Gulf & Fraser will establish privacy policies that respect the code and ensure that the credit union complies with applicable privacy legislation, including the Personal Information Protection Act (PIPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and the legislation commonly known as Canada’s Anti-Spam Legislation (CASL). [Collectively, referred to as the “privacy legislation”] Gulf & Fraser will also develop a process to respond to complaints that may arise, and make information available on request about the policies and practices and the complaint process.

Gulf & Fraser’s Board of Directors is responsible for the credit union’s compliance with the privacy legislation, the approval of privacy policies, and the designation of the credit union’s Privacy Officer and Alternate Privacy Officer.

The Board of Directors, in consultation with the CEO’s Office, will designate a Privacy Officer who is responsible for managing and implementing the privacy policies and ensuring that the credit union’s privacy policies comply with the privacy legislation. The Board of Directors will notify all employees, the credit union’s members, and any affected third parties of the appointment. The Credit Union will designate a Privacy Officer and an alternate to oversee the protection of personal information in compliance with the BC Financial Institutions Act, the BC Personal Information Protection Act, and the Credit Union's privacy policies and practices.

The Board of Directors, in consultation with the CEO’s Office and the Privacy Officer, will designate an Alternate Privacy officer who will have identical responsibilities to the Privacy Officer in the event of the absence of the Privacy Officer.

The Privacy Officer will continually review compliance with the privacy policies within the credit union and its third-party suppliers and report to the Board of Directors and CEO’s Office any material matters concerning non-compliance with these privacy policies. 

The Privacy Officer will prepare a quarterly report for the Board of Directors ​that identifies key activities, any known contraventions of privacy laws by the credit union, including privacy breaches. 

The Privacy Officer will annually make recommendations (if required) for revisions to the privacy policies.

The Board of Directors will review and approve the changes to the privacy policies (as required).

When collecting personal information, the credit union will state its purpose for collecting personal information, as well as how it will be used and disclosed. The credit union will also provide, on request, the contact information for the Privacy Officer or Alternate Privacy Officer who can answer the individual’s questions about the collection.

The Privacy Officer is responsible for approving any new purpose for the collection, use, or disclosure of personal information, prior to the collection of personal information for the new purpose.  

The credit union will make reasonable efforts to ensure that all individuals are aware of and understand the purpose(s) for which their personal information is collected, used, and/or disclosed.

Express consent is when the individual giving consent has clearly stated, whether in writing, verbally, or through electronic means, his or her acceptance of the terms contained in a request for consent. Express consent is contrasted with implied or deemed consent, which is consent that is inferred from an individual’s actions and the facts and circumstances of a particular situation. 

Once express consent is obtained from an individual, further express consent will not be required when personal information is supplied to agents of the credit union who carry out functions such as data processing, cheque printing, and cheque processing, provided the use is consistent with the original stated purpose. 

The credit union’s Privacy Officer must review all instances that are brought to the Privacy Officer’s attention where an individual’s personal information is collected, used, and/or disclosed without the individual’s knowledge and consent. The Privacy Officer can authorize further action following the review, such as the removal, destruction, or anonymization of the personal information from or on the credit union’s systems.

The credit union will obtain express written consent for the collection, use, and/or disclosure of personal information through the use of standardized forms, except in circumstances permitted by the Personal Information Protection Act or other law.

The credit union will rely on express verbal consent only on an exception basis with the prior approval of the manager of the employee collecting the personal information. If the obtaining of verbal consent is approved, the employee will use a CRM note to record the date and time that the individual provided express verbal consent. 

Notwithstanding the above exception, under no circumstances will the credit union rely on express verbal consent to send a commercial electronic message (CEM) as this is a legislative requirement in the Privacy Legislation (CASL).  

The Privacy Officer must review and approve all forms used to obtain consent. The Privacy Officer must also review and approve the standardized scripts used to obtain express verbal consent.

The credit union will not, as a condition of supplying a product or service, require an individual to consent to the collection, use, and/or disclosure of personal information beyond what is required to fulfill explicitly specified and legitimate purposes. 

Where consent to the collection of additional, non-essential personal information for a product or service is sought from an individual, this will be identified as optional information, and collected only with the express consent of the individual. 

Where consent to an additional, non-essential use or disclosure of personal information is sought from an individual, this will be identified as an optional collection, use, or disclosure, and will be collected, used, or disclosed only with the express consent of the individual.

Refusal to consent to such optional collection, use, and/or disclosure will not influence the individual’s consideration for a product or service.

The credit union will require a written request from an individual who wants to withdraw consent. This written request will include the individual’s acknowledgement that he or she has been advised that the credit union may not be able to provide a product or service that the individual requests, now or in the future, as a consequence of the withdrawal. 

In addition, when an individual makes a request to withdraw consent, the employee processing the request will communicate the consequences of withdrawing consent to ensure that the individual can make an informed decision of whether or not to proceed. 

The withdrawal of consent is subject to any legal or contractual restrictions. The credit union will not allow the individual to withdraw consent if the withdrawal would impede the performance of a legal or contractual obligation.

The credit union will not collect personal information unless there is a legitimate purpose for the collection. At the time of collection, the credit union will specify the information to be collected, limited to what is necessary to fulfill the specified and legitimate purposes in accordance with the privacy policies.

Limiting use of personal information

The credit union will not use personal information for purposes other than those for which it was collected, except with the express consent of the individual or as required or authorized by law. 

Limiting disclosure of personal information 

The credit union may share personal information with its subsidiaries and other carefully selected organizations with the express consent of the individual or as required or authorized by law. 

The credit union will not disclose personal information except with the express consent of the individual or as required or authorized by law. 

When disclosing personal information, the credit union will take all reasonable steps to protect the privacy of its members and other individuals to ensure that:

• Orders or demands comply with the laws under which they were issued;
• Only personal information that is required or authorized to be disclosed is disclosed, whether to comply with legal requirements or to fulfill contractual obligations (e.g., with a third-party service provider);
• Information is only disclosed to the person authorized to receive it; and
• All personal information disclosed to third parties is protected by the same standards of care as personal information held by the credit union. 

If the credit union intends to provide an individual’s personal information to a third party under a legal order or demand, the credit union will notify the individual, unless the credit union is prohibited from doing so. Notification will be by mailed letter to the address on file.

Limiting retention of personal information

The credit union will retain personal information used to make a decision that affects an individual for at least one year after using it to make the decision. 

The Privacy Officer will ensure that minimum and maximum retention periods are reviewed on a regular basis to ensure that they comply with legislative requirements. The Privacy Officer will also ensure that the credit union disposes of, destroys, erases, or anonymizes personal information when there is no legal or business reason to retain it to prevent unauthorized parties from gaining access to the information.

The Privacy Officer will ensure that personal information held by the credit union is as accurate, complete, and current as necessary to fulfill the purposes for which the information was collected. The credit union will update personal information as necessary to fulfill the purposes for which the information was collected and/or at the request of the individual.

The Privacy Officer will ensure that personal information held on the credit union’s behalf by third parties (e.g., data service providers) is kept accurate, complete, and current. If an individual demonstrates the inaccuracy or incompleteness of personal information, the Credit Union will amend the information as required. If appropriate, the Credit Union will send the amended information to third parties to whom the information has been disclosed. When a challenge regarding the accuracy of personal information is not resolved to the satisfaction of the individual, the Credit Union will annotate the personal information under its control with a note that the correction was requested but not made.

Credit union safeguards

The credit union will protect personal information under its control through the combination of physical, electronic, and organizational controls.

The credit union’s controls will protect personal information against loss or theft, as well as unauthorized access, use, copying, modification, disclosure, or disposal. The credit union will protect personal information under its control regardless of the format in which it is held.

• Physical measures such as locked fire resistant filing cabinets and restricted access to offices
• Organizational measures, such as restricting employee access to files and databases
• Electronic measures, such as passwords and encryption
• Investigate measures if the Credit Union has reasonable grounds to believe that personal information is being inappropriately collected, used, or disclosed

Third-party safeguards 

The credit union will require third-party agents, or suppliers of products or services to the credit union, to safeguard personal information disclosed to them in a manner consistent with the Privacy Policies. The credit union will use contractual or other means to provide a comparable level of protection while the information is being held or processed by a third party. 

The credit union will not enter into any commercial relationships with organizations that do not, or cannot, agree to the credit union’s restrictions on the use and disclosure of personal information and any safeguards required by the credit union. 

The Privacy Officer must be satisfied that the personal information is adequately safeguarded by the third party. 

Ensuring adequate safeguards

The Privacy Officer will:

• Collaborate with third parties specializing in security safeguards, as required, to ensure the required level of protection;
• Conduct regular reviews of organizational and employee practices related to the safeguarding of personal information; and
• Periodically remind employees, officers, and directors of the importance of maintaining the security and confidentiality of personal information. 

Employees, officers, and directors are each required to commit in writing, on an annual basis, to keeping all personal information held by the credit union secure and confidential. This commitment can be included in the credit union’s Code of Conduct. 

Destruction of personal information

When personal information is no longer required for legal or business reasons, the credit union will securely dispose of, destroy, erase, or anonymize personal information, as appropriate. The disposal, destruction, or anonymization will prevent unauthorized access, use, and/or disclosure of personal information.  

The Privacy Officer will periodically review and evaluate the effectiveness of the disposal, destruction, and anonymization methods used by the credit union and will provide recommendations for improvement, if required.

The Credit Union will direct inquiries about the credit union’s privacy policies and processes to the Privacy Officer. The credit union will provide the name and contact information of the Privacy Officer to the individual making the inquiry. 

When responding to inquiries, the Privacy Officer can provide information that includes the following:

• The means that an individual can use to gain access to the personal information held by the credit union
• A description of the type of personal information held at the credit union, including a general explanation of what the personal information is used for
• Types of personal information made available to other organizations, such as affiliates or third-party service providers. The Privacy Officer will respond to inquiries in a form that is understandable and accessible to accommodate the reasonable needs of the individual making the inquiry. 

The credit union will provide routine account information, such as copies of recent statements, recent transaction slips, and account agreements, upon request to the individual entitled to receive the information. The credit union will charge its standard fee(s), in accordance with its standard fee schedule, for providing the information. 

The credit union will provide non-routine account information after receiving and reviewing a written request (an “Access to Information Request”). The individual making the Access to Information Request must provide adequate proof of his or her identity, and sufficient information to allow the credit union to locate the requested information.  

The credit union will direct an inquiry about non-routine account information and/or an Access to Information Request to the Privacy Officer. The Privacy Officer will provide assistance to an individual making an Access to Information Request. The Privacy Officer will respond to all Access to Information Requests, including any refusal to provide information in whole or in part. 

Where the credit union provides account information routinely (e.g., account statement) or because of a routine request, and the account information is inaccurate, the individual can provide the correct information and request that the credit union correct its records. Such requests can be made orally or in writing. If necessary, the credit union will refer the request to the Privacy Officer. 

Where the credit union provides account information because of an Access to Information Request, and the account information is inaccurate, the individual can request that the information be corrected by making a written request (a “Correction of Information Request”). A Correction of Information Request will be reviewed by the Privacy Officer.

Restricting access

The credit union will provide information under an Access to Information Request subject to the restrictions set out in this section and under the privacy legislation. 

The credit union will not disclose information that it is prohibited from disclosing and that is not required or authorized to disclose, including information that:

• Contains the personal information of another individual who has not consented to such disclosure of his or her personal information;
• Could threaten the safety or health of either the requesting individual or a third party;
• Would reveal personal information about another individual;
• Would threaten the life or security of another individual;
• Cannot be disclosed for legal, security, or commercial proprietary reasons; or
• Is subject to solicitor-client or litigation privilege. 

However, if the credit union is able to sever information that it is prohibited from disclosing and that is not required to be disclosed from its response to the requesting individual, it will do so. If the credit union refuses a request for access to personal information in whole or in part, the Credit Union’s response to the Access to Information Request will provide the reasons for refusal and provide the name, position/title, address, and telephone number of the Privacy Officer of the credit union who can answer the individual’s questions about the refusal. The credit union may refuse to confirm or deny the existence of personal information collected as part of an investigation. 

The Privacy Officer will review any situations where the credit union refuses to disclose the requested information in whole or in part due to the reasons set out above and can consult with the Corporate Solicitor. 

Response time 

The Privacy Officer will respond to an Access to Information Request within 30 days. If additional time is required to provide the requested information, the Privacy Officer may extend the time to respond by up to an additional 30 days, subject to providing a written notice containing the required information to the individual who made the Access to Information Request. 

If an extension of more than 30 days is required, the Privacy Officer will consult with the Board of Directors or the CEO's Office before making an application for approval to the Privacy Commissioner. 

The credit union will correct inaccurate account information as soon as is reasonable after being notified, whether notification is through a Correction of Information Request or otherwise. 

Cost of response 

The credit union will charge a minimal fee in accordance with its fee schedule for providing information under an Access to Information Request. The credit union will provide an estimate of the fee to the individual making the Access to Information Request. The credit union will not proceed with processing the Access to Information Request unless the individual agrees to the fee estimate. The credit union may require a deposit for all or part of the fee. 

The credit union will not charge for correcting information, whether a Correction of Information Request is received or not.

Any individual can challenge the credit union’s compliance with the privacy policies and privacy legislation. The credit union will, on request, inform the individual of its complaint process, which will be accessible and simple to use. The Credit Union will ensure that inquiries, concerns, and complaints regarding personal information receive prompt attention and are resolved in a timely manner. Where appropriate, members and other individuals will be informed of their right to file a complaint with the BC Privacy Commissioner and will be provided contact information.

The credit union will accept inquiries verbally or in writing. Complaints, however, will be accepted in writing only. 

Inquiry and complaint handling process

The Privacy Officer will acknowledge the individual’s inquiry or complaint as soon as reasonably possible, and provide an estimated time for a more detailed response, if required. 

Depending on the nature of the complaint, the Privacy Officer has the option to consult the CEO’s Office and/or the Board of Directors before providing a response. 

Justified complaints

If a complaint is found to be justified, the Privacy Officer is responsible for taking appropriate measures, including:

• Providing a written response to the complainant within the estimated time;
• Correcting incorrect personal information, if any;
• Revising the privacy policies and related processes, if required; and
• Reporting to the Privacy Review Team and Board of Directors on the actions proposed or taken to resolve the complaint.