Security & Privacy
Security
Your money is secure at Superior Credit Union. Every member of a credit union in Ontario is covered by deposit insurance.
What is DICO?
DICO (Deposit Insurance Corporation of Ontario) is an agency of the Province of Ontario.
What is insured by DICO?
DICO insures all deposits in Canadian currency payable in Canada.
Deposits include:
Maximum Member Coverage
Member deposits are insured to a maximum of:
$100,000 for the combined total of all deposits.
PLUS
$100,000 for deposits in each additional registered savings plan (RRSP, RRIF, RESP).
Separate insurance protection is provided for deposits held in joint accounts, trust accounts and business accounts.
Who pays the cost of deposit insurance?
Superior Credit Union pays premiums to DICO for deposit insurance coverage based on the amount of insured deposits held.
Privacy
Superior Credit Union Privacy Policy
Protection of Personal Information
The following ten interrelated privacy principles are specified in the Personal Information Protection and Electronic Documents Act, and form the basis of the Code:
- Accountability – The credit union is responsible for personal information under its control and shall designate a Privacy Officer who is accountable for the credit union’s compliance with the principles of the Code.
- Identifying Purposes – The purposes for which personal information is collected shall be identified by the credit union at or before the time the information is collected.
- Consent – The knowledge and consent of the member are required for the collection, use and disclosure of personal information, except in specific circumstances as described within this Code.
- Limiting Collection – The collection of personal information shall be limited to that which is necessary for the purposes identified by the credit union. Information shall be collected by fair and lawful means.
- Limiting Use, Disclosure and Retention – Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the member or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
- Accuracy – Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- Safeguards – Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The credit union will apply the same standard of care as it applies to safeguard its own confidential information of a similar nature.
- Openness – The credit union shall make readily available to members specific, understandable information about its policies and practices relating to the management of personal information.
- Individual Access – Upon request, a member shall be informed of the existence, use, and disclosure of their personal information, and shall be given access to that information. A member is entitled to question the accuracy and completeness of the information and have it amended as appropriate on proof of inaccuracy.
- Challenging Compliance – A member shall be able to question compliance with the above principles to the Privacy Officer accountable for the credit union’s compliance. The credit union shall have policies and procedures to respond to the member’s questions and concerns.
Accountability
The credit union Board of Directors is accountable for Superior Credit Union’s compliance with the Code, the creation and review of all Board policies specific to the Code and the designation of a credit union Privacy Officer.
Privacy Officer
The Board of Directors, in consultation with the Chief Executive Officer, will designate a Privacy Officer, who has primary day-to-day responsibility for compliance with the Code. The Board of Directors will notify all employees, and any affected third parties, in writing of the appointment.
Board Reporting and Notification
Quarterly Reporting
The Privacy Officer will continually review compliance within the credit union and its third party suppliers, and will report to the Board of Directors and/or senior management any matters concerning non-compliance with the credit union’s Code principles, policies or procedures that are likely to require input from the Board (e.g., any matter that could result in an investigation or audit by the Office of the Privacy Commissioner).
The Privacy Officer will prepare a Quarterly Report for the Board that identifies key activities (e.g., a review of third party contracts, training initiatives, review of policies and procedures) and recommended changes for Board consideration. The report should also include an overview of the number of enquiries, number of access requests, and details regarding challenges to compliance.
The Board will review the steps taken to address any deficiencies or weakness in compliance.
Annual Reporting
The Privacy Officer will prepare an annual review of the effectiveness of the board policies to ensure compliance with the Code and to recommend any revisions as deemed appropriate. This report is due within four months of the end of each calendar year.
Identifying Purposes
Approval and Documentation of Purposes
The Privacy Officer will document all purposes, including existing and new purposes, for which personal information is collected, used or disclosed. All new purposes must be approved by the Privacy Officer prior to collection of information for the new purpose.
If the proposed purpose is significantly different than existing purposes or involves a new disclosure to a third party, the proposed purpose must be approved by the Board of Directors prior to implementation.
Member Disclosure
The credit union will make reasonable efforts to ensure that members are aware of the purpose for which their personal information is collected, including any disclosure of their personal information to third parties. The primary communication method will be the use of written or electronic statements on applications, forms, contracts and agreements.
Employee Disclosure
The credit union will ensure that all employees are aware of the purposes for which employee information is collected, including any disclosure of their personal information to third parties. This will be communicated verbally and in writing at the commencement of employment.
Consent
Once member consent is obtained, further member consent will not be required when personal information is supplied to agents of the credit union who carry out functions such as data processing, credit bureaus, cheque printing and cheque processing.
Superior’s Privacy Officer must authorize all instances where a member’s information is collected, used or disclosed without the member’s knowledge and consent.
Obtaining Consent
Express consent in writing, through the use of applications, signed forms and contracts, will be used for obtaining consent for the collection, use or disclosure of personal information.
Implied consent will be used for marketing purposes or to disclose nominative information to an affiliated organization. Implied consent must never contravene the “Act”.
The Privacy Officer must review and approve all methods of obtaining consent.
Limits on Consent to Information Collection
Superior will not, as a condition of the supply of a product or service, require a member to consent to the collection, use, or disclosure of information beyond that required to fulfill explicitly specified and legitimate purposes.
Where additional, non-essential information for a product or service is sought from members, this will be identified as optional information, and collected only at the discretion of the member.
Refusal to provide this optional information will not influence the member’s consideration for a product or service.
The Privacy Officer will review the personal information requirements of all products or services to ensure that only information required for the legitimate purpose is collected and used.
Withdrawing Consent
The credit union will obtain a written request (signed and dated) from a member who seeks to withdraw consent. The written request must acknowledge that the member has been advised that the credit union may subsequently not be able to provide the member with a related product, service or information that could be of value to the member.
The withdrawal of consent is subject to any legal or contractual restrictions that the credit union may have with the member or other organizations such as: the Income Tax Act; credit reporting; or to fulfill other fiduciary and legal responsibilities.
Limiting Collection
The credit union will not collect personal information indiscriminately. It will specify both the amount and the type of information collected, limited to that which is necessary to fulfill the purposes identified, in accordance with these policies.
Limiting Use, Disclosure and Retention
Safeguard Standards
The credit union will protect the interests of its members by taking reasonable steps to ensure that:
- orders or demands comply with the laws under which they were issued
- only personal information that is legally required is disclosed
- casual requests for personal information are denied
- all information disclosed to third parties receives the same standards of care as within the credit union (see Protection of Member Information with Third Parties).
The credit union will make reasonable attempts to notify the member that an order has been received, if not contrary to the security of the credit union and if the law allows. Notification may be by telephone, or by letter to the member’s usual address.
Retention & Destruction of Personal Information
The Privacy Officer will ensure that guidelines and procedures with respect to the retention of personal information are maintained within the credit union. These guidelines will include minimum and maximum retention periods and will conform to any legislative requirements. The Privacy Officer will ensure that the credit union has guidelines and procedures to govern the destruction of personal information. Refer to Board & Management Responsibilities, Chapter 7 for policies, and General Administration, “Records Management” for procedures.
Accuracy
The Privacy Officer will ensure the credit union has guidelines and procedures to ensure member and employee data is as accurate, complete and current as necessary. The credit union will not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected.
Safeguards
Credit Union Safeguards
Superior’s security safeguards will protect personal information against loss or theft, as well as unauthorized access, use, copying, modification, disclosure or disposal. Superior will protect personal information regardless of the format in which it is held.
The Privacy Officer will:
- collaborate with third parties specializing in security safeguards, as required, to ensure the required level of protection
- conduct regular reviews of organizational and employee practices related to the safeguarding of personal information
- periodically remind employees, officers and directors of the importance of maintaining the security and confidentiality of personal information.
Employees, officers and directors are individually required to sign a Statement of Ethical Conduct annually. The statement must include a commitment to keep members’ personal information secure and strictly confidential.
Destruction of Personal Information Safeguards
The credit union will dispose of personal information in a secure manner to prevent any unauthorized access. The Privacy Officer will periodically review the disposal and destruction methods used by credit union employees.
Openness
The credit union will make specific and understandable information about its policies and procedures relating to the management of personal information readily available to members.
This information will include the following:
- name or title and address of the Privacy Officer to whom complaints or inquiries can be directed
- the means of gaining access to personal information held by the credit union
- a description of the type of personal information held at the credit union, including a general account of its use
- types of personal information made available to related organizations such as subsidiaries or third party suppliers of services.
The Privacy Officer will review the methods of dissemination, and the form in which the information is presented to ensure that it is easy to locate, understandable and accessible.
Individual Access
All requests for access to personal information must be submitted in writing and include adequate proof of the individual’s identity/right to access, and sufficient information to allow the credit union to locate the requested information.
Restricting Access
Exceptions to the access requirement will be limited and specific and include the following:
- providing access would reveal personal information about a third party
- information protected by solicitor-client privilege
- providing access would reveal confidential commercial information
- providing access might threaten the life or security of another individual
- information generated in the course of a formal dispute resolution process
- personal information to which the member has requested access has been requested by a government institution for law enforcement, or an investigation related to law enforcement
- information collected without knowledge or consent for purposes related to investigating a breach of an agreement or a contravention of Ontario or Canadian law.
The Privacy Officer must be made aware of any situations involving employees, members or other individuals that would result in legal restrictions on access.
Treatment of Opinions and Judgements
The credit union cannot withhold from a member any opinions and judgements formed about the member in determining their eligibility for any products and services. The credit union will provide a member, on written request, access to all information that may have been used in making a determination about a member’s eligibility for a service, other than in the specific restrictions mentioned above.
Response Time
The credit union will respond to a member’s request for information within 30 days. This timeframe can be expanded, but only if required, and on written notification to the member.
Cost of Response
At the Privacy Officer’s discretion, the credit union may impose a fee at a stated and reasonable hourly rate where collection of the requested information requires exceptional time and effort. The member must be informed of, and agree to, an estimate of costs prior to the commencement of the request.
Challenging Compliance
Any individual, not just a member or a credit union employee, can challenge the credit union’s compliance with any of the Code principles. The Privacy Officer will investigate all complaints.
Inquiry & Complaint Handling Process
The Privacy Officer will maintain documented procedures for responding to all questions or concerns.
Inquiries and complaints must be in writing, with a formal process in place to receive and track them. The credit union must respond as quickly as possible within 30 days.
Required Measures for Justified Complaints
The Privacy Officer is responsible for ensuring appropriate measures are taken when a complaint is found to be justified. These measures will include:
- written response to the complainant within 30 days
- revision of the challenged personal information
- revision to policies and procedures, if required
- review of any complaint that requires disciplinary action against a credit union employee with the appropriate manager
- reporting non-compliance to the Board of Directors, including the actions proposed or taken to resolve the issue.
Protection of Member Information with Third Parties
Third Party Accountability
The credit union will use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
Personal information disclosed to unrelated third party suppliers is strictly limited to programs endorsed by the credit union. The Privacy Officer must be satisfied that the personal information is adequately safeguarded by the third party.
Third Party Agents/Suppliers Safeguards
Third party agents or suppliers will be required to safeguard personal information disclosed to them in a manner consistent with the policies of the credit union. Examples include data processors, credit bureaus, cheque printers, and cheque processors.
The credit union will not enter into any commercial relationships with organizations that do not agree to abide by acceptable limitations on information uses and appropriate safeguards.
To Contact Superior Credit Union’s Privacy Officer:
Privacy Officer: Allison Kasper
Email: info@supercu.com
Phone: 624.2252 in Thunder Bay
Toll Free: 1.877.202.5722