Privacy Policy

THE CAMPUS TRUST
PRIVACY POLICY


The following summarizes the policy and procedures, effective January 1, 2004, of the Board of Trustees and, therefrom, those persons or organizations serving the Board, for the collection, use, storage and disclosure of personal information.

The records of the Trust include details that are deemed personal in nature (over and above a person’s name, business address and telephone number) such as the Member’s age, marital status, social insurance number, the identity and dates of birth for the spouse and dependent children.  These details may be augmented with medical/dental records, and other employment related details, as well as benefit entitlements and payments.  None of that information has been gathered, previously, unless it was germane to the plan’s operation.  The same principle will continue to apply.

Limiting Use, Disclosure, Retention Of Information And Safeguards

Access to personal information is, and will continue to be, limited to only those people who have a need to know.  It is filed electronically, with access limitations related to the specific activities of the administrative staff within Student Benefits Administrators Inc. (“the Administrator”).  Hard-copy information is either destroyed after it is recreated in electronic form, or it is kept in locked files to which only authorized staff members have access.  There is a limited number of instances wherein the personal information, held in the files, is disclosed to third parties.  The most prevalent, of those, involves medical practitioners concerned with the process of claims adjudication.  They are bound by their professional standards.  Otherwise, there may be third parties who determine reserve requirements and other projected costs, lawyers who perform family and estate settlements, and auditors who assess recording-accuracy.  In each of those cases, we require formal commitments of confidentiality.

Except for the revocation of a Member’s consent (to hold and use personal information) there are long-term requirements for the retention of personal information.  As a rule of thumb, records should be held for at least seven years (or a shorter period of time, if reasonable) after the Member’s termination from the plan.  In the latter case, files are purged, periodically, and destroyed.  Electronic destruction is performed by the IT staff of the Administrator.  Hard-copy files are shredded, on site, by reputable contractors, who certify the completion of each job. 

Security

With the few exceptions (noted above) where hard-copy files are kept, the personal information held by the Administrator is stored on an IBM i5 520 Midrange System. It is downloaded, to the microcomputers of the staff members with clearance to do so.  Both facilities are protected by encryption, firewalls, anti-virus programs, and physical intrusion detection that are regularly upgraded.

All databanks and systems are duplicated, for disaster-recovery purposes, at an IBM facility.  

Physical admittance to the IT department of the Administrator has always been controlled with locks and select access codes.  Only a limited number of staff members may enter those premises without close supervision.

A complaint related to personal information, may be addressed to the Administrator's Privacy Officer.  If further action is required, a Member may contact the Office of the Privacy Commissioner of Canada or an applicable Provincial Commissioner.