Rifco National Auto Finance Corporation Personal Information Protection Policy
Rifco National Auto Finance Corporation (RIFCO) is committed to safeguarding the personal information entrusted to us by our customers. We manage your personal information in accordance with Alberta’s Personal Information Protection (PIPA) and Personal Information Protection and Electronic Documents Act (PIPEDA) and other applicable laws.
This policy outlines the principles and practices we follow in protecting your personal information. The policy also applies to any person providing services on our behalf. A copy of this policy is provided to any client on request.
RIFCO recognizes Personal Information to be any identifying information of an individual that is not publicly available and uses common sense rules for collection, use and disclosure.
RIFCO has appointed a Privacy Officer who is responsible for ensuring compliance with PIPEDA and this policy. RIFCOs Privacy Officer may delegate the accountability to the Manager or Director of each department. This delegation for each department may include:
• Development of a training manual and guidelines for the secure handling of Personal Information as it relates to their department and employees job function.
• Provide training for new hires and refresher training, as required, on the secure handling of Personal Information.
• Oversight of adherence and compliance of the handling of Personal Information by employees.
• Risk assessment and mitigation of unauthorized disclosure of Personal Information by employees
• Timely reporting to RIFCOs Privacy Office of any suspected breach.
RIFCO Executives, Directors, Managers are accountable for supporting a business culture that promotes the safeguarding of personal information entrusted by our customers.
Any questions regarding this policy or concerns with RIFCO’s compliance with the requirements of PIPEDA, can be addressed directly to RIFCO’s Privacy Officer. Contact information is included at the end of this policy.
This policy applies to anyone who collects, uses and discloses personal information on behalf of RIFCO including employees and third-party service providers.
RIFCO collects personal information for the purposes of providing services to our customers, including personal information to:
• Identify the customer
• Understand customers credit needs
• Evaluate eligibility for products and services including credit
• Deliver products and services
• Refine and improve our current products and services
• Develop new products and services
• Protect our customers and Rifco against error, fraud, theft and damage
• Comply with legal and regulatory requirements
Rifco collects customer information directly from our customers and our Dealer partners. Rifco may collect customer information from other persons with prior consent or as authorized by law.
We inform our customers, before or at the time of collecting personal information, of the purposes for which we are collecting information. However, we do not provide this notification when a customer volunteers information for an obvious purpose.
RIFCO obtains customer consent to collect, use or disclose personal information, except in specific circumstances where collection, use or disclosure without consent is authorized or required by law. We may assume consent in cases where information is volunteered for an obvious purpose.
RIFCO may not be able to provide certain services if a customer is unwilling to provide consent to the collection, use or disclosure of certain personal information. Where express consent is needed, we request that customers provide their consent orally (in person, by telephone), in writing (by signing a consent form, by checking a box on a form), or electronically (by clicking a button).
We may collect, use or disclose customer personal information without consent only as authorized by law. For example, we may not request consent when the collection, use or disclosure is reasonable for an investigation or legal proceeding, to collect a debt owed to our organization, in an emergency that threatens life, health or safety, or when the personal information is from a public telephone directory.
In the event a client has withdrawn his or her consent for collecting, using and disclosing of their information, PIPA allows RIFCO to continue to use, disclose or retain the information if we have legal or business reason to do so.
Limiting Use, Disclosure and Retention
Rifco limits the amount of personal information collected to what is necessary to determine customers’ ability to pay the loan and for the purposes of managing and servicing the loan. Limiting the amount of personal information collected reduces our risk of improper usage or disclosure.
We retain customer personal information only for as long as is reasonable to fulfil the purposes for which the information was collected or for legal or business purposes.
RIFCO will not use or disclose customer personal information for any purpose other than those for which it was collected without the customers express consent or as required or permitted by law. We may disclose our customers personal information, as necessary, for the purpose of collecting a debt owed to RIFCO.
RIFCO complies with Canada Revenue Agency data retention and destruction standards. Once a customer has fulfilled the terms of the Loan Agreement, personal information will be retained for a period of six fiscal years. Hard copy documents are shredded by a 3rd party provider and electronic data is deleted. RIFCO retains non-identifying client information for business and statistical purposes.
RIFCO’s electronic data systems are configured with data encryption. This means that when an individual sends personal information to RIFCO, such as a credit card number, the electronic data is protected by secure technology to ensure safe transmission.
Computers, servers, networks, and software systems containing customer personal information are safeguarded by limiting access to user specific, username and password protection, and in some instances, multi-level authentication. External data storage devices, such as USB drives, are not permitted by RIFCO for storage or file transfer purposes.
Physical documentation is stored in locked file cabinets and restricted storage areas.
RIFCO administrative safeguards include training our employees on our policies for protection of customer personal information as well as the consequences of non-compliance. Sensitive information is accessible only to those employees who require it for operational and business purposes.
RIFCO will notify the Office of the Information and Privacy Commissioner of Alberta, without delay, of any security breach affecting personal information should occur.
We render client personal information non-identifying, or destroy records containing personal information once the information is no longer needed.
We use appropriate security measures when destroying customer personal information, including shredding paper records and permanently deleting electronic records.
Use of Providers Outside Canada
RIFCO has contractual agreements with certain service providers outside of Canada. These agreements may require the collection, use and disclosure of customer personal information as set out in the agreement. We employ a reasonable presumption our service providers follow all applicable laws pertaining to the use, disclosure, retention and safeguarding of personal information.
Access to records
Upon request, a Rifco customer shall be informed of the existence, use and disclosure of their information and shall be given access to it. Customers may verify the accuracy and completeness of their information, and may request that it be amended, if appropriate. We will amend, as necessary, upon notice from another organization updates to customer personal information. Rifco will correct a customer’s information under our custody and control within a reasonable time frame.
Organizations are authorized under the Act to refuse access to personal information if disclosure would reveal confidential business information. Access may also be refused if the information is protected by legal privileged or contained in mediation records.
If we refuse a request in whole or in part, RIFCO will provide the reasons for the refusal. In some cases where exceptions to access apply, we may withhold that information by way of redaction or omission and provide the remainder of the record.
We will respond to access requests withing 45 calendar days, unless an extension is granted by the Office of the Information and Privacy Commissioner.
Compliance Breach of Personal Information
RIFCOs Privacy Officer is responsible for timely reporting of a suspected Breach to the Office of the Information and Privacy Commissioner (OIPC). RIFCO will notify the affected individuals directly as soon as feasible after it has been determined that the breach has occurred.
Individuals may submit concerns in writing regarding the use, disclosure, retention and safeguarding of personal information direct to:
RIFCO Privacy Officer
Office of the Information and Privacy Commissioner of Alberta
Personal Information Protection Training
RIFCO firmly believes training of its employees is essential to ensure safeguarding of the personal information our customers have entrusted us with. Managers and Directors of each department are responsible for development, training and adherence to the safe handling of customers private information.