• Scope and Application
• Definitions
• TU Group’s Ten Privacy Principles
  
  • Principle 1 Accountability
  • Principle 2 Identifying Purposes for Collection of Personal Information
  • Principle 3 Consent
  • Principle 4 Limiting Collection of Personal Information
  • Principle 5 Limiting Use, Disclosure and Retention of Personal Information
  • Principle 6 Accuracy
  • Principle 7 Security Safeguards
  • Principle 8 Openness
  • Principle 9 Individual Access
  • Principle 10 Handling Inquiries and Challenges

SCOPE AND APPLICATION

This TU Group Privacy Policy (the “Policy”) contains ten Principles that are observed by the TU Group regarding the collection, use and disclosure of personal information. The Policy has been tailored to reflect personal information issues specific to the TU Group.

This Policy is subject to, and in addition to, the requirements and procedures under any applicable privacy law or regulation. In the event of conflict between this Policy and an applicable law or regulation, the law or regulation shall prevail.

The scope and application of this Policy are as follows:

• The Policy applies to personal information about the TU Group's customers and other individuals that is collected, used or disclosed by the TU Group.
  
• This Policy is subject to change, and may be supplemented or modified by additional terms applicable between the TU Group and an individual. Those terms may be contained in, for example, an application or order form, a policy booklet, or terms and conditions of sale.

Top

DEFINITIONS:

Collection - the act of gathering, acquiring, recording, or obtaining personal information, whether orally, electronically or in writing.

Consent- agreement to the collection, use or disclosure of personal information. Consent can be express, implied or deemed, and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing. Implied consent is consent that can reasonably be inferred from an individual's action or inaction. Deemed consent occurs in situations described in applicable privacy legislation or regulations.

Disclosure - making personal information available to a third party.

Personal information - information about an identifiable individual, but not including aggregated information that cannot be associated with a specific individual, or information excluded under applicable privacy legislation or regulations, such as publicly available information or certain business contact information.

TU Group – includes the following companies: North American Air Travel Insurance Agencies Ltd. d.b.a. Travel Underwriters and TU Insurance, OneWorld Medicare Inc., OneWorldRx Inc., OneWorld Assist Inc. and TravelGold Mexico, S.A. de C.V.

Third party - an individual or organization outside the TU Group.

Use - the treatment, handling and management of personal information by and within an organization.

Top

Principle 1 - Accountability

1.1 The TU Group is responsible for personal information under its control and has designated its Privacy Officer as the person who is accountable for the TU Group's compliance with the following Principles.

1.2 The Privacy Officer may delegate the performance of certain responsibilities regarding the Policy to other employees and agents of the TU Group.

1.3 The TU Group is responsible for personal information in its possession or under its control. The TU Group shall use appropriate means to ensure the protection of personal information while it is being used by third parties on behalf of the TU Group (see Principle 7).

1.4 The TU Group shall implement policies and procedures to give effect to the Policy, including:

a) implementing procedures to protect personal information and to oversee the TU Group's compliance with the TU Group Privacy Policy;

b) establishing procedures to receive and respond to inquiries or complaints;

c) training and communicating to staff about the Policy and related matters; and

d) developing public information to explain the Policy and related matters.

Top

Principle 2 - Identifying Purposes for Collection of Personal Information

2.1 The TU Group shall identify and record the purposes for which personal information is collected at or before the time the personal information is collected or, when appropriate, at or before the time the personal information is used for a new purpose.

2.2 The TU Group collects personal information for the following purposes:

a) to establish and maintain commercial relationships with our partners and customers;

b) for purposes identified or reasonably obvious to individuals in respect of particular collections of personal information including, for example, identifying available insurance coverage and determining premiums, determining the medical condition of customers, providing assistance services to customers and their families, determining customers’ suitability and making arrangements for medical evacuation, and determining insurance coverage;

c) to meet legal and regulatory requirements;

d) to understand needs and preferences of individuals;

e) to develop, enhance, market and/or provide products and services; and

f) to manage and develop the TU Group's business and operations, including transfer of data amongst the TU Group and its partners.

Further references to "identified purposes" include the purposes identified in this Principle.

2.3 The TU Group shall, as appropriate, specify orally, electronically or in writing to the affected individual the relevant and identified purposes for collecting, using or disclosing personal information at or before the time personal information is collected. Upon request, persons collecting personal information shall explain those purposes or refer the individual to a designated person within the TU Group who shall explain those purposes.

Top

Principle 3 - Consent

3.1 In most cases, the consent of the affected individual is required for the collection, use or disclosure of personal information. In certain circumstances personal information may be collected, used or disclosed without the knowledge or consent of the individual, such as in the case of an emergency where the life, health or security of an individual is threatened.

3.2 The TU Group may disclose personal information without the knowledge or consent of the affected person to a lawyer or other advisor representing a member of the TU Group, to collect a debt, to comply with a subpoena, warrant or other court order, or as may otherwise be required or authorized by law.

3.3 Where required by law, the TU Group shall use reasonable efforts to ensure that an individual is advised of the identified purposes for which personal information may be collected, used or disclosed. Purposes shall be stated in a manner that can be reasonably understood by the individual.

3.4 Generally, the TU Group shall seek consent to use and disclose personal information at the same time it collects the information. However, the TU Group may seek consent to use and disclose personal information after it has been collected, but before it is used or disclosed for a new purpose.

3.5 The TU Group will require individuals to consent to the collection, use or disclosure of personal information as a condition of the supply of a product or service only if such collection, use or disclosure is reasonably required to fulfill the identified purposes.

3.6 In determining the appropriate form of consent (express or implied) the TU Group shall take into account the sensitivity of the personal information and the reasonable expectations of the individual.

3.7 An individual may withdraw consent to the use or disclosure of personal information, subject to legal or contractual restrictions and reasonable notice. TU Group will inform individuals of the effect of withdrawing consent. Individuals may contact the Privacy Officer or another designated representative of the TU Group for more information regarding the implications of withdrawing consent in particular circumstances.

Top

Principle 4 - Limiting Collection of Personal Information

4.1 The TU Group shall limit the collection of personal information to that which is reasonably necessary for the purposes identified by the TU Group or otherwise permitted by law.

4.2 The TU Group generally collects personal information from the individual to whom the information relates, and may collect personal information from third parties including parents and legal guardians, spouses or family members, physicians and other medical care providers and other third parties who represent that they have the right to disclose the information, or as otherwise permitted by law.

Principle 5 - Limiting Use, Disclosure and Retention of Personal Information

5.1 The TU Group shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required or permitted by law. The TU Group shall retain personal information only as long as necessary for the fulfillment of those purposes or as required or permitted by law.

5.2 The TU Group may disclose an individual's personal information to:

a) a person who in the reasonable judgment of the TU Group is seeking the information as an agent or legal or personal representative of the individual;

b) a company or individual employed or contracted by the TU Group to perform functions on its behalf, such as but not limited to research or data processing;

c) another company or individual for the development, enhancement, marketing or provision of any of the TU Group's products and services;

d) an agent used by the TU Group to evaluate the individual's creditworthiness or to collect the individual's account, or a credit reporting agency;

e) a public authority or agent of a public authority if, in the reasonable judgment of the TU Group, it appears that there is imminent danger to life or property which could be avoided or minimized by disclosure of the information;

f) another entity as part of a merger, a sale of assets or all or part of a business, or any other corporate change or re-organization;

g) a third party or parties, where the individual consents to such disclosure or disclosure is required or permitted by law.

5.3 Only employees and agents of TU Group with a business need to know, or whose duties reasonably so require, will be granted access to personal information.

5.4 Where personal information has been used to make a decision affecting an individual, the TU Group shall retain for a reasonable period of time either the actual information referred to in making the decision or a record of the reasons for making the decision.

5.5 The TU Group shall maintain reasonable and systematic controls, schedules and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required or permitted by law to be retained. When, in accordance with such practices and law such information is no longer required to be retained, it shall be destroyed, erased or made anonymous.

Top

Principle 6 - Accuracy

6.1 The TU Group shall take reasonable steps to ensure that personal information is as accurate, complete and up-to-date as is appropriate given the purposes for its collection, use and disclosure, and to minimize the possibility that inappropriate information may be used to make a decision affecting an individual.

6.2 The TU Group shall amend personal information about individuals as and when reasonably necessary to fulfill the identified purposes for its collection, use or disclosure. If TU Group receives a request to make an amendment or addition to personal information about an individual and TU Group concludes that such amendment or addition is appropriate, TU Group will amend the personal information. If TU Group concludes that a requested amendment or addition is not appropriate, TU Group will notify the person requesting the amendment or addition of that fact and maintain a record of the requested amendment or addition.

6.3 Where required by law or otherwise appropriate, the TU Group will communicate amendments of or additions to personal information to third parties.

Top

Principle 7 - Security Safeguards

7.1 The TU Group shall protect personal information by security safeguards that are appropriate given the sensitivity of the information.

7.2 The TU Group shall take appropriate and reasonable steps to protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction.

7.3 The TU Group shall take appropriate and reasonable steps to protect personal information disclosed to third parties, for example by contractual agreements stipulating the confidentiality of the information and the purposes for which it may be used.

Top

Principle 8 - Openness

8.1 The TU Group shall make available to individuals specific information about its policies and practices relating to the management of personal information, including:

a) the name and address of the TU Group's Privacy Officer or other person to whom inquiries or complaints can be forwarded;

b) the means of gaining access to personal information held by the TU Group; and

c) the procedure for requesting amendments to personal information.

Top

Principle 9 - Individual Access

9.1 Upon request, the TU Group shall inform an individual of the contents, use and disclosure of his or her personal information, at a minimal or no cost to the individual. An affected individual shall be able to challenge the accuracy and completeness of the information and to request its amendment in accordance with Principle 6 above.

9.2 In certain situations and where permitted by law, the TU Group may not provide access to some or all of the personal information that it holds about an individual. For example, the TU Group may not provide access to information if doing so would likely reveal personal information about a third party or could reasonably be expected to threaten the life or security of an individual. The TU Group may not provide access to information if disclosure would reveal confidential commercial information, if the information is protected by solicitor-client privilege, if the information was generated in the course of a formal dispute resolution process, or if the information was collected in relation to the investigation of a breach of an agreement or a contravention of a law. If access to personal information is not provided the TU Group shall, upon request, provide the reason for denying access.

9.3 In order to protect personal information, an individual may be required to provide identification sufficient to satisfy the TU Group that it may properly provide the individual with access to personal information.

9.4 Individuals may request access to their personal information by contacting the Privacy Officer or another designated representative of the TU Group.

9.5 The TU Group will endeavor to respond to all requests within 30 days or, in any event, within the time limit required or permitted by applicable law.

Top

Principle 10 - Handling Inquiries and Challenges

10.1 An individual may address a challenge concerning compliance with the above Principles or any applicable privacy law or regulation to the Privacy Officer or another designated representative of the TU Group.

10.2 The TU Group shall maintain procedures for addressing and responding to all inquiries or complaints from individuals about the TU Group's handling of personal information.

10.3 The TU Group shall, upon request, inform affected persons about the existence of these procedures as well as the availability of complaint procedures.

Top