private / confidential information protocol and checklist

PERSONAL INFORMATION IS DEFINED AS "INFORMATION ABOUT AN IDENTIFIABLE INDIVIDUAL", INCLUDING BUT NOT LIMITED TO:

(Private Information = "PI")

CONTACT INFORMATION
[ ] Name
[ ] E-mail address
[ ] Mailing address
[ ] Phone/facsimile number
  • An individual's name, whether linked with other PI or in isolation, identifies them as a client and is considered PI

FINANCIAL / BILLING INFORMATION (pertaining to individual or company)
[ ] Financial statements (unless publicly available), projections or interim financial information that is not in the public domain
[ ] Salary or anything pertaining to income
[ ] Credit history/rating/records
[ ] Name of banking institution
[ ] Credit/debit card number/PIN
[ ] Account number/routing number
[ ] Account balance

UNIQUE IDENTIFIERS
[ ] Social insurance number
[ ] Driver's license number
[ ] Digital signature/biometric data
[ ] Passport number

DEMOGRAPHIC INFORMATION
[ ] Age/weight/height
[ ] Gender/sexual preference
[ ] Ethnicity or religion
[ ] Marital status (unless publicly known)

MEDICAL INFORMATION
[ ] Medical history
[ ] Health status/present conditions
[ ] Health insurance provider
[ ] OHIP number/health card number
[ ] Blood type

EMPLOYMENT INFORMATION (unless in the public domain)
[ ] Employment status
[ ] Employer
[ ] Title
[ ] Business contact information

EDUCATION INFORMATION (unless in the public domain)
[ ] Schools attended
[ ] Degrees conferred
[ ] Dates of attendance
[ ] Transcript

LEGAL INFORMATION
[ ] Criminal record
[ ] Current/pending lawsuits
[ ] Views or opinions of a case, or information pertaining to a lawsuit

FAMILY INFORMATION (unless in the public domain)
[ ] Number of children or siblings
[ ] Information regarding spouse/partner
[ ] Mother's maiden name
[ ] Information regarding parents
[ ] Years at current address

OTHER INFORMATION
[ ] Private clubs, interests, charitable associations (unless in the public domain)
[ ] Dialogue/interaction with client/broker (chat rooms, e-mail, bulletin board postings, etc.)

PROTOCOL AROUND PRIVATE AND CONFIDENTIAL INFORMATION

PAPER INFORMATION
[ ] Do not throw PI in the garbage or recycling; ensure that it is shredded
[ ] Do not place PI near garbage or recycling (it may be inadvertently picked up)
[ ] Ensure PI is locked away, out of sight, when unattended
[ ] While in transit, PI is locked away, out of sight, while unattended (e.g., trunk of car, locked filing cabinet or desk when outside of the workplace)

TRANSFER OF PAPER INFORMATION
[ ] In a sealed envelope, marked Private and Confidential, sent by a reputable courier or delivered by staff, with a return address specified
[ ] In a sealed envelope to be picked up by a person who asks for it by the name of the recipient

ELECTRONIC INFORMATION
[ ] Ensure that it is properly protected (e.g., passwords, encryption, firewalls, anti-virus protection)
[ ] Lock laptops away
[ ] Do not allow use of company laptops by household or non-company staff
[ ] Do not save PI on public drives unless password protected
[ ] When scanning, immediately erase the scanned version

TRANSFER OF ELECTRONIC INFORMATION
[ ] Through a direct line that is password protected
[ ] Through e-mail or other internet communication in one of the following circumstances:
  • with the consent of the person to whom the PI relates
  • where the message has identifiers removed
  • when encryption is used
[ ] Through a verified fax number, with a cover sheet identifying the recipient, marked Private and Confidential
[ ] Through a disk, CD or other storage medium that is treated with the same safeguards as a transfer of paper information

GENERAL SAFEGUARDS
[ ] Treat PI with the strictest degree of confidentiality
[ ] Be sensitive in collecting or using personal information verbally where others may overhear
[ ] Ensure that you have appropriate consent for gathering the PI, if needed
[ ] Remove or mask unnecessary PI when providing copies internally or externally
[ ] Recognize and avoid being "pumped" for information (e.g., by the media)
[ ] Provide access to PI only on a need-to-know basis
[ ] Do not access PI that you do not need to know for a business purpose
[ ] Do not discuss PI in public places (e.g., elevator, restaurant, washroom, public transit)
[ ] Report any breach to managers
[ ] Do not keep any PI on your desk or posted where it is visible when unattended
[ ] Do not keep your passwords written down where they can be found
[ ] Remove materials from printers and fax machines in a timely manner
[ ] Log off computers before leaving
[ ] Verify fax numbers prior to use
[ ] Do not leave PI on a computer screen when unattended
[ ] Do not allow office access to non-staff
[ ] Report any unfamiliar individual without a security card

NOTE: PI does not include the name, title, business address or telephone number of an employee of an organization. Although PI pertains to individuals, this protocol should also be exercised with respect to institutional clients, since there are usually confidentiality agreements in place.

Disclaimer: This checklist is provided for illustrative purposes only. It is by no means intended to be relied upon, as it is neither exhaustive nor suitable for all purposes. This checklist should be tailored to applicable privacy legislation and industry needs.
Chubb Insurance Company ©