Your Privacy is Important to Us
We are committed to protecting your privacy and safeguarding your personal and financial information. While the Internet is revolutionizing the way that we do business — providing convenient access to financial services from your home or office — we also recognize that it may bring legitimate concerns about privacy and security.
Privacy Code Expand/Collapse
Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve the quality of the protection of privacy rights and the individual’s right to control the use and exchange of personal information.
The credit union is a member-owned and controlled financial institution and, as such, has an inherent responsibility to be open and accessible while, at the same time, demonstrating the greatest respect for protection of the member’s personal privacy.
Credit unions that also serve non-members shall ensure the same standards of protection are applied to these individuals as to members.
In adopting this Credit Union Code for the Protection of Personal Information, what has been accepted practice becomes a documented commitment to the member.
2 Purpose of This Document
The Credit Union Code for the Protection of Personal Information (the Code), modeled after the ten principles of the Canadian Standards Association’s (CSA) Model Code for the Protection of Personal Information, forms the basis for privacy compliance and reflects credit union limitations and differences. The Code is a model that individual credit unions, provincial Centrals and affiliated organizations can adopt and tailor further to their specific needs.
It should be noted that Credit Union Central of Canada has created this document based on the interpretation of the Personal Information Protection and Electronic Documents Act (PIPED Act). Credit unions must ensure the statements included here do not conflict or contravene any existing or proposed provincial legislation or regulations.
The following definitions apply in this Code:
The act of gathering, acquiring, or obtaining personal information from any source, including Third Parties, by any means.
Voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the credit union seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the member.
Making personal information available to others outside the credit union.
The person who is a member and owner of the credit union. This Code applies equally to the collection, use or disclosure of personal information about members and non-members. Where the term ‘member’ is used, its intent is also to include non-members.
A term used in the Code that includes business corporations, partnerships, professional practices, persons, government bodies, institutions, associations, charitable organizations, clubs, unions, or any other form of organization.
Any information that is about or can be linked to an identifiable individual, but does not include the name, title or business address or telephone number of an employee or organization.
The person within the credit union who is responsible for overseeing the collection, use, disclosure and protection of the members’ personal information, and the credit union’s day-to-day compliance with the Code.
A company or organization wholly-owned or controlled by the credit union.
Any person or organization other than the credit union or the member.
Refers to the treatment and handling of personal information within the credit union.
4 The Code Principles
Ten interrelated principles form the basis of the Credit Union Code for the Protection of Personal Information (the Code). Each principle must be read in conjunction with the accompanying commentary.
1. Accountability – The credit union is responsible for personal information under its control and shall designate a Privacy Officer who is accountable for the credit union’s compliance with the principles of the Code.
2. Identifying Purposes – The purposes for which personal information is collected shall be identified by the credit union at or before the time the information is collected.
3. Consent – The knowledge and consent of the member are required for the collection, use and disclosure of personal information, except in specific circumstances as described within this Code.
4. Limiting Collection – The collection of personal information shall be limited to that which is necessary for the purposes identified by the credit union. Information shall be collected by fair and lawful means.
5. Limiting Use, Disclosure and Retention – Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the member or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
6. Accuracy – Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
7. Safeguards – Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
8. Openness – The credit union shall make readily available to members specific, understandable information about its policies and practices relating to the management of personal information.
9. Individual Access – Upon request, a member shall be informed of the existence, use, and disclosure of their personal information, and shall be given access to that information. A member is entitled to question the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance – A member shall be able to question compliance with the above principles to the Privacy Officer accountable for the credit union’s compliance. The credit union shall have policies and procedures to respond to the member’s questions and concerns.
4.1 Principle 1 - Accountability
The credit union is responsible for personal information under its control and shall designate a Privacy Officer who is accountable for the credit union’s compliance with the principles of the Code.
4.1.1 Ultimate accountability for the credit union’s compliance with the principles rests with the Credit Union Board of Directors, who delegate day-to-day accountability to a Privacy Officer. Other individuals within the credit union may be accountable for the day-to-day collection and processing of personal information, or to act on behalf of the Privacy Officer.
4.1.2 The credit union shall identify internally and to its members the Privacy Officer who is responsible for the day-to-day compliance with the principles.
4.1.3 The credit union is responsible for personal information in its control. The credit union shall use contractual or other means to provide a comparable level of protection while the information is being processed by a Third Party.
4.1.4 The credit union shall implement policies and procedures to give effect to the principles, including:
(a) Procedures to protect personal information;
(b) Procedures to receive and respond to concerns and inquiries;
(c) Training staff to understand and follow the credit union’s policies and procedures; and
(d) Annual review of the effectiveness of the policies and procedures to ensure compliance with the Code and consideration of any revisions as deemed appropriate.
4.2 Principle 2 - Identifying Purposes
The purposes for which personal information is collected shall be identified by the credit union at or before the time the information is collected.
4.2.1 The credit union shall document the purposes for which personal information is collected prior to the information being collected.
4.2.2 The credit union shall make reasonable efforts to ensure that the member is aware of the purposes for which personal information is collected, including any disclosures to Third Parties.
4.2.3 Identifying the purposes for which personal information is being collected at or before the time of collection also defines the information needed to fulfill these purposes.
The credit union shall collect personal information for the following purposes:
· To understand the member’s needs;
· To determine the suitability of the products or services for the member or the eligibility of the member for products and services;
· To develop, offer and manage products and services that meet the member’s needs;
· To provide ongoing service;
· To detect and prevent fraud, and to help safeguard the financial interests of the credit union and its members;
· To meet legal and regulatory requirements; and
· To meet personnel requirements.
4.2.4 The identified purposes should be specific to the member from whom the personal information is being collected. This can be done orally, electronically or in writing. An application form with the purposes highlighted, for example, may give notice of the purposes.
4.2.5 When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purposes is required by law, the consent of the member is required before information can be used for that purpose.
4.3 Principle 3 - Consent
The knowledge and consent of the member is required for the collection, use or disclosure of personal information, except in specific circumstances as described within this Code.
Note: In certain circumstances personal information may be collected, used, or disclosed without the knowledge or consent of the member. These circumstances include:
· Where clearly in the interests of the member and consent cannot be obtained in a timely way;
· To avoid compromising information availability or accuracy and if reasonable to investigate a breach of an agreement or a contravention o f the laws of Canada or a province;
· Where the information is considered by law to be publicly available;
· To act in respect of an emergency that threatens the life, health of security of an individual;
· To investigate an offence under the laws of Canada, a threat to Canada’s security, to comply with a subpoena, warrant or court order, or rules of court relating to the production of records, or otherwise as required by law.
4.3.1 Consent is required for the collection of personal information and the subsequent use or disclosure of this information. In certain circumstances, consent may be sought after the information has been collected but before use (for example, when existing information is to be used for a purpose not previously identified).
The credit union may be required to collect, use or disclose personal information without the member’s consent for certain purposes, including for the collection of overdue accounts, legal or security reasons.
4.3.2 The principle requires “knowledge and consent”. The credit union shall make a reasonable effort to ensure that the member is aware of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the member can reasonably understand how the information will be used or disclosed.
4.3.3 The credit union shall not, as a condition of the supply of a product or service, require a member to consent to the collection, use, or disclosure of information beyond that required to fulfill explicitly specified and legitimate purposes.
4.3.4 In determining the form of consent to use, the credit union shall take into account the sensitivity of the information. Although some information (for example, medical and financial records) is almost always considered to be sensitive, any information can be sensitive, depending on the context.
4.3.5 In obtaining consent, the reasonably expectations of the member are also relevant.
For example, a member should reasonable expect the credit union to periodically supply information on credit union developments, products and services, and to provide ongoing services. Similarly, further consent will not be required when personal information is transferred to agents of the credit union to carry out functions such as data processing. In this case, the credit union can assume that the member’s request constitutes consent for specifically related purposes.
On the other hand, a member would not reasonably expect that personal information given to a credit union would be given to a Third Party company selling insurance products, unless consent was obtained.
Consent will not be obtained through deception.
4.3.6 The way in which a credit union seeks consent may vary, depending on the circumstances and the type of information collected. A credit union will seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive.
Members can give consent:
(a) In writing, such as when completing and signing an application;
(b) Through inaction, such as failing to check a box indicating that they do not wish their names and addresses to be used for optional purposes;
(c) Orally, such as when information is collected over the telephone or in person;
(d) At the time they use a product or service; and
(e) Through an authorized representative (such as a legal guardian or a person having power of attorney).
4.3.7 A member may withdraw consent at any time, subject to legal or contractual restrictions, provided that:
(a) Reasonable notice of withdrawal of consent is given to the credit union;
(b) Consent does not relate to a credit product requiring the collection and reporting of information after credit has been granted; and
(c) The withdrawal of consent is in writing and includes understanding by the member that the credit union may subsequently not be able to provide the member with a related product, service or information of value.
The credit union shall inform the member of the implications of such withdrawal.
4.4 Principle 4 - Limiting Collection
The collection of personal information will be limited to that which is necessary for the purposes identified by the credit union. Information will be collected by fair and lawful means.
4.4.1 The credit union shall not collect personal information indiscriminately. The credit union shall specify both the amount and the type of information collected, limited to that which is necessary to fulfill the purposes identified, in accordance with the credit union’s policies and procedures.
4.4.2 The credit union shall collect personal information by fair and lawful means, and not by misleading or deceiving members about the purpose for which information is being collected.
4.5 Principle 5 - Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the member or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
4.5.1 When the credit union uses personal information for a new purposes, the purpose shall be documented.
4.5.2 The credit union shall protect the interests of its members by taking reasonable steps to ensure that:
(a) Orders or demands comply with the laws under which they were issued:
(b) Only the personal information that is legally required is disclosed and nothing more;
(c) Casual requests for personal information are denied; and
(d) Personal information disclosed to unrelated Third Party suppliers of services is strictly limited to programs endorsed by the credit union or Canadian Credit Union System.
4.5.3 The member’s health records at the credit union may be used solely for credit application and related insurance purposes. The member’s health records shall not be collected from, or disclosed to, any other organization.
4.5.4 The credit union shall maintain guidelines and procedures with respect to the retention of personal information. These guidelines include minimum and maximum retention periods. Personal information that has been used to make a decision about a member shall be retained long enough to allow the member access to the information after the decision has been made. The credit union may be subject to legislative requirements with respect to retention of records.
4.5.5 Subject to any requirement to retain records, personal information that is no longer required to fulfill the identified purposes shall be destroyed, erased, or made anonymous. The credit union shall develop guidelines and implement procedures to govern the destruction of personal information.
4.6 Principle 6 – Accuracy
Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
4.6.1 The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the uses of the information, taking into account the interest of the member. The credit union relies on the member to keep certain personal information, such as address information, accurate, complete and up-to-date. Information shall be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the member.
4.6.2 The credit union shall not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected.
4.6.3 Personal information that is used on an ongoing basis, including information that is disclosed to
Third Parties, will generally be accurate and up-to-date unless limits to the requirement for accuracy are clearly set out.
4.7 Principle 7 - Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The credit union will apply the same standard of care as it applies to safeguard its own confidential information of a similar nature.
4.7.1 The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, use, copying, modification, disclosure or disposal. The credit union shall protect personal information regardless of the format in which it is held.
4.7.2 The nature of the safeguards will vary depending on the sensitivity, amount, distribution and format of the information, and the method of storage. More sensitive information will be safeguarded by a higher level of protection.
4.7.3 The methods of protection will include:
(a) Physical measures, for example, locked filing cabinets and restricted access to offices;
(b) Organizational measures, for example, controlling entry to data centers and limiting access to information to a “need-to-know” basis;
(c) Technological measures, for example, the use of passwords and encryption; and
(d) Investigative measures, in cases where the credit union has reasonable grounds to believe that personal information is being inappropriately collected, used or disclosed.
4.7.4 The credit union shall periodically remind employees, officers and directors of the importance of maintaining the confidentiality of personal information. Employees, officers and directors are individually required to sign an oath of ethical conduct annually, including a commitment to keep personal information in strict confidence.
4.7.5 Third Parties shall be required to safeguard personal information disclosed to them in a manner consistent with the policies of the credit union. Examples include cheque printing, data processing, credit collection, credit bureaus and card production.
4.7.6 Care should be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.
4.8 Principle 8 – Openness
The credit union will make readily available to members specific, understandable information about its policies and practices relating to the management of personal information.
4.8.1 The credit union shall be open about privacy policies and procedures with respect to the management of personal information and shall make them readily available in a form that is generally understandable.
4.8.2 The information made available shall include:
(a) The name or title, and the address of the Privacy Officer who is accountable for compliance with the credit union’s policies and procedures and to whom inquiries or complaints can be directed;
(b) The means of gaining access to personal information held by the credit union;
(c) A description of the type of personal information held by the credit union including a general account of its uses;
(d) A copy of any brochures or other information that explains the credit union policies, procedures, standards or codes; and
(e) The types of personal information made available to related organizations, such as subsidiaries or other suppliers of services.
4.8.3 The credit union may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, the credit union may choose to make brochures available in its place of business, mail information to its members, provide on-line access, or establish a toll-free telephone number.
4.9 Principle 9 - Individual Access
Upon request, a member shall be informed of the existence, use and disclosure of their personal information, and shall be given access to that information. A member is entitled to question the accuracy and completeness of the information and have it amended as appropriate.
Note: In certain situations, a credit union may not be able to provide access to all the personal information it holds about a member. Exceptions to the access requirement will be limited and specific.
The reasons for denying access include the following:
· providing access would likely reveal personal information about a Third Party unless such information can be severed from the record or the Third Party consents to the disclosure, or the information is needed due to a threat to life, health or security;
· the personal information has been requested by a government institution for the purposes of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out any investigation related to the enforcement of any law, the administration of any law, the protection of national security, the defence of Canada or the conduct of international affairs;
· the information is protected by solicitor-client privilege;
· providing access would reveal confidential commercial information, provided this information cannot be severed from the file containing other information requested by the individual;
· providing access could reasonably be expected to threaten the life or security of another individual, provided this information cannot be severed from the file containing other information requested by the individual;
· the information was collected without the knowledge or consent of the individual for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
· the information was generated in the course of a formal dispute resolution process.
4.9.1 Upon request, the credit union shall inform a member of the existence, use, disclosure, and source of personal information about the member held by the credit union, and shall allow the member access to this information. However, the credit union may choose to make sensitive medical information available through a medical practitioner.
4.9.2 For the credit union to provide an account of the existence, use, and disclosure of personal information held by the credit union, the member may be asked to provide sufficient information to aid in the search. The additional information provided shall only be used for this purpose.
4.9.3 In providing an account of Third Parties to which it has, or may have, disclosed personal information about a member, the credit union will be as specific as possible, including a list of Third Parties.
4.9.4 The credit union shall respond to a member’s request within a reasonable time and at no cost, or reasonable cost, to the member. The requested information shall be provided or made available in a form that is generally understandable. For example, if the credit union uses abbreviations or codes to record information, an explanation will be provided.
4.9.5 When a member successfully demonstrates the inaccuracy or incompleteness of personal information, the credit union shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to Third Parties having access to the information in question.
4.9.6 When a challenge is not resolved to the satisfaction of the member, the substance of the unresolved challenge shall be recorded by the credit union. When appropriate, the existence of the unresolved challenge shall be transmitted to Third Parties having access to the information in question.
4.10 Principle 10 – Challenging Compliance
A member shall be able to question compliance with the above principles to the Privacy Officer accountable for the credit union’s compliance. The credit union shall have policies and procedures to respond to the member’s questions and concerns.
4.10.1 The Privacy Officer accountable for the credit union’s compliance shall be known to staff and identified to the members periodically.
4.10.2 The credit union shall maintain procedures to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaint procedures will be easily accessible and simple to use.
4.10.3 Members who make inquiries or lodge complaints shall be informed by the credit union of the existence of relevant complaint procedures. If a complaint is not satisfactorily resolved with the Privacy Officer in the credit union, it may be taken to the credit union Board of Directors. If not resolved there, procedures shall be in place to refer it to the provincial Central, who will mediate the process, or, refer the matter to Credit Union Central of Canada, to a regulator, or to an independent mediator or arbitrator, as may be appropriate.
4.10.4 The credit union shall investigate all complaints. If a complaint is found to be justified, the credit union shall take appropriate measures, including revision of the personal information and, if necessary, amending the credit union’s policies and practices.
Privacy Online Expand/Collapse
This information page describes in general terms how your personal information is collected and used within the online banking section of our site. The online banking area of the site is the area of our website that requires you to use your Member ID and Personal Access Code (PAC) to enter.
Controlled Access to your Information
To ensure that you are the only person accessing your personal financial information, we restrict access to the online banking section of the site by requiring that you enter your Member ID and PAC to login. Only you know your PAC. Our employees do not have access to your PAC, and they will not ask you to reveal it. If someone does ask you to provide your PAC to them, we ask that you refuse to do so and contact us immediately.
By nature, our Internet banking site has many transactional functions such as transfers between accounts and bill payment functions. These transactions are all logged to ensure that your accounts are debited or credited appropriately, and a history of each transaction is available to verify your account information. We store and use your transactional information in the same fashion as if you performed the transaction at a branch or through any other service channel.
We may also use transactional information for servicing your account — for example, billing you for the particular transactions that you perform, or for the services that you use.
Creating a Secure Channel
We create a secure channel between your browser and our server to protect your information when you use the site. To learn more about how we do this, please review our information on Internet Security.
Website Usage Statistics
To continually improve our site, we often collect statistics about how our members are using it. These usage statistics are only viewed in the aggregate and are not associated with you as an individual. We use this information for purposes such as improving the pages where our members are having difficulties.
The information collected may include your IP address, your browser type and your operating system, as well as data such as the number and types of pages visited, and the length of time spent per page and on the site overall.
We also use a key web technology called cookies. A cookie is a small information token that sits on your computer. As you use this site, cookies are passed back and forth between our server and your browser.
Specifically, we use two kinds of cookies — session cookies and persistent cookies. A session cookie exists only for the length of your browsing session and is deleted when you close your browser. A persistent cookie is a cookie that stays on your computer after you close your browser. A persistent cookie may or may not expire on a given date.
We use a session cookie to maintain the integrity of your online banking session. With each page that you visit, the cookie is passed back and forth between our server and your browser. We use the cookie to distinguish your session from the many others that may be happening at the same time. Our session cookies never store any personal information, such as your name, or date of birth, or financial information, such as your accounts and balances.
Most recent browser versions allow you to set some level of control over which cookies are accepted and how your browser uses them. For example, it may be set to notify you when it is receiving a cookie so that you accept cookies from only known, reliable sites such as this one. If you are concerned about cookies, we encourage you to upgrade your browser to a recent version and review the Help section of your browser to learn more about its specific control features.
Memorized Accounts Feature
We use a persistent cookie to store information to help you personalize the site and to make it easier to use. For example, we allow you to make the login easier by remembering your login information within our Memorized Accounts feature. Since the Memorized Accounts feature is optional, this cookie only contains information that you have entered into it. We never store your Personal Access Code (PAC) in a cookie.
To ensure that no-one else can access your personal information, always use the logout button to end an online banking session. It is located at the top of every page. When you exit using the logout button, we delete your session cookie so that your session cannot be resumed unless your Member ID and PAC are re-entered.
Automatic Session Time-outs
In the event that you leave your computer without logging out, the online banking feature of this site has been designed to end your session automatically if our system detects that you haven't provided any instructions or used the browser buttons to navigate for several minutes. To restart the session, you will need to provide your PAC again.
To communicate with us electronically, we strongly recommend that you use our Contact Us feature. This feature provides a secure channel for sending us comments, questions or instructions.
General email is not secure since it passes through many points on its route from you to us. If you are using general email to communicate with us, we strongly recommend that you do not include personal financial information (such as account numbers) within the email as we cannot guarantee its confidentiality en route to us.
When you email us your comments, questions or instructions, you provide us your email address and we use it to correspond with you. We then store your email and our replies to you in case we correspond further.
Links to Other Sites
Our site may also contain links to other websites or Internet resources. As an example, from time-to-time we may provide links to Microsoft or Netscape to assist you in upgrading your Internet browser. However, we have no control over these other websites or Internet resources and do not control their collection, use and disclosure of your personal information. Always review the Privacy Statements of the sites that you are viewing.
We welcome any questions or concerns about your privacy relating to use of our website. Please use the contact us or contact our Privacy Officer, Bev Beach at (807) 467-4408
As we continue to expand our online banking service to serve you better, and as new Internet technologies become available, we may update the information on this page at any time, to reflect changes.
Privacy Statement Expand/Collapse
Copperfin Credit Union is committed to protecting the personal information of credit union members, employees and other individuals. In order to protect all personal information collected, used or disclosed by Copperfin Credit Union, we have adopted the Credit Union Code for the Protection of Personal Information.
On our Web site, we only collect personal information required to improve the services we offer, to improve our site content and, with your permission, to contact you with information about our services. We will not share any personal information obtained on this Web site with any other organization without your express knowledge and consent.
For more information on our Web site Privacy Statement, please read below.
Information We Collect on our Site
You can visit all public areas of our site without providing any personal information about yourself. Our Web site collects only non-personal information based on a visitor’s Internet Protocol (IP) address (this is not personally identifiable). Information collected includes the date and time of visit, the type of Internet browser used to access the site, the referring address (the link a visitor uses to access the site). This data is used to create statistics on site usage and improve online services.
Copperfin Credit Union’s internal Web site is solely for the use of authorized members of boards, committees, management and staff of the Credit Union. Access requires a special "User Name" and "Password". Personal information that is collected on the internal web site is used solely for security and site management purposes and to facilitate business functions of Copperfin Credit Union.
Will a cookie be set on my computer when I visit this site?
To help us manage our Web site, we set a cookie on your computer that expires when you close your web browser.
If you send us an e-mail, any information provided by you will only be used for the purposes of responding to your inquiry or acting on your request. We will not use your name or e-mail address for any other purposes without additional consent.
Links to other Web sites
Our Web site contains links to other Web sites that are part of, affiliated with, or have a business relationship with Copperfin Credit Union. When you leave our site to visit one of these other sites, the only information transferred to the new site is the fact that you came from the Copperfin Credit Union Web site (the referring address). Transmission of this referring address allows other sites to monitor their own web traffic, but does not disclose any personal information about you.
How do I contact Copperfin Credit Union with Questions or Concerns?
We welcome any questions or concerns about our Internet Privacy Statement, or the practices of this site. Please contact us by e-mail or in writing at the following address:
Copperfin Credit Union
346 Second Street South
Kenora, ON, P9N 1G5
Copperfin Credit Union reserves the right to amend its Credit Union Code for the Protection of Personal Information at any time with or without notice. Please check this page periodically for changes.