Vestcor Inc. Privacy Statement
Vestcor Inc. (“Vestcor”) complies with the requirements of applicable legislation in relation to the collection, usage, disclosure, and retention of personal information, including the Personal Information Protection and Electronic Documents Act. This Privacy Statement outlines the policies, procedures and safeguards Vestcor has developed for the management of personal information when providing its pension administration, employee benefit administration and investment management services. These policies, procedures and safeguards are reviewed on a regular basis (no less than annually), and Vestcor’s Privacy Administrator is responsible for ensuring Vestcor’s compliance with them.
Collection and Usage
Vestcor obtains personal information for the purposes of providing pension administration, employee benefit administration and investment management services. Much of the personal information Vestcor receives is provided to Vestcor by employers and/or plan sponsors. In addition, Vestcor may indirectly receive limited personal information from service providers that provide services to employers and/or plan sponsors that Vestcor is required to coordinate with. By participating in employers’ pension and group benefit plans, individuals have provided their consent to their employer, plan sponsor, or service provider, as applicable, to the disclosure of their personal information to Vestcor. Vestcor assumes no responsibility to obtain consent in relation to information it receives from employers, plan sponsors and/or service providers.
Vestcor also obtains personal information directly from individuals (e.g. pension and group benefit plan members, retirees/pensioners) or their authorized representatives (e.g. attorneys under powers of attorney, legal/appointed guardians). The purpose(s) for this personal information collection and use by Vestcor are identified within this Privacy Statement and on Vestcor’s applicable forms, or in the supporting documentation and instructions supplied by Vestcor, or by Vestcor’s Member Services team if the collection is conducted over the phone or in-person. Individuals have consented to the collection of personal information for these purpose(s) by providing it to Vestcor or Vestcor’s Member Services team.
When an individual provides Vestcor with personal information about a third party (e.g. spouse, common-law partner, beneficiary), the individual providing the information is solely responsible for obtaining consent from the third party to provide that information to Vestcor. Vestcor assumes no responsibility to obtain consent from the third party to whom the information relates.
Vestcor may also obtain personal information from publicly available sources (e.g. obituaries, directories, public records, court filings) if it is not possible or practical to obtain that information directly by other means.
The nature and extent of the personal information Vestcor collects varies depending on the type of the service being provided and the individual’s relationship with Vestcor (e.g. pension plan member, beneficiary, authorized representative). The personal information Vestcor collects about an individual may include:
- Name and contact information (e.g. address, telephone number, E-mail address);
- Demographic information (e.g. age, gender, marital status);
- Government-issued identification (e.g. birth certificate, driver’s license);
- Social insurance number;
- Employment information (e.g. employer, salary, employment dates and status);
- Information on family members/relationships (e.g. current or former spouse/common-law partner, named beneficiaries);
- Legal documents (e.g. power of attorney, will, court order, domestic contract);
- Financial institution information (e.g. banking information/void cheque);
- Medical/health information; and/or
- Supporting documentation for any of the above.
The purposes for which Vestcor collects personal information may include:
- Determining and verifying eligibility for membership and entitlement to benefits (including survivor benefits);
- Calculating and paying benefits;
- Providing pension and marriage breakdown estimates, and options upon termination of employment;
- Determining eligibility and calculating benefits related to purchases of service and reciprocal transfer agreements with other pension plans;
- Communicating with members, beneficiaries, and others who may be entitled to payments and/or benefits;
- Producing individual member statements;
- Verifying identities of members, beneficiaries, and others who may be entitled to benefits and/or information;
- Conducting due diligence on companies that may be added to Vestcor’s investment portfolio, and monitoring and overseeing companies currently in its portfolio;
- Complying with statutory and regulatory requirements (including reporting requirements); and/or
- Compiling statistical and qualitative data on administered plans and Vestcor’s performance.
Personal information may be shared with third parties who provide services to Vestcor (e.g. actuaries, database and data processing system providers, printing service providers), or third parties who provide services to a Vestcor client, in which case it will be at the request or with the consent of the Vestcor client. These third parties are contractually obligated to keep any personal information they receive secure and confidential, and to have safeguards in place to protect it.
Vestcor employs the use of security cameras within the entrance areas of its offices strictly for the purpose of ensuring the safety of individuals and the security of Vestcor’s property and assets. Notices are posted within the premises where video surveillance is taking place. A video surveillance record may be provided to law enforcement or other applicable government agency if permitted/required by law or for the purpose of a law enforcement investigation.
Policies and Safeguards
Vestcor makes reasonable efforts to ensure that the personal information it possesses is accurate. For example, when mail is returned as undeliverable, Vestcor’s staff attempt to contact the individual and obtain up-to-date information. Further, prior to making a payment to someone or commencing benefits, Vestcor confirms the recipient’s information is current for the purposes of making such payment(s). Newsletters produced by Vestcor also include reminders to plan members and benefit recipients to update contact and banking information when there are changes. Individuals are entitled to correct their personal information held by Vestcor in the event of any identified inaccuracies.
Vestcor will retain personal information only as long as necessary to fulfill the purpose(s) for which it was collected and to satisfy any legal and/or business requirements.
Vestcor employs a number of policies and administrative, technological, and physical safeguards to protect the personal information it has in its possession from unauthorized use or access. These policies and safeguards include:
- Processes for verifying identities;
- Controlling/restricting access to Vestcor’s offices;
- Requiring staff to keep personal information out of sight by maintaining clean desks and locked offices and filing cabinets, disposing of unneeded paper records via a third-party shredding service provider, and ensuring that computer screens are not visible to others;
- Implementing information technology policies for system access and use of technology-related hardware and software, which are communicated regularly to all staff and subject to annual compliance certifications;
- Implementing other policies respecting Vestcor’s computer network and systems aimed at preventing unauthorized access;
- Records management policies and retention schedules;
- Continuous and mandatory online cybersecurity awareness training to ensure staff understand their responsibility for safeguarding data and systems; and
- Ensuring that third party service providers are subject to the same requirements as Vestcor if they receive personal information from Vestcor.
Vestcor will report and provide notifications of breaches of its security safeguards in accordance with its internal policies and applicable privacy legislation.
Disclosures to Third Parties
Vestcor discloses personal information to third parties under limited circumstances. Personal information may be shared by Vestcor, at the request or with the consent of its client(s), with employers and organizations that provide services to employers that Vestcor is required to coordinate with (e.g. insurance companies).
Vestcor may also share personal information with third parties with the individual’s consent or when required or authorized by law. Depending on the circumstances, personal information may be shared with authorized representatives, regulatory bodies (e.g. Superintendent of Pensions, Canada Revenue Agency), current or former spouses/common-law partners, named beneficiaries, or others who may be required or permitted to receive the information.
Vestcor does not sell or lease the personal information that it holds.
When Vestcor’s website is visited, Vestcor’s web server automatically collects a limited amount of information essential for the operation and security of the website. We use technologies such as cookies, which store small pieces of data on your device and allow us to collect certain anonymous usage information from you when you interact with us online (the “usage information”). The usage information may include, but is not limited to, internet browser information, operating system information, Internet Service Provider (ISP), Internet Protocol (IP) addresses or other device identifiers, your location, the date and time that you visited a particular website, and the language preference initially selected by the user. Vestcor does not use the usage information to identify any individual user. We use third party tools such as Google Analytics to collect usage information. Vestcor is not responsible for the security and privacy practices of these third party tools. For more information about these products and their security and privacy principles, please review their respective privacy policies.
Inquiries made through Vestcor’s website require individuals to submit a limited amount of personal information, such as name and contact details, so that Vestcor’s staff may contact and follow-up with those individuals. Transmissions made to Vestcor through the Internet are not secure and therefore the confidentiality of a transmission cannot be assured. As a result, it is advised that users not submit any confidential or sensitive information via Vestcor’s website.
Vestcor’s website (including electronic documents posted on the website) may contain links to third-party websites which are not covered by Vestcor’s privacy policies and safeguards. Vestcor does not assume responsibility for the privacy practices of these third-party websites/organizations, and individuals should review the applicable policies of these third parties in order to determine their privacy practices.
Inquiries or Concerns
Individuals who wish to withdraw their consent for Vestcor to use their personal information may make a written request to the Privacy Administrator (see below). Vestcor will endeavour to accommodate such requests, but due to the fact that much of the personal information Vestcor collects is required to fulfill legal and contractual obligations, it may not be possible to withdraw consent in many instances.
Written requests may also be made if individuals wish to know what personal information Vestcor holds about them (if any), and how that information is used and disclosed. Vestcor’s fulfilment of such requests is subject to certain statutory exceptions.
For more information about Vestcor’s privacy practices, to make a written request, or make a complaint regarding a privacy-related matter, contact the Privacy Administrator by writing to:
P.O. Box 6000
Fredericton, New Brunswick
The Privacy Administrator may need to contact you for further information prior to processing your request or complaint.
Updates or Corrections to Personal Information
Vestcor strives to maintain accurate and up-to-date personal information. Individuals who receive personal information via written requests as described above, annual statements, or other correspondence from Vestcor, and who wish to update or correct their personal information, may contact Vestcor. Vestcor, in turn, will apply the update/correction or will coordinate the update/correction with the employer as applicable. Requests for updates or corrections to personal information may be submitted in writing to:
Member Services Team
P.O. Box 6000
Fredericton, New Brunswick
Email: firstname.lastname@example.org *
* Please note that sensitive personal information (e.g., Social Insurance Number) must not be submitted to email@example.com; if an update/correction to this type of information is required, please provide general details only and a Member Services Analyst will contact you for guidance on how to securely submit that information.