
Privacy Policy

Peters Insurance Agencies (2004) Ltd. 

4801 50th Ave, Wetaskiwin AB, T9A 0S1 

Ph: (780)352-3888 Fax: (780)352-2294 

Email: info@petersinsurance.ca

Our Privacy Promise describes in clear language how Peters Insurance Agencies (2004) Ltd. ensures the protection of the personal information you entrust to us.

Please read this document carefully, because we want you to know that Peters Insurance Agencies (2004) Ltd, as defined in this document ("Peters", "we", "us", "our"), protects your personal information. This Privacy Promise spells out the responsibilities of Peters and your rights as our applicant, current, former or prospective customer ("you" or "your") regarding the collection, use and disclosure of your personal information.

Data Collection

1. In Alberta, insurance brokerages must follow regulations set by the Alberta Insurance Council (AIC) and comply with federal privacy laws such as the Personal Information Protection and Electronic Documents Act (PIPEDA). The policies and procedures of an insurance brokerage typically cover the following areas:

A) Licensing and Compliance

 

•  Broker Licensing: All brokers must be licensed by the AIC and complete ongoing professional education. 

•  Regulatory Compliance: Brokerages must adhere to AIC guidelines and comply with the Insurance Act of Alberta. 

•  Errors and Omissions (E&O) Insurance: Brokerages are required to carry E&O insurance to protect against professional liability. 

 

B) Client Onboarding and Data Collection 

 

•  Needs Assessment: Brokers assess the client’s insurance needs through questionnaires and interviews. 

•  Quoting and Recommendations: Based on the client’s data, brokers provide multiple insurance quotes from different providers and offer tailored recommendations. 

•  Policy Issuance and Documentation: Once a client selects a policy, the broker handles the documentation and ensures accuracy and compliance. 

 

C) Claims Assistance 

 

•  Claims Reporting: Brokers assist clients in filing claims and act as intermediaries between the client and the insurer. 

•  Advocacy: They advocate for clients by ensuring timely claim processing and fair settlements. 

 

D) Record-Keeping and Privacy 

 

•  Retention Period: Brokers must retain client records for a specified period (typically 7 years in Alberta). 

•  Confidentiality: Client information is protected in compliance with PIPEDA and AIC privacy standards.

2. Data Collection: What, How, and Why

Insurance brokerages collect and manage a variety of personal and financial data to assess risk, recommend appropriate products, and comply with legal requirements.

 

A) What Data Is Collected? 

 

•  Personal Information: Full name, date of birth, gender, marital status. 

•  Contact Information: Address, phone number, email. 

•  Identification Data: Driver’s license number, SIN (if required for financial products), or other ID for verification. 

•  Financial Information: Income, assets, and credit history (for life insurance or financial products). 

•  Insurance History: Past claims, coverage history, and policy details. 

•  Risk Factors: Driving record, medical history (for health/life insurance), or property details. 

 

B) How Is Data Collected? 

 

•  Direct Collection: Via applications, quotes, or consultations (phone, online, or in person). 

•  Third-Party Sources: Brokers may access credit reports, claims history, or medical records from third parties with client consent. 

•  Consent Forms: Clients sign consent forms authorizing the collection, use, and sharing of personal data. 

 

C) Why Is Data Collected? 

 

•  Risk Assessment: To evaluate the level of risk associated with insuring the client. 

•  Accurate Pricing: To determine premiums based on the client’s risk profile. 

•  Tailored Coverage: To recommend appropriate insurance products. 

•  Claims Processing: To validate claims and prevent fraud. 

•  Regulatory Compliance: To meet legal requirements for identity verification, fraud prevention, and record-keeping. 

•  Marketing and Client Management: With consent, brokerages may use data for marketing new products or renewals. 

 

Privacy and Data Protection 

 

Under PIPEDA and Alberta’s Personal Information Protection Act (PIPA), brokerages must: 

  • Obtain informed consent for data collection and usage. 

  • Use data only for the stated purpose (e.g., policy issuance, claims). 

  • Protect data through encryption, firewalls, and access controls. 

  • Allow clients to request access to or correction of their data. 

Data Protection  

1. Purpose

The purpose of this policy is to outline the procedures and measures in place to protect against unauthorized access, use, or disclosure of personal and confidential data. This policy ensures compliance with Alberta’s Personal Information Protection Act (PIPA) and other applicable privacy laws.

2. Scope

This policy applies to all employees, contractors, and third parties who access or process personal data related to clients, employees, or business operations.

3. Definitions

  • Personal Information (PI): Any information about an identifiable individual, including name, contact details, financial information, and insurance policy details.

  • Confidential Information: Business-related data, trade secrets, or proprietary information that must be protected from unauthorized access.

  • Unauthorized Access: Any access to personal or confidential information by individuals without the proper clearance or legitimate business need.

4. Data Protection Principles

To safeguard personal and confidential data, we adhere to the following principles:

  • Limiting Collection: Only collecting data necessary for insurance-related purposes.

  • Data Accuracy: Ensuring that collected data is accurate and up to date.

  • Access Control: Limiting data access to authorized personnel only.

  • Accountability: Regular audits and reviews to ensure compliance.

5. Procedures to Prevent Unauthorized Access

A. Physical Security Measures

 

•  Office Access Control:

•  Secure entry points with keyed locks and a monitored alarm system with cameras.

•  Data Storage:

•   Physical files stored in filing cabinets behind doors that require key access.

•   Restricted access to server rooms or areas with sensitive data. 

•  Workstation Security: 

•   Screen auto-lock after inactivity (e.g., 5 minutes). 

•   Clean desk policy: employees must clear documents at the end of each day. 

 

B. Technical Security Measures 

 

•  Password Protection: 

•   Complex password requirements.

•   Multi-factor authentication (MFA) for remote access. 

•  Data Encryption: 

•   Encrypt personal and financial data during transmission and storage. 

•  Firewalls and Anti-virus Software: 

•   Use firewalls to block unauthorized access. 

•   Regular updates of anti-virus software. 

•  Network Monitoring: 

•   Use monitoring tools to detect suspicious activity. 

•   Log all access attempts and regularly review them. 

 

C. Data Access Controls 

 

•  Role-Based Access: 

•   Employees are only granted access to data necessary for their job duties. 

•  Remote Access Restrictions: 

•   Use VPNs and secure connections for remote employees. 

 

D. Employee Training and Awareness 

 

•  Privacy Training: 

•   Mandatory annual training on data protection and privacy regulations. 

•   Awareness campaigns on phishing and social engineering risks.

6. Incident Response and Reporting

If unauthorized access is detected:

1.    Immediate Action: 

•   Isolate compromised systems. 

•   Suspend affected accounts. 

2.    Investigation and Documentation: 

•   Determine the scope of the breach. 

•   Record all relevant details (date, time, individuals involved, and data accessed). 

3.    Notification: 

•   Notify affected individuals.

4.    Corrective Measures: 

•   Implement additional security controls to prevent recurrence.

7. Data Retention and Disposal

•  Retention:

•   Retain data only as long as required for business or legal purposes. 

•  Secure Disposal: 

•   Shred physical documents with on-site shredding.

8. Compliance and Review

•  Regular internal and external audits to verify compliance.

•  Policy Review:

•   This policy is reviewed annually or whenever there are significant changes in privacy regulations.

Data Protection  

Purpose: 

The purpose of the Clean Desk Policy is to promote a tidy, organized, and secure work environment. Maintaining a clean desk enhances workplace efficiency, protects sensitive information, and reduces the risk of unauthorized access. 

 

Scope: 

This policy applies to all employees and contractors.

Policy:

1.    Workstation Expectations: 

•   At the end of each workday, employees are required to clear their desks of all papers, files, and personal items. 

•   Confidential or sensitive documents must be securely stored in locked drawers or cabinets. 

•   Electronic devices (e.g., laptops, tablets) must be powered down or locked when unattended. 

2.    Daily Practice: 

•   Non-essential items should not be left on desks overnight. 

•   Work surfaces should be kept free of unnecessary clutter throughout the day. 

•   Shared workspaces (e.g., meeting rooms) must be cleared of materials after use. 

3.    Security and Confidentiality: 

•   Documents containing sensitive or confidential information must be properly filed or shredded when no longer needed. 

•   USB drives, external storage devices, and other portable media should not be left unsecured. 

 

Enforcement and Compliance: 

•   Regular audits may be conducted to ensure compliance with the Clean Desk Policy. 

•   Failure to adhere to this policy may result in corrective action in accordance with company procedures. 

Monitoring and Logging Data  

1. Purpose 

 

The purpose of this procedure is to establish a standardized process for monitoring and logging data activity within a virtual desktop environment hosted by a third-party IT provider. This ensures compliance with security policies, protects sensitive information, and enables timely detection of suspicious activity. 

 

2. Scope 

 

This procedure applies to all users, administrators, and third-party IT service providers managing or accessing the virtual desktop infrastructure (VDI). It covers monitoring and logging activities, including authentication events, data access, system modifications, and security incidents. 

 

3. Roles and Responsibilities 

 

•  System Administrators (Third-Party IT Provider): NIRIX 

•   Configure and maintain logging systems. 

•   Ensure logs are properly stored and protected. 

•  Internal IT Security Team: 

•   Define monitoring and logging requirements. 

•   Review logs for potential security threats. 

•   Coordinate incident response. 

•  End Users: 

•   Adhere to company security policies. 

•   Report any suspicious activity. 

 

4. Monitoring and Logging Procedure 

 

4.1. System Access and Authentication Monitoring 

 

•  Authentication Logs: 

•   Record successful and failed login attempts, including timestamps, IP addresses, and device information. 

•   Monitor for unusual login patterns (e.g., multiple failed attempts, logins from unrecognized locations). 

•  Two-Factor Authentication (2FA): 

•   Log all 2FA events, including device registration and approval attempts. 

•   Trigger alerts for failed or bypassed 2FA attempts. 

 

4.2. Data Access and Activity Logging 

 

•  File and Data Access: 

•   Include user ID, file name, timestamp, and action taken in the logs. 

•  Clipboard and File Transfers: 

•   Monitor clipboard and file transfer activities between local and remote systems. 

•   Log details of transferred files, including size, name, and destination. 

 

4.3. System and Security Events 

 

•  Firewall and Antivirus Events: 

•  Log all firewall rule modifications and suspicious activity detections. 

•  Record antivirus scans, detected threats, and remediation actions. 

•  Configuration Changes: 

•   Track and log all administrative changes to the virtual desktop environment (e.g., policy updates, user role changes). 

 

4.4. Incident Detection and Alerts 

 

•  Automated Alerts: 

•  Configure alerts for suspicious activities, such as multiple failed logins, unauthorized access attempts, or data exfiltration. 

•  Incident Response: 

•  Define escalation paths and incident response protocols for identified security events. 
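The two login patterns this procedure asks to alert on (sections 4.1 and 4.4: repeated failed attempts and logins from unrecognized locations) can be checked mechanically over the authentication log fields listed in 4.1. The following is an added example, not part of the brokerage's or NIRIX's tooling; the log format, the threshold of 5 failures in 10 minutes, and the list of recognised source networks are all constructed assumptions, since the page gives no numbers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not real data); the field set
# follows section 4.1: timestamp, user, result, source IP and device.
SAMPLE_LOG = """\
2025-03-20T08:01:10 user=alice result=FAIL ip=203.0.113.7 device=win-laptop-12
2025-03-20T08:01:25 user=alice result=FAIL ip=203.0.113.7 device=win-laptop-12
2025-03-20T08:01:40 user=alice result=FAIL ip=203.0.113.7 device=win-laptop-12
2025-03-20T08:01:55 user=alice result=FAIL ip=203.0.113.7 device=win-laptop-12
2025-03-20T08:02:10 user=alice result=FAIL ip=203.0.113.7 device=win-laptop-12
2025-03-20T08:15:00 user=bob result=SUCCESS ip=192.0.2.44 device=vdi-client-3
2025-03-20T08:40:00 user=bob result=SUCCESS ip=198.51.100.9 device=unknown-android
2025-03-20T09:10:00 user=carol result=FAIL ip=192.0.2.45 device=vdi-client-7
2025-03-20T09:12:00 user=carol result=SUCCESS ip=192.0.2.45 device=vdi-client-7
"""

# Assumed alerting parameters: the policy states no numbers, so these are placeholders.
FAIL_THRESHOLD = 5                    # failed attempts per user ...
FAIL_WINDOW = timedelta(minutes=10)   # ... within this sliding window
# Assumed prefixes of recognised office / VDI source networks (constructed).
KNOWN_PREFIXES = ("192.0.2.",)

def parse_line(line):
    """Split one 'timestamp key=value ...' log line into a dict with a datetime."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec

def detect_alerts(log_text):
    """Return (alert_type, user, detail) tuples for the patterns in sections 4.1/4.4."""
    alerts = []
    fails = defaultdict(list)   # user -> timestamps of recent failed attempts
    for line in log_text.splitlines():
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        if rec["result"] == "FAIL":
            fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW]
            fails[user].append(ts)
            if len(fails[user]) >= FAIL_THRESHOLD:
                alerts.append(("multiple_failed_logins", user,
                               f"{len(fails[user])} failures from {rec['ip']}"))
                fails[user].clear()   # one alert per burst, then start counting again
        elif not rec["ip"].startswith(KNOWN_PREFIXES):
            alerts.append(("unrecognized_location", user,
                           f"successful login from {rec['ip']} ({rec['device']})"))
    return alerts
```

Run against the sample it raises one alert for alice's five failures and one for bob's success from an unrecognised network; carol's single failure stays below the threshold.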

 

5. Log Retention and Storage 

 

•  Log Retention Period: 

•   Store logs in compliance with company policies and legal requirements. 

•  Secure Storage: 

•   Store logs in a secure, tamper-proof environment with access controls. 

•   Use encryption and hash verification to ensure log integrity. 
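"Hash verification to ensure log integrity" in the bullet above is most simply implemented as a hash chain: each stored entry carries the hash of the previous one, so editing or deleting a record breaks every hash after it. The code below is an added illustration, not the provider's implementation, and covers only the hash-verification half of the bullet (encryption at rest is a separate control); the sample records are constructed.

```python
import hashlib
import json

# Hash chain: entry[i].hash = SHA-256(entry[i-1].hash + canonical JSON of entry[i].record).
GENESIS = "0" * 64   # fixed "previous hash" for the first entry

def _entry_hash(prev_hash, record):
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append_entry(chain, record):
    """Append a record, linking it to the hash of the current last entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": _entry_hash(prev, record)})
    return chain

def verify_chain(chain):
    """Recompute every link; return (True, None) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, None

def build_sample_chain():
    # Constructed sample audit records (not real data).
    chain = []
    for rec in (
        {"ts": "2025-03-20T08:01:10", "user": "alice", "event": "login_failed"},
        {"ts": "2025-03-20T08:15:00", "user": "bob", "event": "login_success"},
        {"ts": "2025-03-20T08:16:30", "user": "bob", "event": "file_read",
         "file": "client-file-example.pdf"},
    ):
        append_entry(chain, rec)
    return chain

def tampered_chain():
    """Same chain, but the second record is silently altered after the fact."""
    chain = build_sample_chain()
    chain[1]["record"]["user"] = "mallory"
    return chain

def truncated_chain():
    """Same chain with the second entry deleted; the third entry's link no longer matches."""
    chain = build_sample_chain()
    del chain[1]
    return chain
```

In practice the latest hash would be written periodically to a separate store (or the log reviewer's own records) so that a reviewer can confirm nothing was rewritten since the last checkpoint.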

 

6. Reporting and Documentation 

 

•  Incident Reports: 

•   Document all detected incidents, including timestamps, affected systems, and resolution steps. 

•  Audit Logs: 

•   Maintain detailed audit logs for internal review and external audits. 

•  Compliance Reporting: 

•   Generate periodic compliance reports for management review. 

 

7. Security and Privacy Considerations 

 

•  Data Privacy: 

•   Ensure that monitoring practices comply with privacy regulations and do not infringe on user privacy rights. 

•  Access Control: 

•   Limit log access to authorized personnel only. 

Data Protection  

1. Purpose 

 

This policy outlines the steps taken when a privacy breach occurs, ensuring compliance with Alberta’s Personal Information Protection Act (PIPA).

 

2. Definition of a Privacy Breach 

 

A privacy breach occurs when there is unauthorized access to, collection, use, disclosure, or disposal of personal information. Examples include: 

•  Loss or theft of physical or electronic records containing personal information. 

•  Unauthorized disclosure of client information (e.g., sending information to the wrong recipient). 

•  Cyber incidents such as hacking, phishing, or malware attacks. 

•  Improper disposal of personal information. 

 

3. Reporting a Privacy Breach 

 

All employees must report suspected or confirmed privacy breaches immediately. 

 

Procedure: 

•  Immediate Reporting: 

•   Report the breach to the direct supervisor or privacy officer. 

•   Provide details of the incident, including: 

•  Date and time.

•  Description.

•  Individuals or data involved.

•  Actions taken.

•  Documentation:

4. Containment and Mitigation 

 

Upon identifying a breach, the Privacy Officer will coordinate containment efforts to limit further exposure. 

 

Steps to Contain the Breach: 

•  Stop Unauthorized Access: 

•  Disable compromised accounts or systems. 

•  Reset compromised passwords. 

 

 

5. Assessment and Investigation 

 

The Privacy Officer will conduct a thorough investigation to determine the scope and impact of the breach. 

 

Investigation Steps: 

•  Identify the type of personal information exposed. 

•  Determine how the breach occurred. 

•  Assess whether the breach poses a real risk of significant harm (RROSH), including: 

•   Financial loss. 

•   Identity theft. 

•   Reputational damage. 

•  Document all findings in the Privacy Breach Report Form. 

 

6. Notification Process 

 

If the breach creates a real risk of significant harm, the following notifications will be made: 

 

To Affected Individuals: 

 

A written notice will be sent to affected individuals, including: 

•  The nature of the breach. 

•  What information was compromised. 

•  Steps taken to mitigate the impact. 

•  Recommendations for protecting themselves (e.g., password changes). 

•  Contact details for further inquiries. 

•  The brokerage’s commitment to preventing future breaches. 

 

 

To Third Parties (if applicable): 

 

If third-party vendors or insurers are impacted, they will be notified promptly. 

 

7. Record-Keeping 

 

All breaches, regardless of severity, must be recorded in the Privacy Breach Log, including: 

•  The nature of the breach. 

•  Actions taken. 

•  Notifications made. 

•  Investigation outcomes. 

 

Records will be retained for at least 7 years in accordance with Alberta PIPA requirements. 

 

8. Prevention and Training 

 

To prevent future breaches: 

•  Employees will receive annual privacy training. 

•  The brokerage will regularly review and update privacy policies. 

•  Security measures (e.g., encryption, multi-factor authentication) will be enhanced as necessary.

Policy and Procedures

Version 2.0   

Effective: March 20, 2025 

Last Revised: March 20, 2025 
