collected.

Principle 5 – Limiting Use, Disclosure, and Retention

5.1 When Crossroads Credit Union uses personal information for a new purpose, the purpose will be documented.

5.2 Crossroads Credit Union will maintain guidelines and procedures with respect to the retention of personal information. These guidelines include minimum and maximum retention periods. Personal information that has been used to make a decision about a Member will be retained long enough to allow the Member access to the information after the decision has been made. Crossroads Credit Union may be subject to legislative requirements with respect to retention of records.

5.3 Subject to any requirement to retain records, personal information that is no longer required to fulfill the identified purposes will be destroyed, erased, or made anonymous. Crossroads Credit Union will develop guidelines and implement procedures to govern the destruction of personal information.

5.4 Crossroads Credit Union will protect the interests of Members by taking reasonable steps to ensure that:

Orders or demands comply with the laws under which they were issued;
Only the personal information that is legally required is disclosed and nothing more; and
Casual requests for personal information are denied.

Crossroads Credit Union will make reasonable efforts to notify Members that an order has been received, if not contrary to the security of Crossroads Credit Union and if the law allows it. Notification may be by telephone, or by letter to a Member's usual address.

5.5 A Member's health records at Crossroads Credit Union may be used for employment purposes, credit applications and related insurance purposes. A Member's health records will not be collected from, or disclosed to, any other organization.

Principle 6 – Accuracy

Personal information will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

6.1 The extent to which personal information will be accurate, complete, and up-to-date will depend upon the uses of the information, taking into account the interests of the Member. Crossroads Credit Union relies on Members to keep certain personal information, such as address information, accurate, complete and up-to-date. Information will be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about a Member.

6.2 Crossroads Credit Union will not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected.

6.3 Personal information that is used on an on-going basis, including information that is disclosed to third parties, will generally be accurate and up-to-date unless limits to the requirement for accuracy are clearly set out.

Principle 7 – Safeguards

Security safeguards appropriate to the sensitivity of the information will protect personal information. Crossroads Credit Union will apply the same standard of care as it applies to safeguard its own confidential information of a similar nature.

7.1 The security safeguards will protect personal information against loss or theft, as well as unauthorized access, use, copying, modification, disclosure or disposal. Crossroads Credit Union will protect personal information regardless of the format in which it is held.

7.2 The nature of the safeguards will vary depending on the sensitivity, amount, distribution and format of the information, and the method of storage. A higher level of protection will safeguard more sensitive information.

7.3 The methods of protection will include:

Physical measures, for example, locked filing cabinets and restricted access to offices;
Organizational measures, for example, controlling entry to data centres and limiting access to information to a "need-to-know" basis;
Technological measures, for example, the use of passwords and encryption; and
Investigative measures, in cases where Crossroads Credit Union has reasonable grounds to believe that personal information is being inappropriately collected, used or disclosed.

7.4 Crossroads Credit Union will periodically remind employees, officers and directors of the importance of maintaining the confidentiality of personal information. Employees, officers and directors are required to sign a declaration stating that they review Crossroads Credit Union’s Code of Conduct annually, including a commitment to keep all personal information in strict confidence.

7.5 Care will be taken in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.

7.6 Third parties will be required to safeguard personal information disclosed to them in a manner consistent with the policies of Crossroads Credit Union. Examples include cheque printing, data processing, credit collection, credit bureaus and card production.

Principle 8 – Openness

Crossroads Credit Union will make readily available specific, understandable information about its policies and procedures relating to the management of personal information.

8.1 Crossroads Credit Union will be open about privacy policies and procedures with respect to the management of personal information and will make them readily available in a form that is generally understandable.

8.2 The information made available will include:

The name or title, and the address of the Privacy Officer who is accountable for compliance with Crossroads Credit Union's policies and procedures and to whom inquiries or complaints can be forwarded;
The means of gaining access to personal information held by Crossroads Credit Union;
A description of the type of personal information held by Crossroads Credit Union, including a general account of its uses;
A copy of any brochures or other information that explains Crossroads Credit Union's policies, procedures, standards or codes; and
The types of personal information made available to related organizations such as subsidiaries or other suppliers of services.

8.3 Crossroads Credit Union may make information on its policies and procedures available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, Crossroads Credit Union may choose to make brochures available in its place of business, mail information to Members, provide on-line access, or establish a toll-free telephone number.

Principle 9 – Individual Access

Note: In certain situations, Crossroads Credit Union may not be able to provide access to all the personal information it holds about a Member. Exceptions to the access requirement will be limited and specific. The reasons for denying access include, but are not limited to the following:

Providing access would likely reveal personal information about a third party, unless such information can be severed from the record or the third party consents to the disclosure, or the information is needed due to a threat to life, health or security;
The personal information has been requested by a government institution for the purposes of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out any investigation related to the enforcement of any law, the administration of any law, the protection of national security, the defense of Canada or the conduct of international affairs;
The information is protected by solicitor-client privilege;
Providing access would reveal confidential commercial information, provided this information cannot be severed from the file containing other information requested by the Member;
Providing access could reasonably be expected to threaten the life or security of another person, provided this information cannot be severed from the file containing other information requested by the Member;
The information was collected without the knowledge or consent of the Member for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
The information was generated in the course of a formal dispute resolution process.

9.1 Upon request, Crossroads Credit Union will inform a Member of the existence, use, disclosure, and source of personal information about the Member held by Crossroads Credit Union, and will allow the Member access to this information. However, Crossroads Credit Union may choose to make sensitive medical information available through a medical practitioner.

9.2 For Crossroads Credit Union to provide an account of the existence, use, and disclosure of personal information held by Crossroads Credit Union, a Member may be asked to provide sufficient information to aid in the search. The additional information provided will only be used for this purpose.

9.3 In providing an account of third parties to which it has, or may have, disclosed personal information about a Member, Crossroads Credit Union will be as specific as possible, including a list of third parties.

9.4 Crossroads Credit Union will respond to a Member's request within a reasonable time and at no cost, or reasonable cost, to the Member. The requested information will be provided or made available in a form that is generally understandable. For example, if Crossroads Credit Union uses abbreviations or codes to record information, an explanation will be provided.

9.5 When a Member successfully demonstrates the inaccuracy or incompleteness of personal information, Crossroads Credit Union will amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information will be transmitted to third parties having access to the information in question.

9.6 When a challenge has not been resolved to the satisfaction of a Member, the substance of the unresolved challenge is to be recorded by Crossroads Credit Union. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.

Principle 10 – Challenging Compliance

A Member will be able to question compliance with the above principles to Crossroads Credit Union’s Privacy Officer. Crossroads Credit Union will have policies and procedures to respond to a Member’s questions and concerns.

10.1 All staff are to know the identity of the Privacy Officer. Information on how to contact the Privacy Officer will be identified to other Members periodically.

10.2 Crossroads Credit Union will maintain procedures to receive and respond to inquiries or complaints about their policies and procedures relating to the handling of personal information. The complaint procedures will be easily accessible and simple to use.

10.3 Members who make inquiries or lodge complaints will be informed by Crossroads Credit Union of the existence of relevant complaint procedures. Crossroads Credit Union will also inform Members of their right to file a complaint with the Privacy Commissioner of Canada.

10.4 Crossroads Credit Union will investigate all complaints. If a complaint is deemed justified, Crossroads Credit Union will take appropriate measures, including revision of the personal information and, if necessary, amending Crossroads Credit Union's policies and procedures.