
FSTCCS Inc. Privacy Policy  

Procedure

 
To better implement the Privacy Policy, FST follows the procedures stated below, along with other considerations defined under other Information Security Policies and Procedures:


1. Access Control Lists (ACL) should be developed, maintained, and reviewed on a regular basis.


2. Information should be clearly marked with the following identifiers at minimum, before publishing, distribution, or storage of the information:

  a. Document Name,
  b. Owner(s) name or Author(s) name,
  c. Information Classification,
  d. Audience classification or name,
  e. Revision dates.

3. All information marked as ‘Confidential’ or ‘Restricted’ should be stored in a secure location. If printed, it should be stored in locked cabinets clearly marked as Confidential. In the case of electronic information, files should be stored on restricted file servers with limited access and appropriate encryption applied to the files and systems.


4. In the case of a privacy breach, the Privacy Officer and other concerned parties should be advised so that the necessary preventive measures can be initiated in a systematic order, in accordance with the Security Incident Handling Policies and Procedures.


5. In the case of concerns or questions about personal information handling, the Office of the Privacy Officer/Ombudsman should be reached in writing or by phone. The Privacy Officer may require more information based on the nature of the concern or request. Contact information for the Privacy Officer/Ombudsman is defined in Appendix A of this document.


PIPEDA Fair Principles


The PIPEDA fair principles are a set of policy guidelines for FST, and its operating subsidiaries, to follow when handling personal information. Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form: age, name, ID numbers (SIN), income, ethnic origin, or blood type; opinions, evaluations, comments, social status, or disciplinary actions; and employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services, or to change jobs).


These guidelines are in place to give individuals control over how their information is handled by private sector organizations. To uphold these principles, the Company is responsible for taking specific steps to always ensure the protection and proper handling of personal information, throughout the organization and in dealings with third parties. In addition to the requirements of the PIPEDA fair principles, the Privacy Act contains an overriding obligation that any collection, use or disclosure of personal information must only be for purposes that would reasonably be considered appropriate in the circumstances. This overarching standard of appropriateness of purposes continues to apply, independently of any guidelines within the PIPEDA fair principles. This policy sets out the organization's responsibilities, and guidance on how to fulfill them, for each of the 10 PIPEDA fair principles.


For transparency, FST will provide information about our information management practices on Company websites. Online privacy disclosures should be supplemented by other types of privacy disclosures (just-in-time notifications) and should provide explanations at key points in the user experience.


Company employees must follow the code of the 10 fair principles. The code was developed by business, consumers, academics, and government under the oversight of the Canadian Standards Association. The code addresses requirements in the following areas as they relate to personal information handling:


1. Accountability

2. Identifying purpose

3. Consent

4. Limiting collection

5. Limiting use, disclosure, and retention

6. Accuracy

7. Safeguards

8. Openness

9. Individual Access

10. Challenging compliance



Everyone is responsible for Compliance to Privacy.

The daily responsibility for compliance with PIPEDA rests with every lawyer, agent, customer service representative, manager, leader, or other employee of FST. It is imperative that employees understand and strictly follow the procedures established to uphold the requirements.

Whenever unsure of how to manage a procedure or respond to a client, consumer or partner inquiry, contact clientservices@fstccs.com. If an event occurs that is against PIPEDA, report it per the Compliance Incident Policy. Making the wrong decision, whether intentional or not, can pose risk to the Company and/or result in disciplinary actions.


Employee Acknowledgement

Every employee will be provided access to and training on the PIPEDA Fair Principles Policy. Each employee will receive training during new employee onboarding or as in-role training, annually, or if a significant change occurs.


Questions

If employees have questions concerning the Policy or its associated procedures, employees are encouraged to contact their manager or the Corporate Compliance team at clientservices@fstccs.com for support.


Privacy Program Requirements 

10 Fair Principles - Be Accountable

The company will:


1. Comply with all of the 10 PIPEDA fair principles of Privacy Act Schedule 1.

2. The Compliance leader is accountable for ensuring that Sr. Management and employees are aware of and uphold their teams’ responsibilities.

3. Protect all personal information held by FST or transferred to a third party for processing.

4. Ensure functional teams develop and implement personal information procedures and practices in support of the Policy.

5. Compliance will routinely monitor operational procedures for adherence to the rules and requirements set out within this Policy.

6. Procedures and practices, including new initiatives, should use the following checklist to facilitate meeting fair information practices:

• What information do we collect and is it sensitive?

• Why do we collect it?

• How do we collect it?

• What do we use it for?

• Where do we keep it?

• How is it secured?

• Who has access to or uses it?

• To whom is it disclosed?

• When is it disposed of?


Functional teams will document and implement procedures to protect personal information:


1. Define the purpose of its collection - staff must be able to explain to consumers specifically why their information is required.

2. Obtain consent - create scripts to obtain, and controls to monitor obtaining, expressed or implied consent.

3. Limit its collection, use and disclosure - only collect the minimum amount of information needed to perform the business activity.

4. Ensure the information is correct, complete, and accurate - have QA procedures and logs that track information collection or changes.

5. Develop adequate security measures (systems and behaviors) - limit access to sensitive information: access should be defined by roles and monitored through system security procedures.

6. Develop a retention and destruction procedure with a timetable - understand and uphold the rules regarding how long information must be retained and create an information management program to support the rules.

7. Develop and implement procedures to respond to requests, inquiries, and complaints - understand the timeline rules related to requests and complaints.

8. Conduct risk assessments - work with Compliance and IT to have new processes, or changes to processes, evaluated for Company risk.

9. Develop, document, and implement appropriate service provider management procedures - ensure Vendors follow the Vendor Management Policy, and that only required personal information is sent, received, or stored.

10. Develop, document, and deliver appropriate procedural training for employees - institute routine training and reward compliant behavior.

Compliance will regularly monitor privacy management procedures and make recommendations to address any shortcomings.


Identifying Purpose

FST must identify the reason for collecting personal information before the time of collection, and ensure that these purposes are limited to required use. Define the purposes for collecting data as clearly and narrowly as possible so the individual can understand how the information will be used or disclosed, for example, verifying creditworthiness or opening an account. Establish and validate why the information is needed and how it will be used through the operational workflow.

Document, in Procedure format, how and why the information is collected, clearly stating from whom the information is collected and why it is needed.

Routinely review Procedures to identify any new purpose for the information and obtain the individual’s consent, either orally or in writing, for these purposes before using the information. Record all obtained consent for reference in case an individual or partner requests an account of such information.


Obtain valid, informed consent.

 
Company processes must demonstrate obtaining informed consent from the individual whose personal information is collected, used, or disclosed. Consent can be obtained in person, by phone, by mail, or online.

Consent is only considered valid if it is reasonable to expect that the individuals to whom FST activities are directed would understand the nature, purpose, and consequences of the collection, use or disclosure to which they are consenting. Consent is to be obtained before or at the time of collection, as well as when a new use of the personal information is identified.

The Company will ensure adequate and routine training for employees collecting personal information to ensure they are able to answer individuals’ questions about why they are being asked for the information.

For an individual who is a minor, seriously ill or mentally incapacitated, consent may be obtained from a legal guardian, or person having power of attorney. If such a situation arises contact clientservices@fstccs.com for approval to collect. This may result in liability exposure and therefore needs to be carefully managed. Staff will not make the determination without Compliance approval.

 
Express, or opt-in, consent should be used whenever possible and, in all cases, when the personal information is considered sensitive. A convenient procedure will be in place for withdrawing consent, and the opt-out should take effect immediately.

Exceptions:


The Company may collect and retain personal information without the individual’s knowledge or consent only where it is produced by individuals in the course of their employment, business, or profession, if the collection is consistent with the purposes for which the information was produced (e.g., a resume, or family information for health benefits). The Company may use or disclose information without the individual’s knowledge or consent only:

• for a legal or insurance investigation;

• for an emergency that threatens an individual;

• for statistical or scholarly study or research;

• if it is publicly available as specified in the regulations; and

• to collect a debt the individual owes to the Company.


If any of these exceptional situations arise, Compliance must be notified immediately via email to clientservices@fstccs.com. The situation will be reviewed, assessed, and tracked by the Compliance Leader.


Functional teams will engage Compliance in advance of any response, commitments, collection, or disclosure of information. Other stakeholders like Legal will be engaged as required by Compliance.


Any employee who behaves in conflict with these guidelines may face disciplinary action.


Limit Collection

Company processes must demonstrate that the collection of information is limited to only the essential information directly required by, and related to, the associated business activity.


a) Use of Social Insurance Numbers

The Office of the Privacy Commissioner of Canada has long held the position that the Social Insurance Number (SIN) should not be used as a general identifier. As a rule, FST Companies will not collect SINs as a general identifier.

The Human Resources function is authorized to collect SINs from employees in order to provide them with records of employment and T-4 slips for income tax and Canada Pension Plan (CPP) purposes. Any exceptions require approval from Compliance.


b) Collection of Driver’s Licence Numbers


Due to the sensitive nature of this information, if a functional team is contemplating collecting it, a risk assessment should be performed weighing the benefits of collecting and retaining driver’s licence information against the security risks posed. The laws in Ontario, Alberta, British Columbia, and Quebec require:


1. Telling consumers why the Company is collecting the information, and then asking for the least amount needed to meet our purposes.

2. Protecting personal information in our environment.

3. If a driver’s licence is recorded, copied, or scanned, limiting its use strictly to meeting business needs. This can be accomplished by removing or not capturing unnecessary details such as photograph, height, and weight.

4. The ability to demonstrate how the Company protects personal information in our custody or under our control by making reasonable security arrangements against risks such as unauthorized access, collection, use, disclosure, copying, modification, disposal, or destruction.


c) Photo Identification

Having customers show proof of identity by presenting a driver’s licence or other photo identification is acceptable. The Company must limit the collection of personal information to the examination of the identification only, and must not record personal information from the identification offered, including driver’s licence numbers or addresses.


d) Recording Customer Telephone Calls

The Company’s and third parties’ requirement to comply applies to calls initiated by the customer and calls initiated by the organization. The Company and third parties should also be aware that a recording may collect personal information other than the content of the call; for example, a recording will capture the caller's tone of voice, which could be used for other purposes such as a legal proceeding. Procedures must be in place to support the following:

• Only recording calls for specified purposes.

• The purposes must meet the reasonable person test.

• Functional teams must inform the individual that the call may be recorded and must ensure that the individual is advised of the purposes for which the information will be used.

• The recording may only take place with the individual’s explicit consent.

• Consent is not required for calls made to collect a debt, since knowing that a call may be recorded could potentially hamper the organization’s ability to obtain accurate information.

• The information collected must only be used for the specified purposes.


Requirements for recording conversations:


1. The individual must be informed that the conversation is being recorded at the beginning of the call. This can be done by an automated recording or by the customer service representative.

2. The individual must be advised of the purposes. The individual must be clear about the purposes; it should not be stated that FST or a third party is recording the conversation for quality assurance purposes if, in fact, the recording will be used for other purposes. Informing the individual of the purposes can be done in a variety of ways: verbally, by pressing a number on the keypad (in the case of automated messages), or with clear messages on monthly statements. (For example: If you have any questions about your bill, please call 1-800-790-3141. Please note your call will be recorded for...) If the individual proceeds knowing the conversation is being recorded and the purpose of the recording, consent is implied.

3. If the caller objects to the recording, Functional teams will provide the caller with meaningful alternatives. The alternatives might involve not taping the call; visiting an office location; writing a letter; or conducting the transaction over the Internet.


e) Privacy Emergency

There are special provisions in place for the sharing of personal information in the event of an emergency. Functional teams will engage Compliance immediately for support in handling the emergency at clientservices@fstccs.com.


Limiting Use, Disclosure and Retention

Use or disclose personal information only for the purpose for which it was collected.

Keep personal information only as long as necessary to satisfy its purpose. Generally, the length of retention will be the length of a contract or other transaction decision. Purpose and term may also be defined by client or partner requirements. The Company will have guidelines in place for retaining and destroying personal information. Establish a retention schedule that includes conducting regular reviews of data to determine whether information is still required. Destroy, erase, or render anonymous information that is no longer required for an identified or legal purpose. Generally, it is less onerous and complicated to destroy or erase information than to make it anonymous.

Be Accurate

It is the Company’s responsibility to minimize the possibility of using incorrect information, when using it for business decisions about the individual or when disclosing the information to a third party. Procedures must be in place to record the date when the personal information was obtained or updated. Documentation and procedures should also address steps to verify accuracy, completeness, and timeliness of the information. This may include steps of reviewing the records or communicating with the consumer for verification.

Use Appropriate Safeguards

The Company must protect personal information against loss or theft, safeguarding the information from unauthorized access, disclosure, copying, use or modification. Consider the following factors when developing safeguards:

• Sensitivity of the information

• Amount of the information (number of records)

• Extent of distribution (number of receivers, internal or external)

• Format of the information (paper or electronic-via email)

• Type of storage (lockable filing cabinets, or secure, limited access electronic)

Refer to the IT Data Security Policy for details of the measures in place to protect and review personal information.

Requirements:

1. Remove personal information (name, address, credit information…) when sharing or reporting information.

2. Individuals’ information should only be processed and saved in protected applications.

3. Do not retain files with individuals’ information on computer desktops or local folders.

4. Do not circulate personal information via email (body or attachment).

5. Use secure file transfer to share information.


Be Open


The Company will communicate transparently with clients, partners, consumers and employees regarding policies and procedures in place for managing personal information. The location of policies and procedures will regularly be communicated and made accessible to employees. Information about these policies and procedures should be made available in person, in writing, or on the FST intranet web site. Always confirm you are referencing the most current version of a policy or procedure by contacting the process owner of the document, as listed on the title page.

If a client, partner, or consumer asks for a copy of the Company’s policies or procedures, contact Compliance for support before providing any documents to external parties. Compliance will need to assess and track these types of requests; submit them to clientservices@fstccs.com.


Employees should have a clear understanding of:

• Contact information for the Compliance team, which is accountable for the PIPEDA Fair Principles Policy.

• Procedures for system access requests/approval.

• How an individual/consumer can gain access to his or her personal information (e.g., print and mail account information, or extract and email it).

• How an individual can complain to the organization.

• The location of information related to the Company’s policies, standards, or codes (e.g., web site or brochures).

• A list and description of any personal information that is made available to any third parties or subsidiaries, and why it is disclosed.


Giving Consumers Access to Information


Individuals have a right to access the personal information that an organization holds about them. Employees must be able to explain to an individual what information the organization has about them and how it is used, including use by third parties. Procedures must be in place to record, correct or amend any personal information if its accuracy and completeness is challenged and found to be deficient.

Requirements:

1. The Company is to respond to information requests as quickly as possible, without any monetary charge, and no later than 30 days after receipt of the request.

2. Requests for information must be recorded by voice or email.

3. If, for any reason, a functional team cannot respond, or fails to respond within 30 days, contact Compliance for support on how to address the procedure failure. Operations will assess and determine the best way forward.

4. Do NOT reveal personal information about another individual.

5. Any request by an individual to restrict information sharing about their file with a government body or Legal representative must be escalated to Compliance at clientservices@fstccs.com.

6. Any request by a Legal representative or Government body to access an individual’s information must be escalated to Compliance at clientservices@fstccs.com. Functional teams must not make the decision whether to disclose information in response to any third-party request.

Complaint Handling


Managing complaints well is important to ensure consistency in applying the Privacy Act, and handling a complaint fairly and appropriately may help to preserve or restore the individual’s confidence in the Company. Teams must ensure there are procedures in place and that front-line employees are trained to answer questions and respond to complaints.


Requirements:

1. All complaints will be investigated and documented.

2. Record all decisions to ensure consistency in applying the Act.

3. Record the date a complaint is received and the nature of the complaint (e.g., delays in responding to a request, incomplete or inaccurate responses, or improper collection, use, disclosure, or retention).

4. Acknowledge receipt of the complaint promptly.

5. Contact the individual to clarify the complaint, if necessary.

6. Assign the matter to a person with the skills necessary to review it fairly and impartially and provide that individual with access to all relevant records, employees or others who handled the personal information or access request.

7. Notify individuals of the outcome of investigations clearly and promptly, informing them of any relevant steps taken.

8. Correct any inaccurate personal information or modify procedures based on the outcome of the complaint and ensure that employees in the Company are aware of any changes to these procedures.


Employees must notify their manager or Human Resources of a privacy complaint and, if there is a privacy information incident, report it to Compliance within 24 hours. Refer to the Compliance Incident Policy and Report Form.

The Company will investigate all complaints. If we find that a complaint is justified, we will take appropriate measures, including, if necessary, amending our policies and practices. If any client or consumer is not satisfied with the way the Company has responded to a complaint, the complainant may wish to contact the Office of the Privacy Commissioner of Canada: Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau, Quebec K1A 1H3, www.priv.gc.ca


Transferring Information to Third Parties

When transferring personal information to third parties, FST contracts should ensure the Vendor:

1. Names a person to handle all privacy aspects of the contract.

2. Limits use of the information to the purposes specified to fulfil the contract.

3. Limits disclosure of the information to what is authorized by FST or as required by law.

4. Refers people looking for access to their information to FST.

5. Returns or provides proof of disposal of the transferred information upon completion of the contract.

6. Allows FST to audit their compliance with the contract’s terms, as necessary.

7. Records any updates, corrections or changes to personal information and provides them to all Third Parties.

Training and Education

The Company will have mandatory Compliance training for all staff in positions which handle private information or associated processes. New appointments to these positions will be required to take training as part of assuming those duties. Incumbent managers and employees will be required to renew their training annually or more frequently, depending upon the risks associated with the position.

Management should play an active role in delivering compliance messages to employees and reinforcing their support for the program requirements.

Functional teams will train employees on the compliant procedures required to support daily in-role duties, supporting PIPEDA requirements.

Monitoring and Reporting Compliance


Monitoring

Compliance will routinely review procedures to ensure their implementation is effective. Compliance will review procedures to verify and document whether any compromises of the Act or high-risk conduct have occurred. Compliance will also document any recommended procedure improvement opportunities. If necessary, Corporate Compliance will perform a detailed investigation of the compliance issues raised and take all necessary steps to stop ongoing contraventions and prevent future ones. New training requirements may be identified and incorporated as a result of information obtained through the monitoring structure.

Reporting

Compliance will continue to report on all areas of business activities or events that require visibility. The findings of any compliance audits will be documented and shared. Compliance encourages all employees to speak out on any act an employee believes contravenes the Act. Compliance incidents related to PIPEDA will be documented and reported quarterly to the Board of Directors’ Risk Committee.

Disciplinary Procedures

The FST leadership team is committed to upholding Company compliance to PIPEDA and other related standards, regulations, or laws. Any employee or manager who fails to comply with the compliance program may face disciplinary actions, suspension, demotion, dismissal, or legal action. A manager may also face disciplinary actions if he or she fails to take reasonable steps to prevent misconduct as set out within policies and procedures.

Incentives for Compliance

To foster a culture of transparency, integrity and performance, recognition of employees by peers, managers, or customers for performing work with an exceptional level of knowledge and understanding related to compliance elements will contribute to their performance evaluation and to their qualification for promotions and/or bonuses.
