Privacy Code

Grand Forks District Savings Credit Union Privacy Policies

Commitment

The Credit Union is committed to protecting the confidentiality and privacy of the personal information of all members and other individuals whose personal information is held or controlled by the Credit Union.

The Code

The Credit Union recognizes the Credit Union Code for the Protection of Personal Information (the “Code”) developed by Credit Union Central of Canada and set out in Credit Union Central of Canada’s Credit Union Manual, based on principles entrenched in the Personal Information Protection and Electronic Documents Act (Canada). The Code is comprised of the following 10 interrelated privacy principles:

• Accountability – The Credit Union is responsible for personal information under its control and shall designate a Privacy Officer who is accountable for the Credit Union’s compliance with the principles of the Code.

• Identifying Purposes – The purposes for which personal information is collected shall be identified by the Credit Union at or before the time the information is collected.

• Consent – The knowledge and consent of the individual are required for the collection, use, and disclosure of personal information, except in specific circumstances as described within the Code.

• Limiting Collection – The collection of personal information shall be limited to that which is necessary for the purposes identified by the Credit Union. Information shall be collected by fair and lawful means.

• Limiting Use, Disclosure, and Retention – Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

• Accuracy – Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

• Safeguards – Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The Credit Union will apply the same standard of care as it applies to safeguard its own confidential information of a similar nature.

• Openness – The Credit Union shall make readily available to individuals specific, understandable information about its policies and practices relating to the management of personal information.

• Individual Access – Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual is entitled to question the accuracy and completeness of the information and have it amended as appropriate on proof of inaccuracy.

• Challenging Compliance – An individual shall be able to question compliance with the above principles to the Privacy Officer accountable for the Credit Union’s compliance. The Credit Union shall have policies and procedures to respond to the individual’s questions and concerns.

The 10 principles of the Code will form the basis for the Credit Union’s privacy policies and practices (the “Privacy Policies”), as set out below.

Compliance with Privacy Legislation

The Credit Union will establish Privacy Policies that respect the Code and ensure that the Credit Union complies with applicable privacy legislation [including the Personal Information Protection Act (BC), the Personal Information Protection and Electronic Documents Act (Canada), and the legislation commonly known as Canada's Anti-Spam Legislation] (the "Privacy Legislation").

Accountability for Compliance with Privacy Legislation

The Credit Union’s Board of Directors is responsible for the Credit Union’s compliance with Privacy Legislation and approval of Privacy Policies.

Privacy Officer and Alternate Privacy Officer

The CEO will designate a Privacy Officer who is responsible for managing and implementing the Privacy Policies and ensuring that the Credit Union’s Privacy Policies comply with Privacy Legislation. The Credit Union will notify all employees, the Credit Union’s members, and any affected third parties of the appointment. The CEO will also designate an Alternate Privacy Officer who will have identical responsibilities to the Privacy Officer in the event of the absence of the Privacy Officer. Neither the Privacy Officer nor the Alternate Privacy Officer will have, as a function of their jobs, the responsibility of overseeing the Credit Union’s compliance with anti-money laundering and counter-terrorist financing legislation.

Annual Reporting

The Privacy Officer will continually review compliance with the Privacy Policies within the Credit Union and its third-party suppliers and report to senior management and the Board of Directors, through the Audit & Operational Risk Committee, any material matters concerning non-compliance with the Credit Union’s Privacy Policies. The Privacy Officer will prepare an annual report for management and the Board of Directors through the Audit & Operational Risk Committee that identifies key activities, any known contraventions of privacy laws by the Credit Union, including privacy breaches, and recommended changes for consideration. The report will also include an overview of the number of inquiries received by the Privacy Officer, number of requests for access to, or correction of, personal information, and details regarding individuals’ challenges to the Credit Union’s compliance with these Privacy Policies. Management and the Board of Directors through the Audit & Operational Risk Committee will review each annual report to determine whether additional steps, beyond those taken by the Privacy Officer, are required.

Identifying Purposes for Collection of Personal Information

When collecting personal information, the Credit Union will state its purpose for collecting the personal information, as well as how it will be used and disclosed. The Credit Union will also provide on request the position or title and contact information for an employee who can answer the individual’s questions about the collection. The Privacy Officer is responsible for approving any new purpose for the collection, use, or disclosure of personal information, prior to the collection of personal information for the new purpose. If the new purpose is significantly different from existing purposes or involves a new use or disclosure to a third party, the proposed purpose must also be approved by senior management who will advise the Board of Directors through the Audit & Operational Risk Committee. The Credit Union will make reasonable efforts to ensure that all individuals are aware of and understand the purpose(s) for which their personal information is collected, used, and/or disclosed.

Express Consent

Express consent is when the individual giving consent has clearly stated, whether in writing, verbally, or through electronic means, his or her acceptance of the terms contained in a request for consent. Express consent is contrasted with implied or deemed consent, which is consent that is inferred from an individual’s actions and the facts and circumstances of a particular situation. Once express consent is obtained from an individual, further express consent will not be required when personal information is supplied to agents of the Credit Union who carry out functions such as data processing, cheque printing, and cheque processing, provided the use is consistent with the original stated purpose. The Credit Union’s Privacy Officer must review all instances that are brought to the Privacy Officer’s attention where an individual’s personal information is collected, used, and/or disclosed without the individual’s knowledge and consent. The Privacy Officer can authorize further action following the review, such as the removal, destruction, or anonymization of the personal information from or on the Credit Union’s systems.

Obtaining Express Consent

The Credit Union will obtain express written consent for the collection, use, and/or disclosure of personal information through the use of standardized forms. The Credit Union will rely on express verbal consent only on an exception basis with the prior approval of the manager or supervisor of the employee collecting the personal information. If the obtaining of verbal consent is approved, the employee will use a standardized script to communicate the purpose for the collection of the personal information, as well as what the personal information will be used for and to which other parties the personal information will be disclosed. The employee will record the date and time that the individual provided express verbal consent. Notwithstanding the above exception, under no circumstances will the Credit Union rely on express verbal consent to send a commercial electronic message (“CEM”). The Credit Union will not rely on implied or deemed consent at any time, even on an exception basis. The Privacy Officer must review and approve all forms used to obtain consent. The Privacy Officer must also review and approve the standardized scripts used to obtain express verbal consent.

Limits on Consents

The Credit Union will not, as a condition of supplying a product or service, require an individual to consent to the collection, use, and/or disclosure of personal information beyond what is required to fulfill explicitly specified and legitimate purposes. Where consent to the collection of additional, non-essential personal information for a product or service is sought from an individual, this will be identified as optional information, and collected only with the express consent of the individual. Where consent to an additional, non-essential use or disclosure of personal information is sought from an individual, this will be identified as an optional collection, use, or disclosure, and will be collected, used, or disclosed only with the express consent of the individual. Refusal to consent to such optional collection, use, and/or disclosure will not influence the individual’s consideration for a product or service. The Privacy Officer will review the personal information requirements of all products or services to ensure that only personal information required for the legitimate purpose is collected, used, and/or disclosed.

Withdrawing Consent

The Credit Union will require a written request from an individual who wants to withdraw consent. The request will be made on a standardized form provided by the Credit Union. The standardized form will include the individual’s acknowledgement that he or she has been advised that the Credit Union may not be able to provide a product or service that the individual requests, now or in the future, as a consequence of the withdrawal. In addition, when an individual makes a request to withdraw consent, the employee processing the request will communicate the consequences of withdrawing consent to ensure that the individual can make an informed decision of whether or not to proceed. The withdrawal of consent is subject to any legal or contractual restrictions. The Credit Union will not allow the individual to withdraw consent if the withdrawal would impede the performance of a legal or contractual obligation.

Limiting Collection of Personal Information

The Credit Union will not collect personal information unless there is a legitimate purpose for the collection. At the time of collection, the Credit Union will specify the information to be collected, limited to what is necessary to fulfill the specified and legitimate purposes in accordance with the Privacy Policies.

Limiting Use, Disclosure, and Retention of Personal Information

Limiting Use of Personal Information

The Credit Union will not use personal information for purposes other than those for which it was collected, except with the express consent of the individual or as required or authorized by law.

Limiting Disclosure of Personal Information

The Credit Union may share personal information with its subsidiaries and other carefully selected organizations with the express consent of the individual or as required or authorized by law. The Credit Union will not disclose personal information except with the express consent of the individual or as required or authorized by law. When disclosing personal information, the Credit Union will take all reasonable steps to protect the privacy of its members and other individuals to ensure that:

• orders or demands comply with the laws under which they were issued;

• only personal information that is required to be disclosed is disclosed, whether to comply with legal requirements or to fulfill contractual obligations (e.g. with a third-party service provider);

• information is only disclosed to the person authorized to receive it; and

• all personal information disclosed to third parties is protected by the same standards of care as personal information held by the Credit Union.

If the Credit Union intends to provide an individual’s personal information to a third party under a legal order or demand, the Credit Union will notify the individual, unless the Credit Union is prohibited from doing so. Notification will be by mailed letter to the address on file.

Limiting Retention of Personal Information

The Credit Union will retain personal information used to make a decision that affects an individual for at least [1] year after using it to make the decision. The Privacy Officer will ensure that minimum and maximum retention periods are reviewed on a regular basis to ensure that they comply with legislative requirements. The Privacy Officer will also ensure that the Credit Union disposes of, destroys, erases, or anonymizes personal information when there is no legal or business reason to retain it to prevent unauthorized parties from gaining access to the information.

Accuracy

The Privacy Officer will ensure that personal information held by the Credit Union is as accurate, complete, and current as necessary to fulfill the purposes for which the information was collected. The Credit Union will update personal information as necessary to fulfill the purposes for which the information was collected and/or at the request of the individual. The Privacy Officer will ensure that personal information held on the Credit Union’s behalf by third parties (e.g., data service providers) is kept accurate, complete, and current.

Safeguards

Credit Union Safeguards

The Credit Union will protect personal information under its control through the combination of physical, electronic, and organizational controls. The Credit Union’s controls will protect personal information against loss or theft, as well as unauthorized access, use, copying, modification, disclosure, or disposal. The Credit Union will protect personal information under its control regardless of the format in which it is held.

Third-Party Safeguards

The Credit Union will require third-party agents, or suppliers of products or services to the Credit Union, to safeguard personal information disclosed to them in a manner consistent with the Privacy Policies. The Credit Union will use contractual or other means to provide a comparable level of protection while the information is being held or processed by a third party. The Credit Union will not enter into any commercial relationships with organizations that do not, or cannot, agree to the Credit Union’s restrictions on the use and disclosure of personal information and any safeguards required by the Credit Union. The Privacy Officer must be satisfied that the personal information is adequately safeguarded by the third party.

Ensuring Adequate Safeguards

The Privacy Officer will

• collaborate with third parties specializing in security safeguards, as required, to ensure the required level of protection;

• conduct regular reviews of organizational and employee practices related to the safeguarding of personal information; and

• periodically remind employees, officers, and directors of the importance of maintaining the security and confidentiality of personal information.

Employees, officers, and directors are each required to commit in writing, on an annual basis, to keeping all personal information held by the Credit Union secure and confidential. This commitment can be included in the Credit Union’s Code of Conduct.

Destruction of Personal Information

When personal information is no longer required for legal or business reasons, the Credit Union will securely dispose of, destroy, erase, or anonymize personal information, as appropriate. The disposal, destruction, or anonymization will prevent unauthorized access, use, and/or disclosure of personal information. The Privacy Officer will periodically review and evaluate the effectiveness of the disposal, destruction, and anonymization methods used by the Credit Union and will provide recommendations for improvement, if required.

Openness

The Credit Union will direct inquiries about the Credit Union’s Privacy Policies and processes to the Privacy Officer. The Credit Union will provide the name and contact information of the Privacy Officer to the individual making the inquiry. When responding to inquiries, the Privacy Officer can provide information that includes the following:

• the means that an individual can use to gain access to the personal information held by the Credit Union;

• a description of the type of personal information held at the Credit Union, including a general explanation of what the personal information is used for; and

• types of personal information made available to other organizations such as affiliates or third-party service providers.

The Privacy Officer will respond to inquiries in a form that is understandable and accessible to accommodate the reasonable needs of the individual making the inquiry.

Individual Access

The Credit Union will provide routine account information, such as copies of recent statements, recent transaction slips, and account agreements, upon request to the individual entitled to receive the information. The Credit Union will charge its standard fee(s), in accordance with its standard fee schedule, for providing the information. The Credit Union will provide non-routine account information after receiving and reviewing a written request (“Access to Information Request”). The individual making the Access to Information Request must provide adequate proof of his or her identity, and sufficient information to allow the Credit Union to locate the requested information. The Credit Union will direct an inquiry about non-routine account information and/or an Access to Information Request to the Privacy Officer. The Privacy Officer will provide assistance to an individual making an Access to Information Request. The Privacy Officer will respond to all Access to Information Requests, including any refusal to provide information in whole or in part. Where the Credit Union provides account information routinely (e.g., account statement) or because of a routine request, and the account information is inaccurate, the individual can provide the correct information and request that the Credit Union correct its records. Such requests can be made orally or in writing. If necessary, the Credit Union will refer the request to the Privacy Officer. Where the Credit Union provides account information because of an Access to Information Request, and the account information is inaccurate, the individual can request that the information be corrected by making a written request (a “Correction of Information Request”). A Correction of Information Request will be reviewed by the Privacy Officer.

Restricting Access

The Credit Union will provide information under an Access to Information Request subject to the restrictions set out in this section and under Privacy Legislation. The Credit Union will not disclose information that it is prohibited from disclosing and that is not required to be disclosed, including information that:

• contains the personal information of another individual who has not consented to such disclosure of his or her personal information;

• could threaten the safety or health of either the requesting individual or a third party;

• would reveal personal information about another individual;

• would threaten the life or security of another individual;

• cannot be disclosed for legal, security, or commercial proprietary reasons; or

• is subject to solicitor-client or litigation privilege.

However, if the Credit Union is able to sever information that it is prohibited from disclosing and that is not required to be disclosed from its response to the requesting individual, it will do so. If the Credit Union refuses a request for access to personal information in whole or in part, the Credit Union’s response to the Access to Information Request will provide the reasons for refusal and provide the name, position/title, address, and telephone number of an officer of the Credit Union who can answer the individual’s questions about the refusal. The Credit Union may refuse to confirm or deny the existence of personal information collected as part of an investigation. The Privacy Officer will review any situations where the Credit Union refuses to disclose the requested information in whole or in part due to the reasons set out above, and can consult with the Corporate Solicitor as needed.

Response Time

The Privacy Officer will respond to an Access to Information Request within 30 days. If additional time is required to provide the requested information, the Privacy Officer may extend the time to respond by up to an additional 30 days, subject to providing a written notice containing the required information to the individual who made the Access to Information Request. If an extension of more than 30 days is required, the Privacy Officer will consult with their supervisor before making an application for approval to the Privacy Commissioner. The Credit Union will correct inaccurate account information as soon as is reasonable after being notified, whether notification is through a Correction of Information Request or otherwise.

Cost of Response

The Credit Union will charge a minimal fee in accordance with its access to information fee schedule for providing information under an Access to Information Request. The Credit Union will provide an estimate of the fee to the individual making the Access to Information Request. The Credit Union will not proceed with processing the Access to Information Request unless the individual agrees to the fee estimate. The Credit Union may require a deposit for all or part of the fee. The Credit Union will not charge for correcting information, whether a Correction of Information Request is received or not.

Challenging Compliance

Any individual can challenge the Credit Union’s compliance with the Privacy Policies and Privacy Legislation. The Credit Union will, on request, inform the individual of its complaint process, which will be accessible and simple to use. All inquiries and complaints regarding the Privacy Policies and any privacy-related matters will be referred to the Privacy Officer who is responsible for investigating the inquiry or complaint and responding to the individual. The Credit Union will accept inquiries verbally or in writing. Complaints, however, will be accepted in writing only.

Inquiry and Complaint Handling Process

The Privacy Officer is responsible for maintaining and reviewing, from time to time, documented processes for responding to all privacy-related inquiries and complaints. The Privacy Officer will acknowledge the individual’s inquiry or complaint as soon as reasonably possible, and provide an estimated time for a more detailed response, if required.

Justified Complaints

If a complaint is found to be justified, the Privacy Officer is responsible for taking appropriate measures, including:

• providing a written response to the complainant within the estimated time;

• correcting incorrect personal information, if any;

• revising the Privacy Policies and related processes, if required;

• including a detailed description of the matter and the resolution in the Privacy Officer’s annual report.

Questions?

Members and other individuals may direct any inquiries or complaints regarding their personal information to the Credit Union's Privacy Officer. Contact information will be available by inquiring in person at our office, by telephone at 1-866-442-5511, or by email at privacy@gfdscu.com.

Complaint Process

The Credit Union will, on request, inform members and other individuals of its complaint procedures, which will be accessible and simple to use.

The Credit Union will ensure that inquiries, concerns, and complaints regarding personal information receive prompt attention and are resolved in a timely manner.

Where appropriate, members and other individuals will be informed of their right to file a complaint with the BC Privacy Commissioner and will be provided contact information.