This TU Group Privacy Policy (the “Policy”) contains ten Principles that are observed by TU Group regarding the collection, use and disclosure of personal information. The Policy has been tailored to reflect personal information issues specific to TU Group.
This Policy is subject to, and in addition to, the requirements and procedures under any applicable privacy law or regulation. In the event of conflict between this Policy and an applicable law or regulation, the law or regulation shall prevail.
The scope and application of this Policy are as follows:
Collection – the act of gathering, acquiring, recording, or obtaining personal information, whether orally, electronically or in writing.
Consent – agreement to the collection, use or disclosure of personal information. Consent can be express, implied or deemed, and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction. Deemed consent occurs in situations described in applicable privacy legislation or regulations.
Disclosure – making personal information available to a third party.
Personal information – information about an identifiable individual, but not including aggregated information that cannot be associated with a specific individual, or information excluded under applicable privacy legislation or regulations, such as publicly available information or certain business contact information.
TU Group – includes the following companies: North American Air Travel Insurance Agencies Ltd. d.b.a. Travel Underwriters and TU Insurance, One World Medicare Inc., One World Assist Inc. and TravelGold Mexico, S.A. de C.V.
Third party – an individual or organization outside TU Group.
Use – the treatment, handling and management of personal information by and within an organization.
1.1 TU Group is responsible for personal information under its control and has designated its Privacy Officer as the person who is accountable for TU Group’s compliance with the following Principles.
1.2 The Privacy Officer may delegate the performance of certain responsibilities regarding the Policy to other employees and agents of TU Group.
1.3 TU Group is responsible for personal information in its possession or under its control. TU Group shall use appropriate means to ensure the protection of personal information while it is being used by third parties on behalf of TU Group (see Principle 7)
1.4 TU Group shall implement policies and procedures to give effect to the Policy, including:
2.1 TU Group shall identify and record the purposes for which personal information is collected at or before the time the personal information is collected or, when appropriate, at or before the time the personal information is used for a new purpose.
2.2 TU Group collects personal information for the following purposes:
Further references to “identified purposes” include the purposes identified in this Principle.
2.3 TU Group shall, as appropriate, specify orally, electronically or in writing to the affected individual the relevant and identified purposes for collecting, using or disclosing personal information at or before the time personal information is collected. Upon request, persons collecting personal information shall explain those purposes or refer the individual to a designated person within TU Group who shall explain those purposes.
3.1 In most cases, the consent of the affected individual is required for the collection, use or disclosure of personal information. In certain circumstances personal information may be collected, used or disclosed without the knowledge or consent of the individual, such as in the case of an emergency where the life, health or security of an individual is threatened.
3.2 TU Group may disclose personal information without the knowledge or consent of the affected person to a lawyer or other advisor representing a member of TU Group, to collect a debt, to comply with a subpoena, warrant or other court order, or as may otherwise be required or authorized by law.
3.3 Where required by law, TU Group shall use reasonable efforts to ensure that an individual is advised of the identified purposes for which personal information may be collected, used or disclosed. Purposes shall be stated in a manner that can be reasonably understood by the individual.
3.4 Generally, TU Group shall seek consent to use and disclose personal information at the same time it collects the information. However, TU Group may seek consent to use and disclose personal information after it has been collected, but before it is used or disclosed for a new purpose.
3.5 TU Group will require individuals to consent to the collection, use or disclosure of personal information as a condition of the supply of a product or service only if such collection, use or disclosure is reasonably required to fulfill the identified purposes.
3.6 In determining the appropriate form of consent (express or implied) TU Group shall take into account the sensitivity of the personal information and the reasonable expectations of the individual.
3.7 An individual may withdraw consent to the use or disclosure of personal information, subject to legal or contractual restrictions and reasonable notice. TU Group will inform individuals of the effect of withdrawing consent. Individuals may contact the Privacy Officer or another designated representative of TU Group for more information regarding the implications of withdrawing consent in particular circumstances.
4.1 TU Group shall limit the collection of personal information to that which is reasonably necessary for the purposes identified by TU Group or otherwise permitted by law.
4.2 TU Group generally collects personal information from the individual to whom the information relates, and may collect personal information from third parties including parents and legal guardians, spouses or family members, physicians and other medical care providers and other third parties who represent that they have the right to disclose the information, or as otherwise permitted by law.
5.1 TU Group shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required or permitted by law. TU Group shall retain personal information only as long as necessary for the fulfillment of those purposes or as required or permitted by law.
5.2 TU Group may disclose an individual's personal information to:
5.3 Only employees and agents of TU Group with a business need to know, or whose duties reasonably so require, will be granted access to personal information.
5.4 Where personal information has been used to make a decision affecting an individual, TU Group shall retain for a reasonable period of time either the actual information referred to in making the decision or a record of the reasons for making the decision.
5.5 TU Group shall maintain reasonable and systematic controls, schedules and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required or permitted by law to be retained. When, in accordance with such practices and law such information is no longer required to be retained, it shall be destroyed, erased or made anonymous.
6.1 TU Group shall take reasonable steps to ensure that personal information is as accurate, complete and up-to-date as is appropriate given the purposes for its collection, use and disclosure, and to minimize the possibility that inappropriate information may be used to make a decision affecting an individual.
6.2 TU Group shall amend personal information about individuals as and when reasonably necessary to fulfill the identified purposes for its collection, use or disclosure. If TU Group receives a request to make an amendment or addition to personal information about an individual and TU Group concludes that such amendment or addition is appropriate, TU Group will amend the personal information. If TU Group concludes that a requested amendment or addition is not appropriate, TU Group will notify the person requesting the amendment or addition of that fact and maintain a record of the requested amendment or addition.
6.3 Where required by law or otherwise appropriate, TU Group will communicate amendments of or additions to personal information to third parties.
7.1 TU Group shall protect personal information by security safeguards that are appropriate given the sensitivity of the information.
7.2 TU Group shall take appropriate and reasonable steps to protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction.
7.3 TU Group shall take appropriate and reasonable steps to protect personal information disclosed to third parties, for example by contractual agreements stipulating the confidentiality of the information and the purposes for which it may be used.
8.1 TU Group shall make available to individuals specific information about its policies and practices relating to the management of personal information, including:
9.1 Upon request, TU Group shall inform an individual of the contents, use and disclosure of his or her personal information, at a minimal or no cost to the individual. An affected individual shall be able to challenge the accuracy and completeness of the information and to request its amendment in accordance with Principle 6 above.
9.2 In certain situations and where permitted by law, TU Group may not provide access to some or all of the personal information that it holds about an individual. For example, TU Group may not provide access to information if doing so would likely reveal personal information about a third party or could reasonably be expected to threaten the life or security of an individual. TU Group may not provide access to information if disclosure would reveal confidential commercial information, if the information is protected by solicitor-client privilege, if the information was generated in the course of a formal dispute resolution process, or if the information was collected in relation to the investigation of a breach of an agreement or a contravention of a law. If access to personal information is not provided TU Group shall, upon request, provide the reason for denying access.
9.3 In order to protect personal information, an individual may be required to provide identification sufficient to satisfy TU Group that it may properly provide the individual with access to personal information.
9.4 Individuals may request access to their personal information by contacting the Privacy Officer or another designated representative of TU Group.
9.5 TU Group will endeavour to respond to all requests within 30 days or, in any event, within the time limit required or permitted by applicable law.
10.1 An individual may address a challenge concerning compliance with the above Principles or any applicable privacy law or regulation to the Privacy Officer or another designated representative of TU Group.
10.2 TU Group shall maintain procedures for addressing and responding to all inquiries or complaints from individuals about TU Group’s handling of personal information.
10.3 TU Group shall, upon request, inform affected persons about the existence of these procedures as well as the availability of complaint procedures.